macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox
SentinelLABS identified macOS.Gaslight, a DPRK-aligned Rust backdoor targeting macOS systems. The implant establishes a resilient C2 channel via the Telegram Bot API using AES-GCM over pinned TLS and achieves persistence via a masqueraded LaunchAgent. Notably, it embeds a 38-message prompt-injection payload designed to feed fabricated system errors to LLM-assisted triage tools, aiming to abort or corrupt automated analysis. The malware also stages a standalone Python environment to execute a credential and data stealer.
- filenametemp/collected_data.zipArchive file created by the Python stealer containing harvested browser data, keychain, and system information.
Detection / HunterGoogle
What Happened
Security researchers have discovered a new malicious program called macOS.Gaslight that targets Mac computers. Believed to be created by North Korean hackers, it is designed to steal sensitive information like passwords, browser data, and system details. What makes this malware unique is its ability to trick the artificial intelligence tools that security analysts use to study it, feeding them fake error messages so they stop working. This shows that hackers are adapting to new defensive technologies. Organizations should ensure their security tools are prepared to handle deceptive inputs from malware.
Key Takeaways
- macOS.Gaslight is a Rust-based macOS backdoor attributed to DPRK-aligned actors, featuring a hardened Telegram Bot API C2 channel.
- The implant embeds a novel 3.5 KB prompt-injection payload designed to disrupt and confuse LLM-assisted malware analysis pipelines.
- It deploys a base64-encoded Python stealer that fetches a standalone CPython environment to harvest browser data, command histories, and the login keychain.
- C2 communications are secured using AES-GCM encryption over certificate-pinned TLS, bypassing standard network inspection.
- The malware employs OPSEC techniques, such as self-redacting its Telegram bot token from runtime logs and memory dumps to prevent discovery.
Affected Systems
- macOS (arm64 and x86_64)
Attack Chain
The macOS.Gaslight implant executes on the victim's macOS machine and establishes a C2 channel via the Telegram Bot API using AES-GCM over pinned TLS. It achieves persistence by creating a LaunchAgent masquerading as an Apple system service (com.apple.system.services.activity). The operator can interact with the implant via a built-in shell or deploy a base64-encoded Python stealer. This stealer downloads a standalone Python environment from GitHub to harvest browser data, command histories, and the login keychain, which are then archived and exfiltrated over Telegram.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Apple XProtect
The article notes that Apple XProtect detects the sample under the rules MACOS_BONZAI_COBUCH and AIRPIPE, but no raw detection rules are provided in the text.
Detection Engineering Assessment
EDR Visibility: Medium — EDRs can detect the creation of LaunchAgents, execution of discovery commands, and the downloading/execution of a standalone Python binary. However, the C2 traffic is encrypted and pinned, and the prompt injection might disrupt automated LLM analysis. Network Visibility: Low — C2 traffic uses AES-GCM encryption over certificate-pinned TLS to the Telegram API, making network inspection and decryption very difficult. Detection Difficulty: Moderate — While the C2 is hidden within legitimate Telegram traffic, the behavioral footprint of downloading a standalone Python interpreter and scraping the keychain/browsers is highly anomalous and detectable.
Required Log Sources
- Process Creation
- File Creation
- Network Connections
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual processes downloading and executing standalone Python interpreters from GitHub (e.g., astral-sh/python-build-standalone) in temporary directories. | Process Creation, File Creation | Execution/Collection | Low |
| Monitor for the creation of LaunchAgents with suspicious labels like 'com.apple.system.services.activity' or those executing from non-standard paths. | File Creation, Registry/Configuration Changes (macOS plists) | Persistence | Low |
| Investigate processes executing 'system_profiler' and 'ps aux' in rapid succession, especially if followed by the creation of a zip archive. | Process Creation, File Creation | Discovery/Collection | Medium |
Control Gaps
- LLM-assisted malware analysis pipelines vulnerable to prompt injection
- Network inspection tools unable to decrypt pinned TLS traffic
Key Behavioral Indicators
- Creation of temp/collected_data.zip
- Execution of standalone Python binaries not installed via standard package managers
- LaunchAgent using the label com.apple.system.services.activity
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider searching macOS endpoints for the presence of the LaunchAgent label 'com.apple.system.services.activity'.
- Evaluate whether any LLM-assisted triage tools in your SOC are vulnerable to prompt injection from malicious file contents.
Infrastructure Hardening
- If applicable, restrict outbound access to the Telegram API from corporate endpoints unless explicitly required for business purposes.
- Consider implementing strict application control on macOS to prevent the execution of ad-hoc signed binaries.
User Protection
- Evaluate whether your endpoint security tools can monitor and block unauthorized access to the macOS login.keychain-db.
- Consider enforcing policies that restrict the execution of scripts and standalone interpreters from user-writable directories.
Security Awareness
- Educate SOC analysts and reverse engineers about the risks of prompt injection when using LLMs to analyze untrusted malware samples.
MITRE ATT&CK Mapping
- T1071.001 - Application Layer Protocol: Web Protocols
- T1573.001 - Encrypted Channel: Symmetric Cryptography
- T1547.011 - Boot or Logon Autostart Execution: Plist Modification
- T1036.004 - Masquerading: Task or Service
- T1059.006 - Command and Scripting Interpreter: Python
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1082 - System Information Discovery
- T1057 - Process Discovery
Additional IOCs
- Command Lines:
- Purpose: Collect a snapshot of running processes on the victim machine | Tools:
ps| Stage: Collection |ps aux - Purpose: Gather system hardware and software profile information | Tools:
system_profiler| Stage: Collection |system_profiler
- Purpose: Collect a snapshot of running processes on the victim machine | Tools: