Listen to this Post

Introduction:
A new macOS stealer tracked as Gaslight and attributed to North Korean operators represents a worrying evolution in malware design: deliberate prompt injection to mislead AI-driven security tools. First observed in early June 2026 and flagged by Apple’s XProtect after a SentinelOne analysis, Gaslight is a compact Rust-built backdoor and stealer that blends tried-and-tested data theft with a novel attempt to “gaslight” automated triage systems. The campaign’s standout innovation is its use of static, embedded plaintext designed to mimic AI agent triage output, representing the first known instance of malware weaponizing AI perception rather than exploiting software vulnerabilities.
Learning Objectives:
- Understand the technical architecture of Gaslight and its prompt injection mechanisms
- Learn how to detect and respond to AI-targeted malware using macOS security tools
- Implement defensive strategies against social engineering lures and C2 communication channels
1. Understanding Gaslight’s Prompt Injection Architecture
Gaslight arrives as a standalone Mach-O executable commonly luring macOS users with faux meeting software, fake job recruitment materials, blockchain or gaming downloads, and developer test packages—social-engineering tactics long favored by DPRK-linked groups that target Web3, crypto, gaming communities, and Mac developers. The malware’s defining feature is an embedded 3.5 KB Markdown-fenced payload of 38 fabricated “system” messages arranged to resemble the scanning data format consumed by AI-based security agents.
Messages such as “token logic seems flaky,” “excessive logging… filling up disk space,” and “connection timeout” are intended to confuse or suppress cautious decisions by automated systems that either analyze files locally or send file data to cloud-based AI services. This form of prompt injection targets the human-like parsing and context-assessment behaviors of AI defenders rather than exploiting software bugs—effectively trying to manipulate judgment at the analysis layer.
Step-by-step breakdown of the prompt injection mechanism:
- Embedding Phase: The 38 fake system messages are statically embedded within the Rust binary during compilation, making them resistant to dynamic analysis modifications.
-
Execution Phase: When the malware is submitted to an AI-assisted sandbox or triage system, the embedded messages are parsed by the AI agent as legitimate system output.
-
Perception Manipulation: The AI agent, trained to recognize and act upon system failure patterns, interprets these fabricated messages as indicators of analysis instability or resource exhaustion.
-
Decision Suppression: The agent may abort analysis, downgrade severity ratings, or produce misleading conclusions—effectively “gaslighting” the automated defender.
Detection Command (macOS Terminal):
To check for suspicious Mach-O binaries that may contain prompt injection payloads:
Search for Markdown-fenced content in suspicious binaries strings /path/to/suspicious/binary | grep -E "```|token logic|excessive logging|connection timeout" Check binary architecture and compilation details file /path/to/suspicious/binary otool -L /path/to/suspicious/binary Examine for Rust-specific signatures nm -u /path/to/suspicious/binary | grep -i rust
2. The Modular Backdoor and Data Exfiltration Pipeline
Gaslight’s architecture is lightweight yet modular. It uses Serde for configuration loading, embeds a base64-encoded Python stealer (around 6.6 KB) responsible for zipping and staging stolen data, and fetches a tiny bash installer remotely to run that script. While this sample does not appear to actively exfiltrate crypto-wallet keys or browser extensions, it harvests a wide range of sensitive artifacts.
Data harvested by Gaslight:
- Browser data from Chrome, Brave, Firefox, and Safari
- Terminal command histories
- A list of installed applications
- Running process snapshots
- system_profiler output
- A copy of login.keychain-db (encrypted keychain blobs)
The backdoor component provides remote command execution and the ability to drop additional payloads. The embedded Python stealer module stages stolen data into compressed archives before exfiltration.
Step-by-step data exfiltration flow:
- Collection: The Rust binary collects system artifacts and browser credentials.
-
Staging: The base64-encoded Python script (6.6 KB) is decoded and executed to zip and stage stolen data.
-
C2 Communication: Exfiltration and command-and-control rely on a hardened Telegram bot API channel.
-
Encryption: Communications are AES-GCM encrypted with a runtime-provided key.
-
Certificate Pinning: The bot enforces a custom certificate to resist proxy-based inspection.
-
Proxy Support: Supports proxy use common in enterprise environments.
-
Token Redaction: Self-redacts its bot token to frustrate researchers.
Forensic investigation commands (macOS):
Examine login.keychain for unauthorized access attempts security dump-keychain -d ~/Library/Keychains/login.keychain-db Check for suspicious launch agents (persistence mechanism) ls -la ~/Library/LaunchAgents/ ls -la /Library/LaunchAgents/ ls -la /Library/LaunchDaemons/ Review recent terminal command history for malicious activity cat ~/.zsh_history | tail -100 cat ~/.bash_history | tail -100 Monitor running processes for suspicious Rust binaries ps aux | grep -E "rust|macho|gaslight" Check system_profiler output for anomalies system_profiler SPApplicationsDataType | grep -i "unknown|unverified"
Network monitoring (Linux/Unix-based):
Monitor outbound Telegram API connections sudo tcpdump -i any -1 'host api.telegram.org' -v Check for AES-GCM encrypted traffic patterns sudo tcpdump -i any -1 'tcp port 443' -A | grep -i "telegram" Monitor DNS queries for suspicious domains sudo tcpdump -i any -1 'udp port 53' -v
- Rust as the Weapon of Choice: Memory Safety Meets Malware
The reuse of Rust aligns with a broader trend among advanced threat actors favoring memory-safe languages to reduce errors while retaining powerful functionality. Gaslight joins earlier Rust-based macOS infostealers such as Realist/Realistic and other DPRK campaigns that have employed fake video meeting invites or malicious PDFs to compromise Macs.
Why Rust is attractive to malware authors:
- Memory safety eliminates common vulnerabilities that would otherwise crash the malware
- Cross-platform compilation capabilities
- Strong cryptography libraries (AES-GCM, Serde for serialization)
- Small binary footprint relative to functionality
- Difficulty for reverse engineers unfamiliar with Rust’s ownership model
Analyzing Rust binaries (Linux/macOS):
Identify Rust binaries by their unique section names readelf -S /path/to/binary | grep -i rust Linux otool -l /path/to/binary | grep -i rust macOS Extract embedded strings including prompt injection payloads strings -1 8 /path/to/binary | grep -E "```|error|warning|timeout|memory" Check for Serde configuration embedded in the binary strings /path/to/binary | grep -i "serde|config|json"
4. Telegram-Based C2: Hardened and Resilient
Gaslight’s command-and-control infrastructure represents a significant hardening effort compared to previous macOS stealers. The Telegram bot API channel incorporates multiple defensive measures:
Technical breakdown of C2 hardening:
- AES-GCM Encryption: All communications are encrypted with a runtime-provided key, preventing passive interception.
-
Custom Certificate Pinning: The bot enforces a custom certificate, making man-in-the-middle attacks and proxy-based inspection difficult.
-
Enterprise Proxy Support: The malware can operate behind corporate proxies, blending with legitimate traffic.
-
Token Self-Redaction: The bot token is redacted during runtime to prevent researcher extraction.
-
Resilient Design: These design choices make network inspection and incident response more difficult in tightly managed enterprise networks.
Defensive measures against Telegram-based C2:
Block Telegram API endpoints at the network level Add to /etc/hosts (macOS/Linux) or Windows hosts file 127.0.0.1 api.telegram.org 127.0.0.1 telegram.org Windows firewall rule to block Telegram netsh advfirewall firewall add rule name="Block Telegram" dir=out action=block remoteip=149.154.167.0/24 macOS PF firewall rule echo "block out proto tcp from any to 149.154.167.0/24" | sudo pfctl -f - Monitor for Telegram API traffic patterns sudo tcpdump -i any -1 'host 149.154.167.0/24' -v
Telegram Bot API detection script (Python):
Simple detector for Telegram bot token patterns in memory/strings
import re
import os
def scan_for_telegram_tokens(filepath):
pattern = r'\d+:[A-Za-z0-9_-]{35}'
with open(filepath, 'rb') as f:
content = f.read().decode('utf-8', errors='ignore')
matches = re.findall(pattern, content)
return matches
Example usage
suspicious_paths = ['/path/to/suspicious/binary']
for path in suspicious_paths:
tokens = scan_for_telegram_tokens(path)
if tokens:
print(f"[!] Telegram tokens found in {path}: {tokens}")
5. Social Engineering Lures and Attack Vectors
Gaslight employs social-engineering tactics long favored by DPRK-linked groups. The malware is distributed through:
- Faux meeting software (fake Zoom/Teams installers)
- Fake job recruitment materials targeting developers
- Blockchain and gaming downloads
- Developer test packages
- Malicious PDFs with embedded downloaders
The campaign echoes earlier Rust-based macOS infostealers and other DPRK campaigns that have employed fake video meeting invites or malicious PDFs to compromise Macs. Recent Lazarus Group activity includes the “Mach-O Man” campaign targeting fintech executives, crypto developers, and high-value enterprise users through fake meeting invitations.
Defensive measures against social engineering:
macOS: Gatekeeper verification spctl --assess --verbose /path/to/downloaded/app Check code signing status codesign -dv /path/to/downloaded/app Verify application notarization xcrun notarytool history --apple-id [email protected] Enable macOS Application Firewall with Stealth Mode sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on Windows: Check downloaded file signatures Get-AuthenticodeSignature -FilePath "C:\Downloads\suspicious.exe"
User education checklist:
- Never run unsolicited meeting software installers from unknown sources
- Verify recruiter identities through independent channels before downloading job-related materials
- Download blockchain and gaming software only from official sources
4. Enable macOS Gatekeeper and notarization checks
- Be suspicious of any request to copy-paste Terminal commands from unknown sources
6. Detection, Mitigation, and Incident Response
Detection has progressed—by late June, VirusTotal showed multiple vendors flagging the sample and Apple pushed an XProtect rule to block it—but attackers can and will iterate to evade signatures.
XProtect management commands (macOS):
Check XProtect version and update status /System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect -version Force XProtect update sudo /usr/libexec/XProtectUpdater View XProtect YARA rules cat /System/Library/CoreServices/XProtect.app/Contents/Resources/XProtect.yara Monitor XProtect remediations sudo eslogger xp_malware_remediated
Comprehensive detection strategy:
- Signature-based detection: Keep XProtect and third-party AV updated
- Behavioral detection: Monitor for unusual Rust binary execution, unexpected Terminal command histories, and unauthorized keychain access
- Network detection: Monitor outbound connections to Telegram API endpoints and unusual encrypted traffic patterns
- AI-assisted detection validation: Implement human review for high-risk samples and validate AI agent outputs
Incident response checklist:
1. Isolate the affected system immediately
sudo ifconfig en0 down Disable network interface
<ol>
<li>Capture memory snapshot for forensic analysis
sudo memdump -o /path/to/memory.dump</p></li>
<li><p>Collect system artifacts
sudo sysdiagnose -f /path/to/output/</p></li>
<li><p>Export keychain for analysis
security export -k ~/Library/Keychains/login.keychain-db -t certs -f pemseq -o /path/to/keychain.pem</p></li>
<li><p>Review launch agents for persistence
find / -1ame "plist" -exec grep -l "com.apple.softwareupdate" {} \; 2>/dev/null</p></li>
<li><p>Check for unauthorized cron jobs or periodic scripts
crontab -l
sudo crontab -l
Windows equivalent commands (for cross-platform environments):
Monitor for suspicious outbound connections
netstat -ano | findstr ESTABLISHED
Check scheduled tasks for persistence
schtasks /query /fo LIST /v
Review event logs for suspicious activity
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624} | Select-Object -First 20
Search for recently created files in temp directories
Get-ChildItem -Path C:\Users\AppData\Local\Temp -Recurse | Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-7)}
- AI-Specific Defenses: Preventing Prompt Injection in Security Pipelines
Gaslight represents a proof-of-concept for AI-targeted manipulation. Organizations using AI-assisted security should validate agent outputs and consider combining automated triage with human review for high-risk samples.
Defensive strategies against AI prompt injection:
- Input Sanitization: Strip or escape Markdown formatting and control characters before feeding to AI agents
- Output Validation: Cross-reference AI agent conclusions with traditional signature-based and behavioral detections
- Human-in-the-Loop: Require human review for any sample where the AI agent reports system errors, resource exhaustion, or analysis abortion
- Prompt Injection Detection: Deploy deterministic prompt-injection detectors that scan for known patterns before AI processing
Implementation example (Python):
import re
Deterministic prompt injection detection
def detect_prompt_injection(text):
patterns = [
r'<code>.</code>', Markdown code blocks
r'token logic.flaky',
r'excessive logging.disk space',
r'connection timeout',
r'ignore previous instructions',
r'system failure',
r'memory exhausted',
r'analysis aborted'
]
for pattern in patterns:
if re.search(pattern, text, re.IGNORECASE):
return True, f"Suspicious pattern detected: {pattern}"
return False, "Clean"
Usage in security pipeline
sample_output = get_ai_agent_output(suspicious_binary)
is_injected, reason = detect_prompt_injection(sample_output)
if is_injected:
escalate_to_human_analyst(sample_output, reason)
Linux-based AI pipeline security commands:
Monitor AI agent logs for unusual patterns tail -f /var/log/ai-agent/analysis.log | grep -E "abort|failure|timeout|excessive" Implement rate limiting for AI analysis requests iptables -A INPUT -p tcp --dport 5000 -m limit --limit 10/minute -j ACCEPT Isolate AI analysis environment docker run --rm --read-only --tmpfs /tmp:rw,noexec,nosuid security-sandbox
What Undercode Say:
- Key Takeaway 1: Gaslight represents a paradigm shift in malware evolution—attackers are now targeting the perception layer of AI defenders rather than exploiting software vulnerabilities. This “gaslighting” technique is likely to be adopted by other threat actors across different platforms.
-
Key Takeaway 2: The combination of Rust’s memory safety, Telegram-based C2 hardening, and prompt injection evasion makes Gaslight a formidable threat that requires layered defenses combining signature-based detection, behavioral monitoring, and AI output validation.
Analysis:
The Gaslight campaign underscores a critical vulnerability in the cybersecurity industry’s increasing reliance on AI-assisted analysis. By embedding 38 fake system messages designed to mimic legitimate AI triage output, the malware exploits the very trust that security teams place in automated tools. This represents a worrying trend where attackers study and weaponize the analytical pipelines of their defenders. The use of Rust—a memory-safe language—demonstrates that advanced threat actors are investing in robust, reliable malware that minimizes operational errors. The hardened Telegram C2 channel, with AES-GCM encryption, certificate pinning, and proxy support, indicates a sophisticated understanding of enterprise network monitoring and evasion techniques. Organizations must now treat AI-assisted security tools as potential attack surfaces and implement validation layers that combine automated triage with human review for high-risk samples. The DPRK attribution, given the targeting of Web3, crypto, and gaming communities, aligns with North Korea’s known cyber-financial operations. Defenders should expect iteration—Gaslight is likely the first of many AI-targeting malware families to emerge in the coming years.
Prediction:
- +1 The Gaslight discovery will accelerate the development of AI-specific security frameworks, including deterministic prompt-injection detectors and adversarial training for malware analysis models, ultimately strengthening the defensive posture of the industry.
-
-1 Other nation-state actors and cybercriminal groups will rapidly adopt and adapt Gaslight’s prompt injection techniques, leading to a wave of AI-targeting malware across Windows, Linux, and cloud environments before effective countermeasures are widely deployed.
-
-1 The use of Telegram as a hardened C2 channel will become more prevalent, making network-based detection increasingly difficult and forcing security teams to invest heavily in decryption and behavioral analysis capabilities.
-
+1 The shift toward Rust in malware development will prompt the security industry to develop better reverse-engineering tools and training programs focused on Rust binary analysis, creating new opportunities for cybersecurity professionals.
-
-1 Social engineering campaigns leveraging fake job recruitment and meeting software will intensify, particularly targeting crypto and Web3 professionals, leading to increased credential theft and financial losses before awareness campaigns catch up.
-
+1 Apple’s rapid XProtect response and the multi-vendor detection on VirusTotal demonstrate that collaborative threat intelligence sharing remains effective against even the most sophisticated malware.
-
-1 The Gaslight campaign’s success in evading AI analysis will erode trust in automated security tools, potentially leading to analyst burnout and slower response times as more samples require manual review.
-
+1 The incident will drive adoption of “human-in-the-loop” validation workflows for AI-assisted security, creating a more robust and resilient defense ecosystem that combines the speed of automation with human judgment.
▶️ Related Video (78% Match):
https://www.youtube.com/watch?v=0UCHgWKLCXI
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


