macOSGaslight: The Rust Backdoor That’s Gaslighting AI Malware Analysts with Prompt Injection + Video

By /

Listen to this Post

Featured Image

Introduction

A newly discovered macOS malware family, tracked as macOS.Gaslight, has introduced a paradigm shift in evasion tradecraft by weaponizing prompt injection not against sandboxes, but against the very AI tools security analysts rely on for triage. Discovered in early June 2025 after an Apple XProtect update surfaced a Mach-O sample uploaded to VirusTotal on May 22, this Rust-based backdoor and infostealer embeds a 3.5 KB payload of 38 fabricated “system” messages designed to trick LLM-assisted analysis pipelines into aborting or refusing examination. Attributed with high confidence to DPRK-aligned threat actors and linked to the BONZAI signature family, macOS.Gaslight represents a dangerous evolution in how adversaries can actively deceive the investigative process itself.

Learning Objectives

  • Understand the mechanics of prompt injection as an anti-analysis technique targeting LLM-assisted malware triage tools
  • Analyze the technical architecture of the Gaslight backdoor, including its Telegram-based C2, AES-GCM encryption, and certificate pinning
  • Learn to identify, detect, and respond to this emerging threat through practical detection strategies and forensic analysis

You Should Know

  1. The Prompt Injection Payload: How Gaslight Gaslights the Analyst

At the heart of macOS.Gaslight lies a 3.5 KB Markdown-fenced blob containing 38 fabricated system messages, specifically delimited by `{{DATA}}` tokens. This structure is deliberately designed to mimic the prompt scaffold of an LLM triage harness. When an AI-assisted analysis tool processes the binary, it encounters a cascade of fake warnings about:

  • Token expiry and session timeouts
  • Out-of-memory kills and resource exhaustion
  • Disk space depletion
  • Repeated operation failures
  • Simulated injection vulnerabilities

The goal is simple yet devastating: make the LLM-assisted agent doubt its own session and abort, truncate, or refuse analysis. This is not sandbox evasion—it is analyst deception. As SentinelOne researcher Phil Stokes noted, “It attacks the agent’s perception, rather than the sandbox it runs in”.

Step‑by‑step analysis of the prompt injection mechanism:

  1. Extract the payload: The prompt-injection data is embedded within the binary as a static blob. Analysts can use `strings` or `xxd` on the sample to locate the Markdown-fenced block.
  2. Identify the delimiter: The payload uses `{{DATA}}` tokens to demarcate the fabricated system messages.
  3. Analyze the content: The 38 messages are crafted to resemble legitimate system alerts that would trigger an LLM to halt processing.
  4. Understand the intent: The messages are not targeting macOS itself—they are targeting the analysis pipeline.

Linux/macOS command to inspect the payload:

 Extract strings and grep for the prompt injection delimiter
strings -1 8 /path/to/sample | grep -A 50 "{{DATA}}"

Alternatively, use xxd to view the raw hex around the payload
xxd /path/to/sample | grep -B 5 -A 5 "7b7b444154417d7d"  Hex for {{DATA}}

2. Command-and-Control via Telegram Bot API

The implant’s C2 channel operates over a Telegram Bot API `getUpdates` polling loop. The polling branch executes only when no webhook is registered, and the dispatch handler keys on three Telegram error codes: BotBlocked, InvalidToken, and Conflict.

The `Conflict` response is particularly clever: Telegram issues this when two instances of the same bot token poll simultaneously. Gaslight treats this as an implicit single-instance lock—a second copy detects the conflict and terminates. This prevents multiple infections from competing for the same C2 channel.

Once the bot token validates and polling is active, the operator can task the implant through six main commands:

| Command | Function |

||-|

| `help` | Show command help |

| `id` | Identify the implant to the operator |
| `shell` | Execute a shell command via `execvp` |
| `kill` | Terminate a target process by PID |
| `upload` | Exfiltrate a file via Telegram’s `attach://` mechanism |

| `stop` | Halt execution |

A seventh command named `focus` has been identified but its functionality remains undetermined.

Step‑by‑step C2 analysis:

  1. Monitor network traffic: Look for outbound connections to `api.telegram.org` on port 443.
  2. Inspect TLS certificates: The implant uses certificate pinning, so standard proxy inspection will fail.
  3. Check for polling patterns: Frequent `getUpdates` requests with a bot token in the URL parameter.
  4. Extract the bot token: The token is supplied at runtime, not hard-coded. However, the implant self-redacts its token from runtime output, denying it to anyone who captures logs or crash artifacts.

Command to detect Telegram C2 traffic (Linux/macOS):

 Monitor outgoing connections to Telegram API
sudo lsof -i -1 -P | grep -E "api.telegram.org|149.154.167"

Or use tcpdump to capture TLS handshakes to Telegram IP ranges
sudo tcpdump -i en0 -1 "host 149.154.167.0/24 or host 149.154.175.0/24"

Windows equivalent (using PowerShell):

 Monitor established connections to Telegram
Get-1etTCPConnection | Where-Object {$_.RemoteAddress -match "149.154.167|149.154.175"}

3. Transport Hardening: AES-GCM Over Pinned TLS

All C2 payloads are encrypted with AES-GCM, implemented using the pure-Rust `aes-gcm` 0.10.3 crate. A fresh nonce is generated per message via CCRandomGenerateBytes. The AES key is supplied at runtime through the `aes_key` field in the operator config rather than being embedded in the sample.

On top of payload encryption, the implant configures a custom certificate trust anchor and calls SecTrustSetAnchorCertificatesOnly, restricting TLS trust evaluation to that anchor alone. This certificate pinning rejects connections intercepted by a standard proxy CA, frustrating network-level inspection. The implant also honors the host’s proxy settings, reading the active system proxy configuration via SCDynamicStoreCopyProxies.

Detection strategies:

  • Network: Look for TLS handshakes with non-standard certificate chains or unusual SNI values.
  • Endpoint: Monitor for processes calling SecTrustSetAnchorCertificatesOnly—this is a strong indicator of certificate pinning.
  • Memory forensics: Dump process memory and search for AES keys or the Telegram bot token before self-redaction occurs.

Command to monitor for certificate pinning on macOS:

 Monitor for security framework calls
sudo dtrace -1 'syscall::SecTrust:entry { printf("%s\n", probefunc); }'

4. Persistence and Masquerading

Persistence is achieved through a LaunchAgent with the label com.apple.system.services.activity. The `.plist` file is placed in `~/Library/LaunchAgents/` or /Library/LaunchAgents/, masquerading within Apple’s `com.apple.` namespace—a tactic widely used in macOS malware, including previous DPRK-linked families.

The implant also prevents host sleep, ensuring the backdoor can keep its C2 polling alive even during periods of user inactivity.

Detection commands:

 List all LaunchAgents with suspicious labels
launchctl list | grep -E "com.apple.system"

Check plist files for the specific label
find ~/Library/LaunchAgents /Library/LaunchAgents -1ame ".plist" -exec grep -l "com.apple.system.services.activity" {} \;

Examine the plist content
plutil -p /path/to/com.apple.system.services.activity.plist

Windows (if similar persistence mechanisms are observed in cross-platform variants):

 Check for scheduled tasks or registry run keys
Get-ScheduledTask | Where-Object {$_.TaskName -like "apple"}
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

5. The Python Stealer and Data Exfiltration

Embedded within the malware is a 6.6 KB Base64-encoded Python script that functions as an information-gathering suite. This script harvests:

  • Terminal command histories
  • Installed application listings
  • Snapshots of running processes
  • System hardware and software profiles
  • macOS Keychain database (MITRE ATT&CK T1555.001)
  • Browser data from Chrome, Brave, Firefox, and Safari

The Python stealer is deployed via a separate 2 KB Base64-encoded bash installer that drops a `cpython-3.10.18` interpreter from the `astral-sh/python-build-standalone` project. The collected data is compressed into a ZIP archive (temp/collected_data.zip) and uploaded via Telegram.

Notably, the presence of emojis and extensive comment headers indicates that the Python script was likely generated using a large language model (LLM)—a dark irony given the malware’s primary anti-analysis technique.

Detection and forensic commands:

 Search for the Python stealer script in memory or disk
grep -r "astral-sh/python-build-standalone" /tmp/ /var/tmp/ ~/Library/

Look for the collected_data.zip artifact
find / -1ame "collected_data.zip" 2>/dev/null

Monitor for unexpected Python interpreter executions
ps aux | grep -E "python.cpython|python3.10"

Windows (for cross-platform awareness):

 Search for Python interpreters not in standard locations
Get-Process python | Where-Object {$<em>.Path -1otlike "C:\Python" -and $</em>.Path -1otlike "C:\Program Files\Python"}

6. Evasion and Anti-Analysis Techniques

Gaslight employs multiple layers of evasion beyond prompt injection:

  • Dynamic API resolution: Resolves API calls at runtime via dlsym, steering clear of static symbol tables.
  • Self-redaction: Strips the Telegram bot token from its own runtime output, preventing recovery from crash artifacts or memory dumps.
  • Ad hoc signing: The binary is ad hoc signed and remains undetected by static engines on VirusTotal.
  • Runtime configuration: The bot token, chat ID, AES key, and operator config are supplied at runtime, not hard-coded.

What Undercode Say:

  • Key Takeaway 1: macOS.Gaslight represents a fundamental shift from sandbox evasion to analyst deception. By targeting the AI triage pipeline itself, attackers have found a way to make the analysis tools—not just the target environment—the weak link in the defense chain.
  • Key Takeaway 2: The use of Telegram Bot API as C2, combined with AES-GCM encryption and certificate pinning, demonstrates a mature, well-engineered threat that prioritizes operational security and persistence over simplicity.

Analysis:

The emergence of macOS.Gaslight signals a new arms race in cybersecurity: one where adversaries actively manipulate the very tools defenders use to analyze threats. The prompt injection technique is particularly insidious because it exploits a fundamental trust assumption—that analysis tools will faithfully report what they find. By poisoning that trust, Gaslight can cause AI-assisted triage to fail silently, leaving the malware undetected in environments that rely heavily on automated analysis.

The DPRK attribution adds geopolitical weight to the threat. North Korean threat actors have consistently demonstrated sophistication in macOS malware development, and Gaslight is no exception. The combination of infostealer functionality, persistent C2, and AI-targeted evasion suggests a strategic investment in macOS compromise capabilities.

For defenders, the lesson is clear: AI-assisted analysis tools must be designed with adversarial inputs in mind. Prompt injection is not just a theoretical concern—it is a live threat being exploited in the wild. Organizations should implement validation layers that sanitize or inspect inputs before they reach LLM pipelines, and human analysts should be trained to recognize when AI tools may be compromised.

Prediction:

  • +1 The disclosure of macOS.Gaslight will accelerate research into adversarial robustness for LLM-assisted security tools, leading to more resilient analysis pipelines within 12–18 months.
  • -1 The success of this technique will inspire copycat implementations across other platforms (Windows, Linux) and other threat actors, expanding the attack surface beyond macOS.
  • -1 As AI-assisted analysis becomes more prevalent in SOCs, prompt injection will become a standard component of advanced malware toolkits, forcing a costly retooling of defensive AI systems.
  • +1 Increased awareness will drive demand for LLM input sanitization and monitoring solutions, creating new opportunities in the AI security market.
  • -1 Organizations that rely heavily on automated AI triage without human oversight will face elevated risk of undetected compromises in the short term.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Varshu25 Macosgaslight – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: