← Back to feed

macOS.Gaslight: DPRK-Aligned Rust Backdoor Uses Prompt Injection Against LLM-Assisted Malware Triage

Date: 2026-07-03
Tags: apt, malware, prompt-injection

Executive Summary

SentinelLABS analyzed macOS.Gaslight, a Rust-based macOS implant that combines Telegram Bot API command-and-control, AES-GCM encrypted payloads, certificate-pinned TLS, interactive shell access, and browser/keychain collection. The implant embeds a 3.5 KB prompt-injection payload composed of fabricated system messages intended to derail LLM-assisted malware triage. SentinelLABS assesses with high confidence that macOS.Gaslight belongs to a DPRK-aligned macOS activity cluster.

Campaign Summary

FieldDetail
Campaign / MalwaremacOS.Gaslight
AttributionDPRK-aligned macOS activity (SentinelLABS high confidence)
TargetmacOS systems; analysts and automated triage pipelines using LLM-assisted malware analysis
VectorRust Mach-O implant with Telegram Bot API C2 and embedded prompt-injection content
Statusactive
First Observed2026-05-22

Detailed Findings

macOS.Gaslight is an ad hoc signed Mach-O implant written in Rust. Apple XProtect identified the sample through the MACOS_BONZAI_COBUCH rule after a VirusTotal upload on May 22, 2026. SentinelLABS links the implant to DPRK-aligned macOS activity through the BONZAI signature family and related AIRPIPE/BONZAI samples.

The implant uses Telegram Bot API getUpdates polling for C2. It treats Telegram Conflict responses as a single-instance lock, encrypts payloads with AES-GCM, and pins TLS through a custom trust anchor. The runtime configuration supplies Telegram room ID, bot token material, AES key, upload URLs, persistence names, payload paths, and platform-specific options. The binary self-redacts the Telegram bot token in its own runtime output, limiting token recovery from logs or crash artifacts.

Operator functionality includes help, id, shell, kill, upload, and stop, with evidence of a possible focus command. The implant creates a power-management assertion to prevent system sleep and maintain long-running polling. Its embedded Python collection module targets Chrome, Brave, Firefox, Safari, Terminal histories, installed application inventory, running process lists, system profile output, and a raw copy of login.keychain-db, then stages collection as temp/collected_data.zip for Telegram upload.

The LLM-specific feature is defensive evasion against analysis workflows, not a sandbox escape. The implant carries fabricated "system" messages designed to convince an LLM-assisted triage process that the session is invalid, unsafe, or must be aborted. This positions prompt injection as an anti-analysis layer for malware families expected to be reviewed by AI-assisted analyst tooling.

MITRE ATT&CK Mapping

TechniqueIDContext
Command and Scripting Interpreter: Unix ShellT1059.004Interactive shell command execution through the implant
Command and Scripting Interpreter: PythonT1059.006Embedded Python collection module executed by the implant
Create or Modify System Process: Launch AgentT1543.001Runtime config includes macOS persistence fields
Data from Local SystemT1005Browser data, Terminal histories, system profile, process list, and application inventory collection
Credentials from Password StoresT1555Collection includes raw login.keychain-db copy
Application Layer Protocol: Web ProtocolsT1071.001Telegram Bot API C2 over HTTPS
Encrypted ChannelT1573AES-GCM payload encryption and pinned TLS
Obfuscated Files or InformationT1027Embedded prompt-injection content attempts to mislead LLM-assisted analysis

IOCs

Domains

_No specific malicious domains published. C2 uses Telegram Bot API infrastructure with operator-supplied bot configuration._

Full URL Paths

_No specific malicious URL path IOCs published._

Splunk Format

_No domain or URL IOCs available for Splunk query_

File Hashes

SHA256

6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525
77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca
baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239
b3c56d689414343589f38394d19ba2fe9a518133281200faa0556ba4e4136394

Affected Platforms

macOS
LLM-assisted malware triage workflows

Detection Recommendations

Block or alert on the SHA256 values above. Hunt for ad hoc signed Rust Mach-O binaries with the identifier endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea. Monitor macOS processes that create IOPMAssertionCreateWithName assertions while polling Telegram Bot API endpoints. Alert on unsigned or ad hoc signed binaries reading browser profile data, Terminal history files, system_profiler output, process lists, and login.keychain-db in the same execution window. Inspect suspicious macOS malware samples for embedded prompt-injection strings that claim the analysis session is invalid, unsafe, or must be terminated.

References