Malware has learned a new trick: manipulating the AI tools security researchers increasingly rely on to understand it.
SentinelOne researchers identified a previously undocumented macOS malware strain, dubbed macOS.Gaslight, that uses prompt injection to mislead large language models used in malware analysis. The malware also functions as a remote backdoor and infostealer, allowing attackers to control compromised Macs and exfiltrate data through Telegram-based command-and-control infrastructure.
The finding points to a new wrinkle in cyber defense: AI tools may help researchers move faster, but attackers are already experimenting with ways to poison what those tools see.
What makes macOS.Gaslight stand out?
Unlike traditional malware that hides from antivirus software or goes dormant in sandbox environments, this malware “plants bogus warnings about injection vulnerabilities and static-analysis flags. The aim is to push an LLM agent into aborting, truncating, or refusing analysis,” the researchers noted.
Hidden within macOS.Gaslight is 38 fabricated messages, including debugging logs, crash reports, and system errors, that the malware uses to pull such tricks.
For instance, a security researcher could ask an AI malware analyzer to scan a file and explain what it does. While reading the code, the AI will encounter those embedded fake prompts. Mistaking those messages for genuine instructions or safety alerts, the AI may simply output any of the messages.
That technique, combined with the malware’s macOS-specific nature, inspired its name. The researchers also linked the malware to North Korean threat actors.
Two sides of macOS.Gaslight
The Rust-based implant doubles as a remote backdoor and an infostealer, allowing attackers to execute shell commands, upload files, terminate processes, and collect data from compromised systems.
An embedded Base64-encoded Python script allows the collection of browser data, Terminal history, hardware and software information, and credentials stored in the macOS Keychain. The stolen information is packaged into a ZIP archive before being exfiltrated.
To maintain persistence, macOS.Gaslight creates a LaunchAgent (com.apple.system.services.activity) that mimics a legitimate Apple service, allowing it to run automatically after a reboot. The malware also uses Telegram as a C2 server via Telegram’s Bot API, potentially to avoid detection by communicating through Telegram’s legitimate infrastructure.
Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
Questions remain as researchers track the new malware
Despite extensive analysis, SentinelOne did not name any initial access mechanism, leaving open the question of whether attackers distribute the malware through phishing, trojanized software, or another method. TechRadar says that the malware infects devices by whatever means necessary, but still cites phishing.
That uncertainty, combined with the malware’s low profile, suggests the campaign may still be in its early stages. At the time of SentinelOne’s investigation, none of the submitted samples were detected by security vendors on VirusTotal, indicating the malware had not yet been widely recognized by the security community.
The findings also reinforce the idea that AI-assisted malware analysis should complement, rather than replace, traditional human reverse engineering.
For Mac users who are the primary victims of this, continued adherence to established security practices should be a priority while researchers continue to learn more about the malware.
Also read: Google’s Chrome 149 security update fixes 18 browser vulnerabilities, including critical flaws in WebGL, Autofill, and Blink, highlighting the importance of keeping browsers up to date to reduce exposure to active exploits.