SentinelOne researchers have disclosed details of a previously undocumented macOS malware family named Gaslight that combines information stealing capabilities with prompt injection techniques aimed at disrupting artificial intelligence assisted malware analysis. The malware, which is written in the Rust programming language, has been assessed with high confidence as the work of North Korea aligned threat actors. Unlike conventional malware that focuses only on avoiding detection by security software, Gaslight attempts to manipulate AI powered analysis tools by embedding deceptive instructions that encourage automated investigation systems to terminate or refuse further examination of the malware sample. SentinelOne researcher Phil Stokes explained that the malware contains a carefully crafted collection of fabricated system failure messages designed to undermine the confidence of large language model based security assistants during malware triage. Instead of targeting the analysis environment itself, the malware attempts to influence the reasoning process of AI tools, creating false indications of technical failures such as expired authentication tokens, memory shortages, storage exhaustion, repeated processing errors, and fabricated warnings about injection attacks or static analysis issues. Researchers said this represents an attempt to interfere directly with AI assisted reverse engineering workflows that are increasingly being adopted by cybersecurity teams.
At the core of Gaslight is a command and control infrastructure built around the Telegram Bot API, allowing operators to remotely manage infected systems through an interactive shell. Once installed, the malware continuously polls Telegram for incoming commands and returns execution results to the operator. Researchers found that if two malware instances using the same bot token attempt to communicate simultaneously, Telegram returns a conflict response that causes the second copy to terminate automatically. SentinelOne identified six confirmed commands supported by the malware, enabling attackers to display help information, identify the implant, execute shell commands, terminate selected processes using process identifiers, upload files through Telegram’s attachment mechanism, and stop malware execution. Researchers also discovered evidence of a seventh command named “focus,” although its exact functionality has not yet been determined. To maintain long term persistence on compromised devices, Gaslight installs a LaunchAgent configured with the label “com.apple.system.services.activity,” allowing the malware to execute automatically each time the affected macOS system starts. Another notable design feature is that sensitive operational details such as Telegram bot tokens, chat identifiers, and additional operator configuration values are not permanently embedded within the malware. Instead, these values are supplied during runtime, while the malware also conceals its Telegram bot token from runtime output to prevent investigators from recovering command and control information through captured logs or crash reports.
Gaslight also includes an extensive information stealing component embedded as a 6.6 KB Base64 encoded Python script responsible for gathering a wide range of sensitive information from infected systems. The script collects Terminal command histories, lists of installed applications, running process information, hardware and software profiles, macOS Keychain databases, and browser data from Google Chrome, Brave, Firefox, and Safari. After collecting the information, the malware compresses the data into a ZIP archive named collected_data.zip before transmitting it to operators through Telegram. Deployment of the Python based information stealer is handled through a separate 2 KB Base64 encoded Bash installer that installs a standalone CPython 3.10.18 interpreter obtained from the python build standalone project. SentinelOne observed that the installer contains extensive comment headers and emoji usage, characteristics suggesting it may have been generated with assistance from a large language model. Researchers noted that this combination of Rust, Python, Bash scripting, and Telegram based infrastructure provides attackers with both operational flexibility and a comprehensive method for collecting valuable information from compromised Apple systems.
Researchers believe the malware’s most distinctive capability is its attempt to interfere directly with AI based security investigations through prompt injection. Embedded within the malware is a Markdown formatted block containing 38 fabricated system messages specifically designed to influence AI powered analysis platforms into abandoning or limiting their examination of the sample. These false messages simulate conditions including expired tokens, failed operations, insufficient memory, storage limitations, and repeated internal errors while also presenting misleading warnings about analysis reliability. According to SentinelOne, the objective is not to bypass traditional security controls but to exploit the increasing use of AI within malware analysis pipelines by manipulating automated reasoning systems before analysts receive investigation results. The findings demonstrate how threat actors are beginning to adapt their techniques to account for artificial intelligence being integrated into modern cybersecurity operations, introducing a new category of defensive challenges where both malware functionality and deceptive AI focused content become part of an attacker’s overall strategy.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
