preloader

· cybersecurity malware macos ai prompt-injection north-korea digital-security

Gaslight: The North Korean macOS Backdoor Designed to Confuse AI Security Tools

Source: The Hacker News / TechRadar / CyberPress / TechTimes / SentinelOne

Security researchers at SentinelOne published analysis on 25 June 2026 of a new macOS backdoor they have named Gaslight, attributed to threat actors aligned with North Korea. The malware performs traditional espionage functions including credential theft and remote command execution via a Telegram bot-based command-and-control channel. What distinguishes it analytically is a second objective: deliberately interfering with the AI-assisted tools that security analysts now use to triage and investigate suspicious files.

What Gaslight does on an infected system

Gaslight is written in Rust, a language increasingly favoured by advanced threat actors because it produces compact binaries that are harder to reverse-engineer than code compiled from more familiar languages. The malware establishes its command-and-control channel through the Telegram Bot API, allowing operators to issue shell commands and collect output through a widely-used messaging platform that is rarely blocked at the network perimeter.

Capabilities documented by SentinelOne include interactive shell access, system information gathering, and retrieval and execution of additional payloads delivered through the Telegram channel. On those dimensions alone, Gaslight behaves like a conventional remote access tool targeting macOS environments.

The prompt injection layer

The feature that distinguishes Gaslight from other macOS malware is an embedded Markdown-formatted block containing 38 fabricated system messages, placed inside the binary with the explicit intent of misleading large language model (LLM) based malware analysis tools.

These fake messages are not displayed to the victim or executed in any conventional sense. They are embedded within the malware’s binary so that when an AI-assisted triage tool reads and analyses the file, the injected text manipulates the AI’s output rather than the underlying system. The 38 fabricated messages include false reports of token expiry, memory overflow conditions, disk space depletion, injection vulnerabilities already flagged, and static analysis completion signals. The intended effect is to cause an AI analyst tool to prematurely conclude that investigation is complete or that the file is already handled, short-circuiting deeper analysis.

Does it currently work?

SentinelLABS tested the prompt injection payload against current production AI malware analysis platforms and found that it did not successfully bypass any of them. The technique was detected or ignored.

That result should not be mistaken for reassurance. Earlier North Korean macOS malware samples contained a single injected message block pursuing the same goal. Gaslight embeds 38. The scale of the injection attempt, combined with the well-documented pattern of North Korean cyber groups iterating on techniques based on operational feedback, indicates that the threat actors behind Gaslight are actively testing against live AI security tooling and refining based on what they observe.

What failed today as version 3 or 4 of this approach may succeed as version 7 or 8. The gap between the current failure and future success is the time available to improve defences.

Why this matters for organisations using AI security tooling

Many enterprise security teams now incorporate AI-assisted analysis into their malware triage workflows. Endpoint detection platforms increasingly use LLM-based components for alert summarisation, threat classification, and analyst prioritisation. Gaslight is the first publicly documented case where adversaries have deployed a malware sample with the explicit goal of manipulating those AI components, not merely evading traditional detection.

The distinction is important. Traditional evasion techniques attempt to make malware invisible. Prompt injection attacks attempt to manipulate the conclusions a tool reaches after it reads the malware. An AI analysis tool that reads Gaslight and returns an assessment shaped by the injected text is not failing to detect the file. It is being actively deceived about what it found.

For security teams that have integrated AI tooling into their investigation workflows, the question raised by Gaslight is not whether their tools detected this particular sample. The question is whether the AI components they rely on could be manipulated by adversarial text embedded in analysed files, and whether any verification layer exists to catch AI analysis that has been influenced in this way.

The macOS threat landscape

macOS has historically been treated as a lower-risk platform in enterprise security planning, particularly compared to Windows. That perception is increasingly misaligned with reality. North Korean threat actors have developed a sustained and documented capability targeting macOS environments, with campaigns targeting cryptocurrency platforms, research institutions, and technology firms operating across Europe and globally.

The focus on macOS reflects where high-value targets operate. Developers, security researchers, and executives at technology and financial firms frequently use macOS as their primary environment. A compromised developer machine can provide access to source code repositories, cloud platform credentials, code signing keys, and internal tooling that represents some of the most sensitive assets in an organisation.

Steps for security teams

Verify that macOS endpoints in your environment are covered by endpoint detection and response tooling with active agents reporting. Review whether your malware analysis pipeline incorporates AI-assisted triage components, and if so, whether the vendor of that tooling has assessed or addressed the prompt injection risk Gaslight demonstrates.

AI analysis tools that process potentially adversarial files should be treated with the same scrutiny applied to any system that handles untrusted input. The output of an AI tool that has processed a file containing injected instructions should be treated as potentially influenced rather than authoritative.

If your organisation relies on macOS in developer or executive environments, uses AI-assisted tools in your security operations workflow, or wants to understand your current exposure to North Korean threat actor techniques targeting your platforms, contact Excello Digital. We help organisations identify where their security tooling introduces dependencies that adversaries are actively learning to exploit.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

Back to news

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!