3 Sources
[1]
New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis
A previously undocumented Rust-based macOS implant and information stealer has been found to embed a prompt injection payload designed to trick a malware analyst's artificial intelligence (AI) tools and trick it into aborting or refusing an analysis of the artifact. The malware has been codenamed Gaslight owing to this deceptive behavior. It's been assessed with high confidence that the tool is the work of North Korea-aligned threat actors. "Its most notable feature is an embedded cascade of fabricated system-failure messages, designed to make an LLM-assisted triage agent doubt its own session," SentinelOne researcher Phil Stokes said in a technical report. "It attacks the agent's perception, rather than the sandbox it runs in." Central to the malware's architecture is a Telegram bot API based command-and-control (C2) channel that enters into a polling loop, allowing the operator to issue instructions over an interactive shell and return the results of the execution. In the event two instances of the same bot token poll simultaneously, a "Conflict" response is issued, causing the second copy to terminate. The shell supports six main commands, granting a persistent foothold over the infected host - * help, to show command help * id, to identify the implant to the operator * shell, to execute a shell command via execvp * kill, to terminate a target process by PID * upload, to exfiltrate a file via Telegram's "attach://" mechanism * stop, to halt the execution of the implant SentinelOne said it identified signs suggesting the presence of a seventh command named "focus," although its functionality remains undetermined at this stage. To achieve persistence, Gaslight makes use of a LaunchAgent that uses the label "com.apple.system.services.activity" in its .plist file. Also embedded within the malware is a 6.6 KB Base64-encoded Python script that functions as an information gathering suite responsible for harvesting Terminal command histories, installed application listings, snapshots of running processes, system hardware and software profile, macOS Keychain database, and data from Chrome, Brave, Firefox, and Safari web browsers. The collected data is subsequently compressed into a ZIP archive ("temp/collected_data.zip") and uploaded via Telegram. The Python stealer, for its part, is deployed by means of a separate 2 KB Base64-encoded bash installer that drops a cpython-3.10.18 interpreter from the "astral-sh/python-build-standalone" project. The presence of emojis and extensive comment headers indicates that it was likely generated using a large language model (LLM). What's notable about Gaslight is that details related to the bot token, the chat ID (tg_room_id), and the rest of the operator configuration are not hard-coded into the sample, but rather supplied at runtime. "The implant self-redacts its Telegram bot token in its own runtime output, denying it to anyone who captures logs or crash artifacts," Stokes added. On top of that, the malware attempts to evade an AI-based detection by incorporating a Markdown-fenced block containing 38 fabricated "system" messages designed to trick a security agent into aborting, truncating, or refusing analysis. "The scaffold contains fake system messages about token expiry, out-of-memory kills, disk exhaustion, and repeated operation failures. It also plants bogus warnings about injection vulnerabilities and static-analysis flags," SentinelOne said, calling it an "attempt to weaponize the LLM-assisted triage pipelines that increasingly sit in the reverse-engineering loop."
[2]
New macOS malware embeds fake errors to confuse AI analysis tools
A newly discovered macOS malware dubbed "Gaslight" is designed to confuse AI-assisted malware analysis tools by hiding prompt injection strings and fake debugging data within the executable. Cybersecurity researchers are increasingly using AI-powered tools to assist with malware analysis and reverse engineering. The malware contains strings that attempt to gaslight AI-assisted analysis tools into believing there is an analysis error or other issue, potentially causing the tools to abort, truncate, or otherwise interfere with the analysis. The company attributes the malware with high confidence to a North Korean-linked threat actor. The malware itself is a Rust binary with backdoor and information-stealing functionality commonly seen in similar malware. What makes the malware stand out is a 3.5 KB payload containing 38 fake "system" messages embedded directly within the binary. The fake messages pretend to be developer logs, crash reports, debugging output, and program alerts, using Markdown formatting and template-style placeholders to appear like legitimate analysis data. Examples include fabricated memory dumps, token-expiration warnings, Redis connection failures, build-pipeline errors, SQL injection alerts, and other messages unrelated to the malware's actual behavior. Examples of the embedded "error" strings found by SentinelOne are listed below: According to SentinelOne, the goal of these fake errors is not to evade execution inside a sandbox, but to confuse AI systems that read the strings during automated analysis. "Its most notable feature is an embedded cascade of fabricated system-failure messages, designed to make an LLM-assisted triage agent doubt its own session," explains SentinelOne. "It attacks the agent's perception, rather than the sandbox it runs in. Accordingly, we dub this family macOS.Gaslight." SentinelOne says these strings are prompt injection content designed to make an LLM-assisted analysis pipeline question the validity of its own session or refuse to continue analyzing the sample. "The scaffold contains fake system messages about token expiry, out-of-memory kills, disk exhaustion, and repeated operation failures," continue the researchers. "It also plants bogus warnings about injection vulnerabilities and static-analysis flags. The aim is to push an LLM agent into aborting, truncating, or refusing analysis." While SentinelOne did not demonstrate the technique could successfully bypass AI malware analysis platforms, the findings suggest threat actors are experimenting with anti-analysis methods designed specifically to bypass AI-assisted security platforms.
[3]
This macOS malware can avoid AI analysis with gaslighting prompts hidden inside its architecture
* SentinelOne uncovered macOS malware "Gaslight" that uses prompt injection to mislead AI‑assisted triage tools during analysis * Beyond standard backdoor and infostealer capabilities, it embeds fake Markdown "system" messages to trick LLMs into halting investigation * Researchers warn defenders to treat malware samples as adversarial input and isolate AI pipelines, as more analyst‑targeting prompt injection is expected We've seen prompt injection in websites and emails, but what about - malware samples? Security researchers SentinelOne recently published an in-depth report on a newly uncovered piece of macOS malware called Gaslight that, as the name suggests, tries to gaslight AI-assisted triage agents into stopping the analysis. The malware itself is nothing out of the ordinary: it infects the device by whatever means necessary (usually phishing and social engineering), connects to attacker-controlled infrastructure via Telegram, and then executes different commands such as profiling the device, running arbitrary shell commands, stealing files, or terminating processes. It also delivers a stage-two malware that acts as an infostealer, pulling passwords, sensitive PDFs, cryptocurrency wallet information, and more. Weaponizing LLM-assisted triage pipelines But where Gaslight stands out is its defenses against AI-powered malware analysis. According to SentinelOne, the malware contains a large block of fake Markdown-formatted "system" messages designed for AI assistants that security researchers may use during reverse engineering. These messages claim things like "the AI's authentication token has expired", "the analysis environment is running out of memory", "disk space has been exhausted", "static analysis is unsafe", and similar. While a human analyst would definitely recognize these fake messages even at a glance, an LLM that isn't properly isolated from untrusted input could interpret them as genuine system instructions and refuse to further analyze the malware. "macOS.Gaslight is noteworthy for its analyst-targeting prompt injection, an attempt to weaponize the LLM-assisted triage pipelines that increasingly sit in the reverse-engineering loop," SentinelOne explains. "Anyone building such tooling should treat the contents of the samples they triage as adversarial input, never as instructions, and be prepared to keep hostile content out of the model entirely. As LLM-assisted analysis becomes routine, defenders should expect more samples built to exploit it." The researchers have published a full list of indicators of compromise on this link. Via The Hacker News Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Share
Copy Link
SentinelOne researchers uncovered a Rust-based macOS malware called Gaslight that embeds 38 fabricated system-failure messages to trick AI-assisted analysis tools into aborting investigations. Attributed to North Korea-aligned threat actors, the malware marks a shift in adversarial tactics—targeting the AI agents that security researchers increasingly rely on rather than traditional sandbox environments.
Security researchers at SentinelOne have identified a sophisticated Rust-based malware targeting macOS systems that employs an unusual defense mechanism: it attempts to deceive AI-assisted malware analysis tools through prompt injection
1
. Dubbed Gaslight macOS malware for its deceptive behavior, this threat represents a notable evolution in adversarial techniques against AI security platforms. The malware has been attributed with high confidence to North Korea-aligned threat actors, adding another dimension to the persistent cyber threats emanating from the region2
.
Source: Hacker News
What distinguishes this information stealer from conventional malware is its embedded 3.5 KB payload containing 38 fabricated system-failure messages designed specifically to disrupt AI-assisted analysis
3
. These fake error messages masquerade as legitimate developer logs, crash reports, and debugging output, using Markdown formatting to appear authentic. Examples include fabricated memory dumps, token-expiration warnings, Redis connection failures, and SQL injection alerts—none of which relate to the malware's actual behavior2
.The core innovation of Gaslight lies in its adversarial technique against AI security systems. Rather than evading execution inside traditional sandbox environments, the malware targets the perception of LLM-based triage agents that security researchers increasingly deploy during reverse engineering. "Its most notable feature is an embedded cascade of fabricated system-failure messages, designed to make an LLM-assisted triage agent doubt its own session," explained SentinelOne researcher Phil Stokes. "It attacks the agent's perception, rather than the sandbox it runs in"
1
.
Source: BleepingComputer
These AI-targeting prompt injection attacks aim to push an LLM agent into aborting, truncating, or refusing analysis by planting bogus warnings about injection vulnerabilities, static-analysis flags, disk exhaustion, and repeated operation failures
1
. While a human analyst would likely recognize these fake error messages at a glance, an LLM that isn't properly isolated from untrusted input could interpret them as genuine system instructions and halt its investigation3
.Beyond its AI-deception capabilities, Gaslight functions as a fully-featured backdoor with standard information stealer functionality. The malware establishes command-and-control communications through a Telegram bot API channel that enters a polling loop, enabling operators to issue instructions over an interactive shell
1
. The shell supports six main commands: help, id, shell (to execute commands via execvp), kill (to terminate processes by PID), upload (to exfiltrate files via Telegram's "attach://" mechanism), and stop1
.To maintain persistence, the malware deploys a LaunchAgent using the label "com.apple.system.services.activity" in its .plist file
1
. Embedded within the malware is a 6.6 KB Base64-encoded Python script that harvests Terminal command histories, installed applications, running processes, system profiles, macOS Keychain database contents, and data from Chrome, Brave, Firefox, and Safari browsers. The collected information is compressed into a ZIP archive and uploaded via Telegram1
.Related Stories
Gaslight demonstrates sophisticated operational security measures. Configuration details including the bot token, chat ID (tg_room_id), and operator settings are not hard-coded but supplied at runtime. The implant self-redacts its Telegram bot token in its own runtime output, denying critical indicators of compromise to anyone capturing logs or crash artifacts
1
. This approach significantly complicates forensic analysis and threat intelligence gathering efforts.SentinelOne characterizes this development as "an attempt to weaponize the LLM-assisted triage pipelines that increasingly sit in the reverse-engineering loop"
1
. The researchers warn that as cybersecurity professionals increasingly adopt AI-powered tools for malware analysis and reverse engineering, threat actors will continue experimenting with methods to deceive AI-assisted malware analysis tools2
.
Source: TechRadar
"Anyone building such tooling should treat the contents of the samples they triage as adversarial input, never as instructions, and be prepared to keep hostile content out of the model entirely," SentinelOne advises. "As LLM-assisted analysis becomes routine, defenders should expect more samples built to exploit it"
3
. Security teams should implement proper isolation for AI pipelines and validate that AI assistants cannot be manipulated by malicious content embedded in samples under analysis. SentinelOne has published a full list of indicators of compromise to help organizations detect this emerging threat3
.Summarized by
Navi
[2]
04 Dec 2024•Technology

11 Dec 2025•Technology

05 Nov 2025•Technology

1
Policy and Regulation

2
Technology

3
Technology
