A previously undocumented **Rust**-based **macOS** implant and information stealer has been discovered, featuring a unique prompt injection payload. This payload is specifically engineered to trick artificial intelligence (AI) tools used by malware analysts, causing them to abort or refuse analysis of the artifact. Codified as **Gaslight**, this malware earns its name from its deceptive behavior. Security researchers have attributed the tool with high confidence to North Korea-aligned threat actors. "Its most notable feature is an embedded cascade of fabricated system-failure messages, designed to make an LLM-assisted triage agent doubt its own session," stated **SentinelOne** researcher Phil Stokes in their technical report. "It attacks the agent's perception, rather than the sandbox it runs in."  ## Command and Control via Telegram Central to **Gaslight**'s architecture is a **Telegram** bot API-based command-and-control (C2) channel. This channel operates through a polling loop, enabling the operator to issue instructions via an interactive shell and receive execution results. A "Conflict" response is issued if two instances of the same bot token poll simultaneously, leading to the termination of the second copy. ## Persistent Foothold and Data Exfiltration ### Core Commands The shell supports six primary commands, establishing a persistent foothold on the infected host: * `help`: Displays command assistance. * `id`: Identifies the implant to the operator. * `shell`: Executes a shell command using `execvp`. * `kill`: Terminates a target process by its Process ID (PID). * `upload`: Exfiltrates a file via **Telegram**'s "attach://" mechanism. * `stop`: Halts the implant's execution. **SentinelOne** also noted signs of a seventh command, "focus," though its specific functionality remains unknown. ### Persistence Mechanism For persistence, **Gaslight** leverages a **LaunchAgent** that employs the label "com.apple.system.services.activity" within its `.plist` file. ## Information Gathering Capabilities Embedded within the malware is a 6.6 KB Base64-encoded **Python** script. This script acts as a comprehensive information-gathering suite, designed to harvest: * **Terminal** command histories * Installed application listings * Snapshots of running processes * System hardware and software profiles * **macOS Keychain** database * Data from **Chrome**, **Brave**, **Firefox**, and **Safari** web browsers The collected data is then compressed into a **ZIP** archive ("temp/collected_data.zip") and subsequently uploaded via **Telegram**. ### Python Stealer Deployment The **Python** stealer is deployed by a separate 2 KB Base64-encoded bash installer. This installer drops a `cpython-3.10.18` interpreter sourced from the "astral-sh/python-build-standalone" project. The presence of emojis and extensive comment headers within the script suggests it was likely generated using a large language model (LLM). ## Evasion Tactics: AI Poisoning and Self-Redaction What truly sets **Gaslight** apart is its sophisticated evasion strategy. Operator configuration details, including the bot token and chat ID (`tg_room_id`), are not hard-coded but supplied at runtime. "The implant self-redacts its **Telegram** bot token in its own runtime output, denying it to anyone who captures logs or crash artifacts," Stokes elaborated. Beyond this, the malware actively attempts to evade AI-based detection. It incorporates a Markdown-fenced block containing 38 fabricated "system" messages. These messages are designed to mislead a security agent into aborting, truncating, or refusing analysis. "The scaffold contains fake system messages about token expiry, out-of-memory kills, disk exhaustion, and repeated operation failures. It also plants bogus warnings about injection vulnerabilities and static-analysis flags," **SentinelOne** explained. They describe this as an "attempt to weaponize the LLM-assisted triage pipelines that increasingly sit in the reverse-engineering loop." This development highlights a growing trend where threat actors are not only targeting systems but also the very tools designed to analyze their malicious activities, pushing the boundaries of cybersecurity defense.