Gaslight macOS Malware: The Rust Implant That Tricks AI

Content Summary

Gaslight macOS malware does not attack your system the way most malware does. It attacks the analyst trying to reverse-engineer it. That single distinction makes this North Korea-linked implant one of the most tactically interesting pieces of macOS malware documented in 2026.

SentinelOne researcher Phil Stokes published the technical breakdown on June 23, 2026, and the finding turned heads fast. Not because the data theft was exotic, and not because Telegram-based command and control is new. What made people stop scrolling was this: the malware contains a cascade of 38 fabricated system-failure messages specifically designed to make an AI-assisted triage tool believe its own analysis session is broken. Before a human analyst even opens the binary, the malware has already tried to poison the AI assistant sitting in the reverse-engineering loop.

That is the defining behavior. That is why SentinelOne named it Gaslight.

What is Gaslight Malware and Who is Behind It

Gaslight is a macOS implant and infostealer written in Rust. Its most notable feature is an embedded cascade of fabricated system-failure messages, designed to make an LLM-assisted triage agent doubt its own session.

The malware has been assessed with high confidence as the work of North Korea-aligned threat actors. It attacks the analyst's perception, rather than the sandbox it runs in.

Apple's built-in XProtect detects the sample under the signature rule MACOS_BONZAI_COBUCH, and SentinelOne associates the BONZAI signature family with North Korean threat activity. A sibling BONZAI sample was also flagged by Apple's AIRPIPE rule, further reinforcing the connection to North Korean threat activity.

North Korea's DPRK-aligned threat actors have been targeting macOS systems consistently since at least 2023. You can trace a clear line from RustBucket in 2023, to KandyKorn targeting blockchain engineers, to ObjCShellz, and now to Gaslight. SentinelOne attributed prior campaigns with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor, and TodoSwift.

Why macOS? Because macOS dominates the crypto, Web3, and DeFi development world, and those communities are the primary financial targets for North Korean state-sponsored hackers. macOS users have historically been under-protected compared to enterprise Windows environments, and endpoint security tooling for Apple systems has only recently started catching up.

Why Rust? Because Rust binaries are harder for legacy antivirus scanners to classify. The Rust standard library produces unfamiliar signatures. Memory management in Rust leaves fewer crash artifacts. Binary stripping is cleaner. And cross-compilation is far easier, which matters when you are a threat actor building for both Intel and Apple Silicon Macs.

The Architecture: Three Layers Inside One Binary

One of the smartest things about Gaslight is how much it packs into a single persistent Rust binary. It is not a dropper that downloads a second stage from some sketchy domain. Everything it needs is embedded.

The architecture has three distinct layers working together.

Layer 1 is the Rust core implant. This handles command and control, the Telegram polling loop, shell command execution, and the overall orchestration of the implant. This is the persistent piece that survives reboots.

Layer 2 is a 6.6 KB Base64-encoded Python script. This functions as an information gathering suite responsible for harvesting Terminal command histories, installed application listings, snapshots of running processes, system hardware and software profile, macOS Keychain database, and data from Chrome, Brave, Firefox, and Safari web browsers.

Layer 3 is a 2 KB Base64-encoded bash installer. This is deployed by means of a separate 2 KB Base64-encoded bash installer that drops a cpython-3.10.18 interpreter from the astral-sh/python-build-standalone project.

That last detail matters a lot. By shipping its own standalone Python interpreter, Gaslight does not care whether the victim has Python installed or what version they are running. The stealer will execute regardless.

Runtime Configuration, No Hardcoded Secrets

Here is something that makes detection harder. The Telegram bot token, chat ID, and all operator-side configuration are not baked into the binary. They are supplied at runtime. Static analysis of the binary alone will not hand you the C2 credentials.

It goes further than that. The implant self-redacts its Telegram bot token in its own runtime output, actively denying it to anyone who captures logs or crash artifacts. The operator can rotate the token without recompiling anything. That is a deliberate OPSEC decision that shows a mature, professional threat actor.

Telegram C2: Why It Works So Well

Central to the malware's architecture is a Telegram Bot API based command-and-control channel that enters into a polling loop, allowing the operator to issue instructions over an interactive shell and return the results of the execution.

Think about it from the threat actor's perspective. Telegram bot API traffic goes over HTTPS. It blends perfectly with legitimate TLS traffic at the network level. Blocking api.telegram.org would break Telegram for every employee at the target organization. There is no custom attacker infrastructure to burn, no C2 domain to register, no server to spin up and expose. The entire relay runs on Telegram's own servers.

To secure transit, all payloads are encrypted with AES-GCM, and the malware employs custom certificate pinning to prevent network-level inspection. It also honors host proxy settings, ensuring the malicious connection remains active even in tightly managed enterprise environments.

The Six Commands the Operator Has

There is also a seventh. SentinelOne identified signs suggesting the presence of a seventh command named "focus," although its functionality remains undetermined at this stage. Researchers have speculated it could involve screen capture, webcam activation, or targeting a specific application window. We do not know yet.

Anti-Duplication Built In

In the event two instances of the same bot token poll simultaneously, a "Conflict" response is issued, causing the second copy to terminate. This is a clean, simple way to enforce single-instance operation without any complex process-locking logic.

File exfiltration works through Telegram's attach:// URI scheme. Stolen data goes out as a Telegram bot file upload. No FTP, no HTTP POST to attacker infrastructure, no separate channel. Everything flows through Telegram.

LaunchAgent Persistence: Hiding in Plain Sight

The implant uses a LaunchAgent with the label com.apple.system.services.activity. Masquerading within Apple's com.apple.* namespace is a tactic widely used in many macOS malware families, including those previously tied to DPRK-linked activities.

For anyone who has done macOS incident response, you know how many LaunchAgent plists exist on a typical Mac. Hundreds. Most of them genuinely start with com.apple. So when you see com.apple.system.services.activity in a list, the instinct is to scroll past it.

That instinct is exactly what this malware is counting on.

In order to write a valid absolute path to itself into the plist's ProgramArguments array, the implant resolves its own executable location at runtime via __NSGetExecutablePath.

From a detection standpoint, the way to catch this is to look for LaunchAgent labels that start with com.apple. but do not correspond to any real Apple service. A quick launchctl list in the terminal, piped through grep and cross-referenced against Apple's known service names, will surface suspicious entries fast.

This connects directly to your endpoint security posture. If your endpoint protection does not watch LaunchAgent directories for new plist writes and validate labels against a whitelist of legitimate Apple services, you have a blind spot.

The Python Stealer: What Gets Stolen

The Python stealer is the operational payload, the part that actually does the intelligence collection. And the collection scope is broad.

Terminal command history from both .bash_history and .zsh_history. This reveals every command the user has run, servers they have accessed, tools they have used, credentials they may have typed in plaintext at the prompt.

Installed applications listing. This tells the operator what security tools, development tools, and business applications are on the machine.

Running process snapshot. A picture of every process active at the moment of infection. This surfaces EDR agents, antivirus tools, monitoring software, and anything the operator might need to work around.

System hardware and software profile. OS version, hardware model, serial number, network interfaces. Full fingerprint of the target machine.

macOS Keychain database. This is the crown jewel. The Keychain stores saved passwords, Wi-Fi credentials, certificates, private keys, and application secrets. Stealing the Keychain database is mapped to MITRE ATT&CK T1555.001 and represents potentially years of accumulated credentials in a single file.

Browser data from Chrome, Brave, Firefox, and Safari. Cookies, saved passwords, browsing history, and potentially active session tokens.

This is worth pausing on. Chrome and Brave encrypt their saved passwords using the macOS login keychain key. So stealing the Keychain database is not just about Keychain passwords in isolation. It can also unlock the decryption of Chrome and Brave credential stores. One theft unlocks two.

The collected data is subsequently compressed into a ZIP archive at temp/collected_data.zip and uploaded via Telegram.

LLM-Generated Code Inside the Stealer

The deployment scripts use widespread emoji and include strict comment headers, strongly suggesting they were generated by artificial intelligence. SentinelOne assessed this as likely produced with an LLM coding tool. ChatGPT, Claude, Copilot, some AI assistant wrote the data collection logic.

This is a trend that matters. North Korean operators are using AI coding tools to accelerate malware development. The barrier to writing functional, well-structured malicious code just got lower. And the irony is sharp: AI-generated malware designed to fool AI analysis tools.

The Prompt Injection Payload: Attacking the Analyst's AI

This is the part that makes Gaslight genuinely novel. Everything else, the Rust implant, the Telegram C2, the LaunchAgent persistence, the Python stealer, all of it has appeared in prior DPRK macOS campaigns in some form. The prompt injection payload is new.

How AI-Assisted Malware Triage Works

Many security operations teams now feed malware samples, or strings extracted from them, into LLM-powered tools. AI-assisted plugins for Ghidra and Binary Ninja, automated sandbox report summarizers, LLM-based IOC extractors. These tools process the content of the binary and surface insights to the human analyst. They are genuinely useful and increasingly common.

Gaslight treats that pipeline as an attack surface.

What the Payload Contains

The binary contains a Markdown-fenced block of 38 fabricated system messages delimited by specific data tokens. This scaffold mimics the prompt structure of a typical LLM triage harness, blurring the boundary between trusted instructions and untrusted sample data.

The scaffold contains fake system messages about token expiry, out-of-memory kills, disk exhaustion, and repeated operation failures. It also plants bogus warnings about injection vulnerabilities and static-analysis flags.

The goal is to make the AI triage tool believe its own session is failing. When the AI encounters a message that looks like a system-level signal saying "token limit reached, aborting" or "out of memory, session terminated," it may do exactly what the message says. It aborts. It truncates its output. It tells the analyst there was a tool failure.

The analyst sees an error. They retry. They get the same result. They deprioritize the sample or escalate as a tooling issue. The malware was never properly analyzed.

Why 38 Messages

A single fake error might be dismissed by a well-designed AI triage system. 38 messages spanning multiple failure categories, resource exhaustion, security flags, operational failures, creates a convincing illusion of systemic breakdown. The volume and variety are the mechanism.

Phil Stokes of SentinelOne put it plainly: the malware attacks the agent's perception, rather than the sandbox it runs in. That framing is accurate and important. Prior sandbox evasion techniques targeted the execution environment. This targets the analyst's cognitive tool.

Prior Work in This Space

Check Point first documented this kind of analyst-targeting prompt injection publicly in 2025, describing a Windows proof-of-concept that used a single direct-instruction prompt injection to evade AI-based detection. Socket has since documented a Hades supply-chain payload whose stealer opens with a fake prompt-injection header to pollute AI-assisted analysis, while the leaked Shai-Hulud code carried an "Anthropic Magic String" intended to stop Claude Code from analyzing it. Each relied on a single injected block or header rather than the 38-message harness-spoofing cascade seen here.

Gaslight is not the first but it is the most sophisticated implementation of this technique to date.

What Defenders Building AI Triage Tools Should Do

The mitigation is architectural. AI triage pipelines need to treat the content of analyzed artifacts as adversarial input. The binary's strings should never appear in the system prompt or be treated as system-role messages. The model context needs to maintain a hard distinction between instructions from the analyst and content extracted from the sample.

Anyone building such tooling should treat the contents of the samples they triage as adversarial input, never as instructions, and be prepared to keep hostile content out of the model entirely.

If you are using AI-driven red teaming or automated analysis platforms, this is a concrete architecture question to ask your vendor right now.

MITRE ATT&CK Mapping

How to Hunt for Gaslight on macOS

If you are a threat hunter or incident responder, here is where to look.

File System Indicators

Start with LaunchAgent plist files. Run this in the terminal:

launchctl list | grep -v com.apple

Then manually inspect ~/Library/LaunchAgents/ for any plist using the label com.apple.system.services.activity. That label is not a real Apple service. Its presence is a strong indicator of compromise.

Look for a cpython-3.10.18 binary in unexpected locations. This is not a system Python. It should not exist in /tmp/, ~/Library/, or user home subdirectories on a standard Mac.

Check for ZIP archives named collected_data.zip or similar staging files in temp directories. These are post-collection artifacts that may persist briefly before exfiltration.

Network Indicators

Watch for outbound HTTPS connections to api.telegram.org originating from processes that are not Telegram Desktop or a recognized messaging application. The polling behavior produces a recognizable pattern: repeated getUpdates calls at a regular interval.

Unusual frequency of Telegram API calls from a non-browser process is a high-fidelity detection signal.

Behavioral Detection

A Python interpreter, especially a non-system cpython binary, simultaneously reading Keychain files, browser profile directories, and Terminal history files should trigger an alert. That access pattern does not occur in legitimate software.

ZIP archive creation in temp directories followed immediately by outbound Telegram API traffic is another strong behavioral indicator.

Your vulnerability management program should include macOS LaunchAgent auditing as a baseline check. Your attack surface management coverage needs to include macOS endpoints, especially developer workstations in crypto and fintech environments.

For teams running extended detection and response (XDR), creating a detection rule for cpython processes touching Keychain and browser directories simultaneously will help surface this behavior pattern if it reappears in future variants.

North Korea's macOS Malware Evolution: The Bigger Picture

Gaslight does not come out of nowhere. It is the latest step in a consistent evolution.

In April 2023, researchers detailed an APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices. In May 2023, ESET researchers discovered a second RustBucket variant. In November 2023, Elastic reported on another DPRK campaign targeting blockchain engineers of a crypto exchange platform with KandyKorn malware.

North Korea has invested serious time and effort into compromising Apple's desktop operating system. Its operations in macOS environments include both espionage and financial gain.

The pattern is consistent: Rust for the persistent implant, Python for data collection, Telegram or similar consumer API for C2. What changes each time is the evasion layer. RustBucket brought LaunchAgent persistence. KandyKorn targeted blockchain engineers specifically. Gaslight adds AI triage evasion as a new capability on top of the existing playbook.

The use of LLM-generated code in the Python stealer is also worth watching. It suggests DPRK operators have integrated AI coding tools into their malware development workflow. This lowers the skill floor for writing capable malicious code and will likely appear across more samples going forward.

Protecting the specific environments DPRK actors target, meaning crypto developer workstations, DeFi company endpoints, and Web3 infrastructure, requires cyber threat intelligence that tracks this actor cluster specifically, not just generic threat feeds.

For organizations in these sectors, dark web monitoring is also relevant since stolen Keychain credentials and session tokens often surface on dark web markets within days of collection.

Why macOS Users in Crypto and DeFi Are the Primary Target

It is worth being direct about this. If you work in cryptocurrency, DeFi, blockchain development, Web3 infrastructure, or a related fintech company and you use a Mac, you are in the primary target population for this threat actor.

North Korean cyber actors have engaged in a series of campaigns against crypto-related industries involving extensive grooming of targets via social media.

The FBI began warning that North Korea was conducting highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance, cryptocurrency, and similar businesses to deploy malware and steal company cryptocurrency.

The goal is financial. North Korea uses cryptocurrency theft to fund state programs, and macOS is simply where the most valuable targets work. The Keychain theft matters enormously in this context because crypto wallets, exchange API keys, and authentication certificates are frequently stored there.

If your organization operates in this space, your mobile security and endpoint coverage needs to be matched by proactive penetration testing of your macOS environment. Knowing what an attacker can reach if they land on a developer Mac is essential context for prioritizing defenses.

Web3 security auditing of your smart contracts and blockchain infrastructure matters, but do not forget the human-layer risk. A single compromised developer Mac with a stolen Keychain could expose more than any smart contract vulnerability.

What Security Teams Should Do Right Now

This section is practical. Here is what to prioritize.

If you manage macOS endpoints in your organization, audit LaunchAgent directories across your fleet. Look for any label using com.apple.system.services.activity and any other label mimicking Apple's naming convention but not appearing in Apple's documented service list.

If your team uses AI-assisted malware analysis tools, talk to your tool vendor about how they handle adversarial content in analyzed artifacts. Ask specifically whether sample content can appear in the system prompt or be treated as system-role instructions. If the answer is yes or unclear, that is a gap to address.

Review your network monitoring for Telegram API polling patterns from non-Telegram processes. This is a detection capability worth adding regardless of whether you see Gaslight specifically, because Telegram-based C2 is a pattern used across multiple threat actor families.

For teams doing digital forensic investigation work or incident response on macOS incidents, the combination of cpython in unusual paths plus Keychain access plus Telegram API traffic is a high-confidence indicator cluster worth building into your playbooks.

Organizations that want help understanding whether their current controls would catch a threat like Gaslight should consider an AI-driven red team exercise focused specifically on macOS endpoints and supply chain entry points. Knowing your detection gaps before an attacker exploits them is the whole point of proactive security.

Your virtual CISO or security leadership team should also factor the DPRK macOS threat pattern into their threat model, particularly if the organization operates in or adjacent to the crypto and DeFi space.

Frequently Asked Questions

What is Gaslight malware?

Gaslight is a Rust-based macOS backdoor and information stealer attributed with high confidence to North Korea-aligned threat actors. First documented by SentinelOne researcher Phil Stokes on June 23, 2026, its defining feature is an embedded prompt injection payload targeting AI-assisted malware analysis tools. It also steals macOS Keychain credentials, browser data, and system information, and uses Telegram as its command and control channel.

How does Gaslight avoid detection?

Through four main mechanisms. First, runtime-supplied configuration means no hardcoded C2 credentials exist for static analysis to find. Second, it self-redacts its Telegram bot token from any logs or crash output. Third, its LaunchAgent persistence uses a label that mimics a legitimate Apple system service. Fourth, and most unusually, it embeds 38 fabricated system-failure messages to cause AI triage tools to abort analysis of the binary.

What data does Gaslight steal from macOS?

Terminal command histories from bash and zsh, installed application listings, running process snapshots, full system hardware and software profile, the macOS Keychain database including saved passwords and certificates, and credential and cookie data from Chrome, Brave, Firefox, and Safari.

What is prompt injection in the context of malware analysis?

In this context, prompt injection refers to text embedded in the malware binary that, when processed by an AI-assisted analysis tool, manipulates the AI into abandoning its analysis by simulating fake system-level failures. The AI is tricked into believing its own session crashed or hit resource limits, rather than recognizing it is being deceived by adversarial content in the sample.

How does Gaslight communicate with attackers?

Through the Telegram Bot API using a continuous polling loop. The operator sends commands to the malware via Telegram. Results and stolen files are returned through the same channel using Telegram's file upload mechanism.

How do I detect Gaslight on a macOS system?

Look for a LaunchAgent plist labeled com.apple.system.services.activity, which is not a real Apple service. Check for unusual cpython interpreter binaries in non-standard paths like /tmp/ or ~/Library/. Monitor for outbound connections to api.telegram.org from processes that are not Telegram Desktop. Look for ZIP archives named collected_data.zip in temp directories.

Is Gaslight related to previous North Korean macOS malware?

Yes. It shares the Rust implant plus Python stealer architecture with prior DPRK macOS campaigns including RustBucket and KandyKorn, suggesting the same threat actor cluster. The distinguishing innovation is the AI prompt injection evasion layer, which has not appeared in prior DPRK macOS samples.

What is the unknown "focus" command in Gaslight?

A seventh command was detected in the binary but its functionality had not been confirmed at the time of SentinelOne's initial report. Researchers have suggested possibilities including screen capture, webcam activation, or targeted keylogging of a specific application, but none of these have been confirmed with forensic evidence yet.

Should macOS users in finance and crypto be worried?

Yes, specifically. North Korean threat actors have consistently targeted macOS users working in cryptocurrency, DeFi, blockchain development, and related fintech. The combination of high-value credentials stored in macOS Keychain and the generally less-mature endpoint security culture in these communities makes them high-priority targets.

Key Takeaways

Gaslight represents a meaningful evolution in DPRK macOS tradecraft. The Rust plus Python architecture is familiar. The Telegram C2 has precedent. What is genuinely new is the AI analyst targeting.

As AI-assisted triage becomes a standard part of the security operations workflow, malware authors will increasingly treat those tools as attack surfaces. Gaslight is the most sophisticated example of that trend to date, using 38 fabricated failure messages to create a convincing illusion of systemic tool breakdown.

For defenders, the lesson is architectural. AI analysis pipelines need to treat sample content as adversarial. Endpoint security on macOS needs to cover LaunchAgent directories and cpython anomalies. Network monitoring needs to watch for Telegram API polling from non-messaging processes.

For organizations in the crypto, DeFi, and Web3 space, this threat is not theoretical. North Korea is actively targeting your industry, your platforms, and your macOS developer workstations. The credentials in your Keychain are the target.

References

1. SentinelOne Labs: macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox
2. The Hacker News: New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis
3. Infosecurity Magazine: macOS Backdoor Uses Prompt Injection to Evade AI Triage
4. SentinelOne Labs: BlueNoroff Hidden Risk