Gaslight macOS Malware Uses Prompt Injection to Evade AI Security Analysis

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A fresh piece of Mac malware has surfaced, and it comes with a twist that security teams have not seen before.

Written in Rust and tied to North Korean hacking groups, this malware does not just steal data quietly. It actively works to confuse the AI systems built to catch it.

Apple responded quickly. In early June, the company updated XProtect, its built-in malware detection feature, with a rule specifically targeting this new threat.

By June 30, twenty nine security vendors were already flagging the file as malicious on VirusTotal, though attackers can still tweak the code to slip past detection.

Researchers at Moonlock have been tracking this campaign closely, noting how it fits into a broader pattern of North Korean operations against Mac users.

These attackers typically pose as recruiters, game developers, or software testers to lure victims into downloading infected files.

SentinelOne said in a report shared with Cyber Security News (CSN) that it dubbed this malware Gaslight, attributing it to North Korean threat actors based on coding patterns and infrastructure choices.

Once installed, Gaslight can pull browser data from Chrome, Brave, Firefox, and Safari, grab terminal command histories, list installed apps, and copy the encrypted keychain file that stores Mac passwords.

It also functions as a backdoor, opening a channel for attackers to send commands or drop additional payloads onto infected machines.

Gaslight macOS Malware Uses Prompt Injection

What makes Gaslight stand out is not what it steals but how it hides. The malware contains thirty eight fabricated system messages embedded as plain text, designed to mimic the format AI security tools use during scanning.

Gaslight uses plain text to attempt to trick AI-automated security agents (Source – Moonlock)

These messages include phrases like “token logic seems flaky,” “connection timeout,” and simply “Crash.”

The goal is to convince an AI agent that something went wrong internally, prompting it to abandon its analysis before flagging the file as dangerous.

The AI systems themselves are not hacked or compromised in any technical sense. Instead, the malware exploits how these tools interpret text, a technique that was mostly theoretical until now.

Tools like SentinelOne Singularity, Claude Code, and CrowdStrike Falcon are increasingly used to automate Mac threat detection, especially in business settings, which makes this evasion method particularly concerning.

Inside Gaslight’s Technical Design

Despite weighing just 2.24 MB, Gaslight packs a lot into a small package. It uses Serde, a legitimate Rust framework, to load configuration data that controls how its various modules behave.

Buried inside is a 6.6 KB Python script, encoded in base64, that handles the actual data theft. A separate bash installer, about 2 KB in size, fetches and runs this script after being downloaded from the attackers’ servers.

Gaslight’s Python script stealer in action (Source – Moonlock)

For command and control, Gaslight relies on a Telegram bot, encrypted with AES-GCM and configured with a custom certificate to dodge standard network inspection.

The bot’s access token is self-redacted, making it harder for researchers to study its traffic, and the setup still works even behind enterprise proxy servers.

Interestingly, Gaslight does not appear to target cryptocurrency wallets, a departure from typical North Korean malware campaigns. This absence stands out given how consistently these groups have chased digital assets in the past.

Phishing remains the most common way these infections start, so users should be cautious about unexpected job offers, meeting software, or developer test files.

Running updated antimalware software with real time scanning can catch threats like Gaslight before they execute.

Enterprises relying on AI driven security agents should also consider pairing them with traditional detection methods, since text based evasion tactics can undermine automated triage alone.

As AI adoption in cybersecurity grows, attackers will likely keep probing these systems for similar weaknesses.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.