macOS.Gaslight: Rust-Based DPRK Implant Uses Prompt Injection to Sabotage AI Triage Tools
SentinelLABS has uncovered macOS.Gaslight, a Rust-based macOS implant linked to North Korean threat actors that uses a 3.5 KB prompt-injection payload to feed fabricated system messages to LLM-assisted triage tools, causing them to abort analysis.
SentinelLABS has detailed a previously undocumented Rust-based macOS implant and infostealer, dubbed macOS.Gaslight, which it attributes with high confidence to North Korean threat actors. While the implant carries standard credential-theft machinery, its standout feature is a 3.5 KB prompt-injection payload designed to derail the LLM-assisted triage tools increasingly used in reverse-engineering workflows.
The payload consists of a Markdown-fenced block of 38 fabricated "system" messages delimited with the same {{DATA}} tokens that mimic an LLM triage harness's own prompt scaffold, blurring the line between sample data and trusted instructions. These messages feed the agent with fake token-expiry notices, out-of-memory kills, disk-exhaustion warnings, and bogus static-analysis flags. The aim is to make the AI reviewer doubt its own session and abort, truncate, or refuse its work.
Underneath the injection, macOS.Gaslight relies on established macOS tradecraft. It maintains command and control through a Telegram Bot API polling loop, encrypts payloads with AES-GCM over certificate-pinned TLS to frustrate network inspection, and gives operators an interactive shell that can run commands, kill processes, and exfiltrate files. The implant also self-redacts its Telegram bot token at runtime, so the credential never surfaces in logs or crash artifacts, denying defenders an easy detection lead.
SentinelLABS researchers note that earlier analyst-targeting LLM injections relied on a single injected block or header. Gaslight appears to be the first to use a cascade of fabricated failure messages to derail the analysis itself. As AI-assisted analysis becomes routine, the researchers warn that defenders should treat everything inside a sample as hostile input, never as instructions, and keep it out of the model entirely.
The discovery comes amid a broader trend of threat actors adapting to AI-driven defenses. The use of prompt injection to target analysis tools represents a new frontier in adversarial machine learning, where attackers aim to blind defenders' automated systems rather than simply evade signature-based detection.
macOS.Gaslight underscores the growing sophistication of North Korean cyber operations, which have increasingly targeted macOS users with custom implants. Organizations using LLM-assisted reverse engineering should review their pipelines to ensure sample data is sanitized before reaching AI models.