New macOS Malware 'Gaslight' Uses Fake Errors to Poison AI Analysis Tools
A new macOS malware variant named Gaslight embeds prompt injection strings and fake debugging data to confuse LLM-based analysis tools into misclassifying the sample as benign.
A newly discovered macOS malware variant dubbed 'Gaslight' is designed to confuse AI-assisted malware analysis tools by hiding prompt injection strings and fake debugging data within the executable. Discovered by SentinelOne researchers, the malware is attributed with high confidence to a North Korean-linked threat actor. The technique represents a novel evolution in anti-analysis methods, targeting the AI systems increasingly used by security teams to automate threat detection.
The malware itself is a Rust binary with backdoor and information-stealing functionality commonly seen in similar malware. What makes it stand out is a 3.5 KB payload containing 38 fake 'system' messages embedded directly within the binary. These messages pretend to be developer logs, crash reports, debugging output, and program alerts, using Markdown formatting and template-style placeholders to appear like legitimate analysis data.
Examples of the embedded 'error' strings include fabricated memory dumps, token-expiration warnings, Redis connection failures, build-pipeline errors, SQL injection alerts, and other messages unrelated to the malware's actual behavior. According to SentinelOne, the goal of these fake errors is not to evade execution inside a sandbox, but to confuse AI systems that read the strings during automated analysis. 'Its most notable feature is an embedded cascade of fabricated system-failure messages, designed to make an LLM-assisted triage agent doubt its own session,' explains SentinelOne. 'It attacks the agent's perception, rather than the sandbox it runs in. Accordingly, we dub this family macOS.Gaslight.'
SentinelOne says these strings are prompt injection content designed to make an LLM-assisted analysis pipeline question the validity of its own session or refuse to continue analyzing the sample. 'The scaffold contains fake system messages about token expiry, out-of-memory kills, disk exhaustion, and repeated operation failures,' continue the researchers. 'It also plants bogus warnings about injection vulnerabilities and static-analysis flags. The aim is to push an LLM agent into aborting, truncating, or refusing analysis.'
While SentinelOne did not demonstrate the technique could successfully bypass AI malware analysis platforms, the findings suggest threat actors are experimenting with anti-analysis methods designed specifically to bypass AI-assisted security platforms. The technique mirrors a broader trend of adversaries crafting samples to poison automated threat intelligence pipelines, as AI-driven malware analysis becomes more common.
The discovery of Gaslight highlights the growing arms race between security AI and adversarial machine learning. As LLMs are increasingly used for triage, reverse engineering, and threat hunting, attackers are developing countermeasures that exploit the very weaknesses of these models—such as their susceptibility to prompt injection and their inability to distinguish genuine errors from fabricated ones. Security teams relying on AI-assisted analysis must now consider that their tools can be manipulated by carefully crafted malware, potentially leading to missed detections and delayed responses.