Cyber Security

The new Gaslight macOS Malware uses rapid injection to disrupt AI-assisted analysis

IRavie LakshmananJune 25, 2026AI Security / Malware

A previously undocumented Rust-based macOS installation and hacker was found to embed a quick payload injection designed to fool malware analyst’s artificial intelligence (AI) tools and trick them into aborting or rejecting artifact analysis.

The malware is codenamed The Gaslight because of this deceptive behavior. It has been assessed with high confidence that this tool is the work of terrorist actors aligned with North Korea.

“Its most notable feature is an embedded series of fictitious system failure messages, designed to make the triage agent assisting the LLM question its timing,” SentinelOne researcher Phil Stokes said in a technical report. “It attacks the agent’s perspective, there’s a sandbox it goes into.”

Central to the malware’s design is the Telegram bot API’s command-control (C2) channel that enters the polling loop, allowing the operator to issue commands through an interactive shell and return operational results. In the event that two instances of the same bot token poll at the same time, a “Conflict” response is issued, causing the second copy to expire.

The shell supports six main commands, providing a persistent environment over the infected host –

  • help, to show command help
  • id, to identify the stamp to the operator
  • shell, to execute a shell command with execvp
  • kill, to terminate the target process by PID
  • upload, to extract the file with Telegram’s “attach://” method.
  • to stop, stop the transplant

SentinelOne said it has identified signs that suggest the existence of a seventh command called “focus,” although its functionality remains undetermined at this time. To achieve persistence, Gaslight uses a LaunchAgent that uses the “com.apple.system.services.activity” label in its .plist file.

Also embedded within the malware is a 6.6 KB Base64-encoded Python script that serves as a collection tool responsible for harvesting Terminal command history, listings of installed applications, snapshots of running processes, system hardware and software profiles, the macOS Keychain database, and data from the Chrome, Brave, Firefox, and Safari web browsers. The collected data is later compressed into a ZIP archive (“temp/collected_data.zip”) and uploaded via Telegram.

The Python compiler, on the other hand, is implemented using a 2 KB Base64 encoded bash installer that dumps the cpython-3.10.18 interpreter from the “astral-sh/python-build-standalone” project. The presence of emojis and broad comment titles indicates that they may have been generated using a large language model (LLM).

What’s notable about Gaslight is that the information related to the bot token, chat ID (tg_room_id), and all user settings are not hard-coded in the sample, but instead are provided at runtime. “The implant generates its own Telegram bot token at runtime, denying it to anyone capturing logs or crashing artifacts,” Stokes said.

In addition, the malware attempts to evade AI-based detection by inserting a Markdown block containing 38 fictitious “system” messages designed to trick a security agent into aborting, minimizing, or rejecting analysis.

“The scaffold contains false system messages about token expiration, execution out of memory, disk exhaustion, and repeated performance failures. We also plant fake warnings about injection vulnerabilities and static analysis flags,” SentinelOne said, calling it “an attempt to arm LLM-assisted reverse engine pipelines.”

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button