
North Korea macOS implant employs prompt injection to fool AI malware analysts

Category: malware | Status: open | Jun 24, 2026 — Jun 26, 2026

A newly discovered macOS backdoor linked to North Korean operators is using prompt injection to mislead AI‑driven malware analysts, according to research published by SentinelOne. The implant, dubbed macOS.Gaslight, attempts to trick automated analysis tools by feeding them false system messages.

The implant is written in Rust and presents analysts with thirty‑eight fabricated system messages that mimic legitimate macOS alerts. These false alerts are designed to sow doubt about the file's behaviour while the malware silently harvests data from popular browsers and terminal histories. Details of the technique were highlighted in a report by Security Affairs.

Beyond deception, the Rust backdoor includes capabilities such as encrypting stolen information, wiping its own traces and using Telegram's Bot API for covert command‑and‑control. It achieves persistence by creating launch agents whose names resemble Apple's own naming conventions, making detection harder for standard tools. This behaviour is part of a broader toolset that targets multiple platforms, as noted in coverage by Infosecurity Magazine.

First observed on 24 June 2026 and last seen on 26 June 2026, the malware has not been associated with any specific CVE identifiers. Although no individual threat actor has been named, the tactics, techniques and procedures point to North Korean cyber units known for experimenting with AI evasion. The campaign reflects a growing trend where adversaries target the analysis environment rather than just the victim system.

Defenders should treat every sample as potentially adversarial, verifying the legitimacy of any system messages that appear during analysis. Combining AI‑based scoring with manual review and static/dynamic behavioural checks can reduce the chance of being misled. Monitoring outbound connections to Telegram domains and blocking unknown Rust binaries helps catch the C2 channel.

Additionally, organisations should enforce application control policies that prevent execution of unsigned or unverified code, keep macOS installations up to date with the latest security patches and share indicators of compromise with trusted information‑sharing groups. Training analysts to recognise fabricated alerts and maintaining isolated sandbox environments further limits the impact of such deceptive implants.
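As an added illustration of the launch-agent check described above (example code written for this briefing, not SentinelOne's or the report's own tooling), the following Python triage routine flags launch agent plists whose label imitates the com.apple.* namespace while living outside Apple-owned directories, or whose program runs from a user-writable or hidden path. The Apple-owned directory list, user-writable prefixes and both sample plists are assumptions constructed for the example.

```python
"""Heuristic triage of macOS launch agent plists for Apple-lookalike persistence."""
import plistlib
from pathlib import Path, PurePosixPath

# Assumption: Apple installs its own com.apple.* agents/daemons only here.
APPLE_OWNED_DIRS = {"/System/Library/LaunchAgents", "/System/Library/LaunchDaemons"}
# Assumption: locations a non-root user can write to and launch code from.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/")


def assess_launch_agent(plist_path: str, plist_bytes: bytes) -> list[str]:
    """Return the reasons this plist looks like disguised persistence (empty = clean)."""
    reasons = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # malformed XML or binary plist
        return ["unparseable plist"]
    label = str(data.get("Label", ""))
    program = str(data.get("Program") or (data.get("ProgramArguments") or [""])[0])
    parent = str(PurePosixPath(plist_path).parent)
    # Apple-style label dropped into a user or third-party LaunchAgents directory.
    if label.startswith("com.apple.") and parent not in APPLE_OWNED_DIRS:
        reasons.append(f"Apple-style label {label!r} outside Apple-owned directory {parent}")
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"program {program!r} runs from a user-writable location")
    if any(part.startswith(".") for part in PurePosixPath(program).parts):
        reasons.append("program path contains a hidden (dot-prefixed) component")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunched automatically if killed")
    return reasons


def scan_dir(directory: str) -> dict[str, list[str]]:
    """Assess every *.plist in a directory; keys are paths with at least one finding."""
    results = {}
    for p in Path(directory).glob("*.plist"):
        findings = assess_launch_agent(str(p), p.read_bytes())
        if findings:
            results[str(p)] = findings
    return results


# Constructed sample plists (not real indicators from the report).
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",
    "ProgramArguments": ["/Users/alice/Library/.cache/.update", "--daemon"],
    "RunAtLoad": True, "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "Program": "/Applications/Backup.app/Contents/MacOS/backup",
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for path, blob in (("/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.helper.plist", SUSPICIOUS_PLIST),
                       ("/Library/LaunchAgents/com.example.backup.plist", BENIGN_PLIST)):
        print(path, "->", assess_launch_agent(path, blob) or "no findings")
```

Run `scan_dir` over `~/Library/LaunchAgents` and `/Library/LaunchAgents` on a host under investigation; findings are triage hints, not verdicts, so confirm the program's code signature and origin before acting.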

Intelligence briefing updated Jun 26, 2026

Root source: www.sentinelone.com