Rust-based macOS implant uses fake system prompts to foil AI analysis
Gaslight hides a 3.5 KB prompt-injection payload inside a Rust macOS implant, using 38 fake system messages to make AI triage tools back off.

Apple’s XProtect update pushed researchers to a May 22 VirusTotal upload of Gaslight, a Rust-written macOS implant that packs 38 fake system messages into a 3.5 KB prompt-injection payload to trip up AI-assisted triage. At the time SentinelLABS dug into it, static engines on VirusTotal were still missing the sample, while Apple’s XProtect tagged it under MACOS_BONZAI_COBUCH.
That setup matters because Gaslight is not just another macOS backdoor with a different language choice. The Rust code is the least interesting part unless you are reversing it or tuning detections. The real trick is the operator-facing bait: the implant tries to make LLM-assisted analysis pipelines abort, refuse, or mis-handle the sample by presenting deceptive “system” prompts as if they were part of the model’s own instructions.

SentinelLABS tied Gaslight to North Korea-aligned activity and placed it in the BONZAI family, alongside a sibling AIRPIPE sample that Apple also catches with XProtect. The implant uses Telegram Bot API polling for command and control, and it leans on Telegram Conflict responses as an implicit single-instance lock when two copies start polling at once. In the interactive shell, researchers confirmed six commands: help, id, execvp, kill, upload, and stop. SentinelOne also saw signs of a possible seventh command named focus, though its purpose was unclear.
Persistence is blunt and practical. Gaslight drops a LaunchAgent named com.apple.system.services.activity, then uses it to survive reboots and user logins. It also carries a 6.6 KB Base64-encoded Python stealer that grabs Terminal history, installed apps, running processes, hardware and software inventory, macOS Keychain data, and browser data from Chrome, Brave, Firefox, and Safari. The loot is compressed into temp/collected_data.zip and sent out over Telegram.
The delivery chain shows the same kind of layered tradecraft. A separate 2 KB Base64-encoded bash installer drops the Python stealer and installs cpython-3.10.18 from astral-sh/python-build-standalone. SentinelOne said the Python code’s emojis and dense comment headers looked like they may have been generated with a large language model, which fits the same theme as the fake system prompts: attackers are now shaping malware to manipulate the tools analysts use, not just the sandboxes and endpoints themselves.
Gaslight slots into a longer run of DPRK-linked macOS activity that SentinelOne has tracked before, including RustBucket, KandyKorn, BONZAI, and AIRPIPE. The takeaway for defenders is plain: if your workflow feeds suspicious samples into an LLM, Gaslight is built to make that workflow lie to itself before a human ever sees the binary.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
Did this article answer your question?


