macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox
A sophisticated Rust-based macOS implant named macOS.Gaslight has been discovered, featuring a novel 3.5 KB prompt-injection payload containing 38 fabricated system messages designed to disrupt LLM-assisted malware analysis. The backdoor communicates via the Telegram Bot API with AES-GCM encrypted payloads over certificate-pinned TLS and includes self-redaction capabilities to hide its bot token from logs. It provides operators with an interactive shell, system information collection, and credential-stealing capabilities through a bundled Python script that targets browser data, keychains, and command histories. The implant uses runtime-fetched CPython interpreters and establishes persistence through a LaunchAgent masquerading as an Apple system service. This threat is assessed with high confidence to be aligned with DPRK activity and represents a significant evolution in adversarial techniques targeting security analysts rather than sandbox environments.
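The persistence described above (a LaunchAgent posing as an Apple service that launches a Python interpreter fetched at runtime) can be hunted for with plist checks. The following is an added example, not code from the pulse or the malware analysis; it assumes the common heuristic that genuine Apple agents live under /System/Library/LaunchAgents and that no third-party software legitimately uses the com.apple. label namespace, and the sample plist is constructed here rather than a real indicator.

```python
import plistlib
import xml.parsers.expat
from pathlib import PurePosixPath

# Assumption: Apple's own LaunchAgents reside here; a com.apple.* label in any
# other LaunchAgents directory is treated as masquerading.
APPLE_AGENT_DIR = "/System/Library/LaunchAgents"
# Assumption: interpreters under these prefixes are system- or admin-installed.
TRUSTED_PREFIXES = ("/usr/bin/", "/Library/", "/System/")


def suspicious_launch_agent(plist_bytes: bytes, path: str) -> list[str]:
    """Return the reasons a LaunchAgent plist resembles the persistence
    described for macOS.Gaslight; an empty list means nothing was flagged."""
    reasons: list[str] = []
    try:
        plist = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError):
        return ["unparseable plist"]
    label = str(plist.get("Label", ""))
    parent = str(PurePosixPath(path).parent)
    if label.startswith("com.apple.") and parent != APPLE_AGENT_DIR:
        reasons.append(f"Apple-namespace label {label!r} outside {APPLE_AGENT_DIR}")
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    # A Python interpreter at a user-writable path matches a runtime-fetched
    # CPython rather than the system or framework-installed interpreter.
    if "python" in program.lower() and not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"python interpreter at user-writable path {program!r}")
    return reasons


# Constructed sample plist mimicking the described technique; not a real IoC.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/.helper/bin/python3</string>
    <string>/Users/alice/Library/Application Support/.helper/main.py</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    sample_path = "/Users/alice/Library/LaunchAgents/com.apple.example.helper.plist"
    for reason in suspicious_launch_agent(SAMPLE_PLIST, sample_path):
        print("FLAG:", reason)
```

Run it over every plist in ~/Library/LaunchAgents and /Library/LaunchAgents to triage candidates; a flag is a lead for manual review, not a verdict.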
Pulse ID: 6a3b512d529a1b06d095af2b
Pulse Link: https://otx.alienvault.com/pulse/6a3b512d529a1b06d095af2b
Pulse Author: AlienVault
Created: 2026-06-24 03:38:21
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Browser #CyberSecurity #DPRK #ELF #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Python #RAT #Rust #TLS #Telegram #bot #AlienVault
