Gaslight macOS Malware Uses Prompt Injection to Evade AI Security Analysis

Related

NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off

What happened A joint operation involving Google, the FBI, Lumen...

JadePuffer Ransomware Used AI Agent to Automate Entire Attack

What happened Researchers from Sysdig identified what they believe is...

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

What happened A newly discovered cyberattack campaign is delivering a...

New macOS Malware Uses Fake Errors to Confuse AI Analysis Tools

What happened A newly discovered macOS malware family named Gaslight...

Share

What happened

Moonlock researchers reported a new Rust-based macOS malware called Gaslight that is tied to North Korean threat actors. The malware targets Mac users through familiar social-engineering routes, including fake recruiter outreach, game developer lures, software testing requests, and unexpected files that persuade victims to install infected payloads.

Once installed, Gaslight can steal browser data from Chrome, Brave, Firefox, and Safari, collect terminal command histories, list installed applications, and copy the encrypted Keychain file that stores Mac passwords. It also works as a backdoor, allowing attackers to send commands or deliver additional payloads to the infected machine.

What makes Gaslight notable is its use of prompt-injection-style evasion. The malware contains 38 fabricated system messages written in plain text that are designed to look like internal error messages used by AI security tools during analysis. The goal is to confuse AI-driven security agents into thinking something went wrong internally and stop analysis before flagging the file as malicious.

Apple updated XProtect in early June with a rule targeting the malware, and by June 30, 29 security vendors were detecting the file as malicious on VirusTotal. Gaslight also uses a base64-encoded Python stealer, a bash installer, Telegram-based command and control, AES-GCM encryption, a custom certificate, and self-redacted bot token behavior to complicate analysis and network inspection.

Who is affected

macOS users are directly affected if they receive and run malicious files tied to fake job offers, meeting software, developer testing tasks, or other social-engineering lures.

Developers, security professionals, cryptocurrency users, and business users may face higher risk because North Korean campaigns often target people with access to credentials, code, sensitive projects, or financial infrastructure.

Organizations using AI-assisted security analysis tools are also affected by the broader technique. Gaslight does not technically hack those tools, but it attempts to manipulate how AI-driven agents interpret text during malware review.

Why CISOs should care

Gaslight shows how attackers are adapting to AI-assisted security workflows. As SOCs and endpoint vendors use AI agents to triage files and automate analysis, malware authors are beginning to test whether embedded text can influence or interrupt those systems.

For CISOs, the prompt-injection angle is the main lesson. Even if the malware’s core theft capabilities are familiar, the attempt to evade AI analysis through fabricated system-like messages signals where attacker tradecraft is heading.

The macOS focus also matters. Many organizations still treat Macs as lower-risk endpoints, but Gaslight can steal browser data, terminal history, application lists, and Keychain material while also providing backdoor access.

The campaign reinforces the need to pair AI-driven detection with traditional controls. Automated triage is useful, but it should not become a single point of failure when attackers can embed deceptive instructions or fake internal messages inside malware.

3 practical actions

  1. Review macOS malware controls and XProtect coverage: Apple added XProtect detection for Gaslight in early June. CISOs should ensure Macs receive security updates, run real-time protection, and are monitored like other enterprise endpoints.
  2. Train users on North Korean social-engineering lures: Gaslight fits a broader pattern of fake recruiter, software tester, and developer-focused lures. Security awareness should specifically cover unexpected job offers, meeting tools, testing files, and collaboration requests.
  3. Validate AI-assisted security workflows: Organizations using AI-driven malware triage should test whether embedded prompt-injection text can interrupt analysis, suppress alerts, or alter summaries. AI tools should be paired with behavioral detection, sandboxing, and human review for suspicious files.

More cybersecurity news:

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.