Analyzing macOS.Gaslight: A Sophisticated Rust-Based Implant Targeting Analyst Workflows

Threat researchers have identified a sophisticated new macOS implant, tracked as macOS.Gaslight. Built using the Rust programming language, this malware functions as both a persistent backdoor and an information stealer. What sets Gaslight apart from standard espionage tools is its highly specialized feature set: a hardened Telegram-based Command-and-Control (C2) architecture and a novel “adversarial” prompt injection payload designed to deceive security analysts using LLM-assisted triage tools.

Based on technical telemetry, we assess with high confidence that macOS.Gaslight is part of a broader cluster of macOS-targeted activity linked to DPRK-sponsored threat actors, showing significant overlaps with known BONZAI and AIRPIPE signatures.

The binary is ad hoc signed and carries the unique identifier: endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea. While initial static analysis engines failed to flag the sample, Apple’s XProtect eventually flagged a Mach-O sample uploaded to VirusTotal in late May 2024.

Hardened C2 and Operational Hygiene

The implant utilizes the Telegram Bot API for its C2 channel, specifically employing the getUpdates method to poll for operator instructions via an interactive shell. To ensure stealth and facilitate exfiltration, the malware uses Telegram’s multipart attach:// functionality.

The developers have implemented several layers of operational security (OPSEC) to protect their infrastructure:

• Token Self-Redaction: To prevent the recovery of the Telegram bot token from logs or crash artifacts, the binary monitors its own runtime output. If a URL path segment matches the literal “file,” the implant replaces the sensitive token with a hardcoded placeholder.
• Transport Encryption: The C2 channel is hardened using AES-GCM encryption (via a Rust crate). Each message utilizes a unique nonce generated through CCRandomGenerateBytes, with the AES key injected at runtime via configuration.
• Certificate Pinning: To defeat Man-in-the-Middle (MitM) inspection via proxy CAs, the implant uses SecTrustSetAnchorCertificatesOnly. This restricts TLS validation exclusively to the operator’s specific certificate, effectively blinding network security appliances.

Persistence and System Masquerading

For persistence, macOS.Gaslight employs a classic LaunchAgent masquerade. It writes a property list (plist) file labeled com.apple.system.services.activity. To maintain the illusion of legitimacy, the implant uses __NSGetExecutablePath at runtime to dynamically populate the ProgramArguments, ensuring the service points to the correct malicious path. This use of the com.apple.* namespace is a hallmark of DPRK-linked malware families.

Furthermore, the implant ensures it remains active by calling IOPMAssertionCreateWithName, which prevents the macOS system from entering sleep mode and interrupts long-running collection or polling tasks.

Modular Data Exfiltration Strategy

The implant follows a modular “staged” execution model to keep the primary Rust binary small while maintaining high capability.

The Rust core contains a 6.6 KB base64-encoded Python module. When triggered, it deploys a ~2 KB bash installer that fetches a standalone Python interpreter (from the astral-sh/python-build-standalone project). This allows the malware to execute a rich Python-based stealer without needing to bundle a massive runtime into the initial implant.

The Python stealer targets:

• Browser data from Chrome, Brave, Firefox, and Safari.
• Terminal command histories and installed application lists.
• System snapshots via system_profiler and running process lists.
• A raw copy of the login.keychain-db.

Targeting the Analyst: Adversarial Prompt Injection

The most significant innovation in macOS.Gaslight is its 3.5 KB embedded prompt-injection payload. As detailed by SentinelLABS, the payload consists of 38 fabricated “system” messages wrapped in Markdown fences and {{DATA}} markers.

Unlike traditional prompt injections that target a chatbot, this payload is designed to target security analysts. By mimicking the prompt scaffolding used by LLM-assisted triage and automated analysis pipelines, the implant attempts to inject fake errors, false token-expiry warnings, and fabricated static-analysis flags. The goal is to manipulate the AI agent into aborting the analysis, refusing to process the file, or misprioritizing the threat, thereby allowing the malware to bypass automated SOC workflows.

Indicators of Compromise (IoCs)