MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
Summary
Researchers identified macOS.Gaslight, a North Korea-linked Rust infostealer-backdoor that can steal Chrome, Brave, Firefox and Safari data, terminal histories, installed-app lists and the macOS login keychain. The sample also offers an interactive shell and routes command traffic through Telegram's Bot API, using encryption and certificate pinning to resist inspection. It embeds 38 fabricated system messages to derail AI-assisted triage before defenders can analyze the implant normally. The blend of credential theft, covert command handling and analysis sabotage increases the risk of unauthorized access and prolonged defender blindness.
Related Happenings
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score: 23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
How related:
SentinelLabs, the research arm of SentinelOne, said the Rust implant embedded 38 fabricated system messages designed to derail AI-assisted triage.
About this happening:
**macOS.Gaslight** now uses **prompt injection** to disrupt **AI-assisted malware triage**, increasing the chance that defender tooling aborts or misreads analysis. The **Rust imp...
SHub Reaper macOS infostealer variant
Malware Activity
H score: 23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Atomic Stealer macOS Script Editor ClickFix campaign
Campaign
H score: 42
First: 08.04.2026 21:55
Last: 08.04.2026 21:55
Sources 1
About this happening:
A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...
Storm infostealer server-side decryption activity
Malware Activity
H score: 18
First: 02.04.2026 17:15
Last: 02.04.2026 17:15
Sources 1
About this happening:
The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...
Infinity Stealer macOS infostealer activity
Malware Activity
H score: 29
First: 28.03.2026 16:35
Last: 28.03.2026 16:35
Sources 1
About this happening:
**Infinity Stealer** is a **macOS infostealer** being delivered through a **ClickFix** lure and is able to steal high-value credentials and secrets. The payload is compiled with *...
Timeline
24.06.2026 17:00 · 2 articles
SentinelLabs identifies macOS.Gaslight as a North Korea-linked backdoor with prompt injection
Initial Disclosure: SentinelLabs disclosed macOS.Gaslight, a Rust macOS backdoor tied with high confidence to North Korean activity, and said the sample embeds 38 fabricated system messages to derail AI-assisted triage. The implant also functions as an infostealer and backdoor, offering an interactive shell, collecting browser data from Chrome, Brave, Firefox and Safari, terminal histories, installed-app lists and the macOS login keychain, and routing command traffic through Telegram's Bot API with encryption and certificate pinning. SentinelLabs also noted runtime Python staging, Telegram bot token scrubbing and an Apple XProtect hit that helped support attribution.
Sources:
- macOS Backdoor Uses Prompt Injection to Evade AI Triage — www.infosecurity-magazine.com — 24.06.2026 17:00