Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware Activity
Summary
Hide ▲
Show ▼
A previously undocumented macOS implant named Gaslight combines Telegram bot API C2, persistent shell control, and file exfiltration with a built-in prompt-injection payload. The sample is designed to mislead AI-assisted triage by injecting fabricated system-failure messages that can make analysis abort or stop. It also establishes persistence through a LaunchAgent and steals Keychain and browser data from Chrome, Brave, Firefox, and Safari. The combination of anti-analysis and credential/data theft raises the risk of stealthy compromise on macOS hosts.
Related Happenings
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
How related:
"On top of that, the malware attempts to evade an AI-based detection by incorporating a Markdown-fenced block containing 38 fabricated "system" messages designed to trick a security agent into aborting, truncating, or refusing analysis."
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisHow related: "On top of that, the malware attempts to evade an AI-based detection by incorporating a Markdown-fenced block containing 38 fabricated "system" messages designed to trick a security agent into aborting, truncating, or refusing analysis."
About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Storm infostealer server-side decryption activity
Malware Activity
H score18
First: 02.04.2026 17:15
Last: 02.04.2026 17:15
Sources 1
About this happening:
The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...
Storm infostealer server-side decryption activity
Malware ActivityAbout this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...
Infinity Stealer macOS infostealer activity
Malware Activity
H score29
First: 28.03.2026 16:35
Last: 28.03.2026 16:35
Sources 1
About this happening:
**Infinity Stealer** is a **macOS infostealer** being delivered through a **ClickFix** lure and is able to steal high-value credentials and secrets. The payload is compiled with *...
Infinity Stealer macOS infostealer activity
Malware ActivityAbout this happening: **Infinity Stealer** is a **macOS infostealer** being delivered through a **ClickFix** lure and is able to steal high-value credentials and secrets. The payload is compiled with *...
Timeline
-
25.06.2026 12:23 2 articles · 4h ago
Gaslight macOS malware embeds prompt injection to disrupt AI-assisted analysis
Initial DisclosureA previously undocumented Rust-based macOS implant and information stealer codenamed Gaslight combines a Telegram bot API command-and-control loop, interactive shell control, LaunchAgent persistence using the label "com.apple.system.services.activity", and a Base64-encoded Python stealer that harvests Terminal histories, installed applications, running processes, hardware and software profiles, macOS Keychain data, and browser data from Chrome, Brave, Firefox, and Safari. The sample also embeds 38 fabricated system messages and other bogus failures intended to mislead LLM-assisted triage and prompt a security agent to abort, truncate, or refuse analysis, while the operator configuration is supplied at runtime and the collected data is compressed into temp/collected_data.zip and uploaded via Telegram; the tooling is assessed with high confidence as the work of North Korea-aligned threat actors.
Show sources
- New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis — thehackernews.com — 25.06.2026 12:23
- New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis — thehackernews.com — 25.06.2026 12:23