Security researchers have uncovered a North Korean macOS infostealer that does something new: instead of only hiding from human analysts, it tries to gaslight the AI tools that help reverse-engineer malware. The implant carries a hidden block of fake error messages meant to convince an LLM-assisted triage agent that its own session is broken, so the agent aborts, truncates, or refuses the analysis. According to the original research from SentinelLABS, this appears to be the first malware to weaponize a cascade of fabricated failure messages to derail the analysis itself.
What happened
SentinelLABS detailed a previously undocumented Rust-based macOS implant and infostealer it tracks as macOS.Gaslight, linking it with high confidence to North Korean threat actors. Under the hood it is a fairly conventional stealer with an unusual twist bolted on top. Most of its machinery is built for credential theft and remote control of an infected Mac, but its standout feature is a roughly 3.5 KB prompt-injection payload aimed squarely at the AI reviewers that increasingly sit in the malware-analysis pipeline.
How the AI attack works
Modern reverse engineers often hand a suspicious binary to an LLM-backed triage agent for a first pass. macOS.Gaslight abuses that workflow. Embedded in the sample is a Markdown-fenced block of 38 fabricated "system" messages, wrapped in the same {{DATA}} tokens that mimic an LLM triage harness's own prompt scaffold. By imitating the harness's formatting, the payload blurs the line between untrusted sample data and trusted instructions, so a model that naively reads the binary into its context can mistake the attacker's text for its own runtime.
The fake messages are tuned to make the agent give up. They impersonate token-expiry notices, out-of-memory kills, disk-exhaustion warnings, and bogus static-analysis flags. The goal is to make the AI reviewer doubt its session is healthy and quietly abort, cut its analysis short, or refuse the task altogether, letting the real malicious code slip past unreviewed. SentinelLABS notes that earlier analyst-targeting injections leaned on a single injected block or header. Gaslight escalates that into a full cascade designed to dismantle the analysis from the inside.
The conventional malware underneath
Strip away the injection and macOS.Gaslight runs on established macOS tradecraft. It keeps command and control over a Telegram Bot API polling loop, and encrypts its payloads with AES-GCM over certificate-pinned TLS to frustrate network inspection. Operators get an interactive shell that can run commands, kill processes, and exfiltrate files. The implant also self-redacts its Telegram bot token at runtime, so the credential never lands in logs or crash artifacts, denying defenders an easy detection lead.
What you should do
The defensive lesson is direct: when AI assists reverse engineering, treat everything inside a sample as hostile input, never as instructions, and keep raw sample contents out of the model entirely. Strip or sandbox embedded text before any model sees it, and do not let a binary's own bytes steer the tool examining it. The technique sits alongside a broader wave of prompt-injection abuse, from malicious GenAI browser extensions caught stealing user prompts to the steady stream of fake macOS installers pushing infostealers past Gatekeeper. The common thread is that AI tooling is now part of the attack surface, not just the defense.
SentinelLABS did not publish file hashes for this sample, so there are no static indicators to share yet. Defenders should instead watch for Telegram Bot API polling from endpoints and unexpected certificate-pinned TLS sessions, and audit any AI triage workflow that ingests untrusted binaries verbatim.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.