al-ice.ai

SentinelOne — macOS.Gaslight: North Korean Implant Uses Prompt Injection to Blind AI Triage

Security by al-ice.ai Editorial

AI relevance: This is the first confirmed malware family designed to weaponize prompt injection against the AI-assisted security tools increasingly used in SOC triage pipelines — turning defender AI into an evasion mechanism.

What Happened

  • SentinelLabs disclosed macOS.Gaslight, a Rust-based macOS implant attributed with high confidence to North Korea-aligned threat actors.
  • The implant embeds a 3.5 KB prompt-injection payload consisting of 38 fabricated "system" messages designed to trick LLM-assisted malware triage agents into aborting or refusing analysis.
  • The fake messages simulate system-failure cascades — making the AI analyst "doubt its own session" rather than flagging the binary as suspicious.
  • Command-and-control runs over Telegram Bot API with AES-GCM encrypted payloads over certificate-pinned TLS, making network inspection difficult.
  • The implant self-redacts its Telegram bot token in runtime output, denying it to anyone capturing logs or crash artifacts.
  • Apple XProtect detects the sample under rule MACOS_BONZAI_COBUCH, but static engines on VirusTotal still miss it at time of writing.
  • The binary is ad hoc signed and uses SecTrustSetAnchorCertificatesOnly for certificate pinning, defeating standard proxy inspection.
  • It creates a power-management assertion to prevent system sleep, sustaining long-running C2 polling during user inactivity.

Why It Matters

Security operations are rapidly integrating LLM-assisted triage to handle alert volume. Gaslight represents a new attack surface: adversarial payloads that target the AI layer of the defense stack rather than the sandbox or signature engine. If your SOC uses AI to pre-classify binaries, this implant is designed to make that AI say "nothing to see here." The approach is likely to be adopted by other state-aligned groups.

What To Do

  • Audit whether your malware triage pipeline uses LLM-assisted analysis — if so, test it against embedded prompt-injection payloads.
  • Do not rely solely on AI pre-classification for binary trust decisions. Maintain hash-based and behavioral detection layers.
  • Update Apple XProtect signatures and ensure macOS endpoints are patched to the latest version.
  • Monitor for Telegram Bot API polling patterns in outbound endpoint traffic, especially from developer machines.
  • Check for the ad hoc signing identifier endpoint-macos-aarch64-* in endpoint telemetry.

Sources