macOS.Gaslight — DPRK-aligned Rust backdoor with anti-analyst prompt injection

SentinelLABS analysed macOS.Gaslight, a single-binary Rust implant it ties with high confidence to DPRK-aligned activity (Apple's XProtect detects it as MACOS_BONZAI_COBUCH, with a sibling sample caught by the AIRPIPE rule SentinelLABS also attributes to North Korea) (SentinelLABS, 2026-06-23). Its novel evasion is aimed at the analyst's tooling rather than a sandbox: the binary carries a 3.5 KB Markdown-fenced blob of 38 fabricated "system" messages whose {{DATA}} tokens mimic an LLM triage harness's own prompt scaffold, designed to push an LLM agent into aborting, truncating, or refusing its analysis (Infosecurity Magazine, 2026-06-24). Beyond that, it is a full stealer — staging a CPython interpreter at runtime to harvest Chrome/Brave/Firefox/Safari credentials, terminal history, system_profiler output, and a wholesale copy of login.keychain-db. C2 runs over the Telegram Bot-API getUpdates polling loop with AES-GCM payloads over certificate-pinned TLS; persistence is a LaunchAgent labelled com.apple.system.services.activity (T1543.001).

Why it matters to us: as LLM-assisted triage moves into SOC and MDR workflows, embedding adversarial prompt payloads in samples to corrupt that pipeline is a technique class to expect generalising — treat "benign" LLM verdicts on submitted macOS binaries as provisional pending human review, and flag any binary carrying large role/content message arrays for secondary analysis. Detection concepts: LaunchAgent plists masquerading under com.apple.system.services.* with non-Apple signers; processes spawning Python from non-standard parents; outbound TLS to api.telegram.org from non-user-initiated processes on managed Macs.