logo

macOS.Gaslight: North Korea-Linked Malware That Tries to Gaslight the Analyst

ID: 5f44005d-7b00-56af-bc11-5e5920ca7e0e

STIX ID: report--5f44005d-7b00-56af-bc11-5e5920ca7e0e

Feed Name: Security Affairs

Threat Score
85/100

Date Published: 2026-06-26

Date Updated: 2026-06-26

Author: Pierluigi Paganini

...
...

**macOS.Gaslight** is a Rust-based macOS implant attributed to DPRK-aligned operators that embeds a multi-message prompt-injection payload to confuse LLM-assisted analysts; it communicates via Telegram Bot API with AES-GCM-encrypted messages and TLS certificate pinning, persists using a LaunchAgent, stages a self-contained Python environment to run a gated stealer that exfiltrates browsers, keychains and system data, and employs novel self-redaction to hide runtime bot credentials.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.