logo

North Korea-Linked macOS Malware Uses Prompt Injection to Evade AI Analysis

ID: 94a63182-4a2e-5749-910c-018b65622a4a

STIX ID: report--94a63182-4a2e-5749-910c-018b65622a4a

Feed Name: TechRepublic Security

Threat Score
75/100

Date Published: 2026-06-29

Date Updated: 2026-07-02

Author: Joseph Ofonagoro

...
...

SentinelOne identified macOS.Gaslight, a Rust-based macOS remote backdoor and infostealer that uniquely uses embedded fake messages to perform prompt-injection against LLM-based analysis tools; it collects browser data, Terminal history, and Keychain credentials via an embedded Python payload, persists using a LaunchAgent, and communicates with attackers through Telegram Bot API. Researchers linked the strain to North Korean actors and observed that initial samples were not detected on VirusTotal, indicating a likely early-stage, targeted operation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.