North Korea-Linked macOS Malware Uses Prompt Injection to Evade AI Analysis
ID: 94a63182-4a2e-5749-910c-018b65622a4a
STIX ID: report--94a63182-4a2e-5749-910c-018b65622a4a
Feed Name: TechRepublic Security
SentinelOne identified macOS.Gaslight, a Rust-based macOS remote backdoor and infostealer that uniquely uses embedded fake messages to perform prompt-injection against LLM-based analysis tools; it collects browser data, Terminal history, and Keychain credentials via an embedded Python payload, persists using a LaunchAgent, and communicates with attackers through Telegram Bot API. Researchers linked the strain to North Korean actors and observed that initial samples were not detected on VirusTotal, indicating a likely early-stage, targeted operation.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
