Researchers at SentinelOne have discovered a previously unknown family of malware for macOS called Gaslight, which combines backdoor and infostealer functionality. Its key feature is an embedded prompt-injection block designed to confuse LLM models that are increasingly used for automated analysis of malicious files. Although there is currently no evidence that this technique is actually effective against existing AI solutions, its very appearance signals the emergence of a new class of attacks — aimed not at defensive infrastructure but at analysts’ cognitive tools.
Architecture and prompt injections
Gaslight is written in Rust. The binary includes a block of about 3.5 KB containing 38 fake “system” messages formatted using Markdown. According to the researchers, these strings imitate:
- notifications about expired tokens;
- warnings about low memory and disk space;
- messages about Redis failures and build errors;
- JSON parsing errors;
- false positives for SQL injection.
The malware authors are reportedly relying on an LLM involved in automated analysis interpreting these strings as system instructions or diagnostic data. As a result, the model may conclude that the analysis results are invalid, interrupt processing, shorten its response, or refuse to continue the investigation altogether. As the researchers themselves put it: “Gaslight attacks the agent’s perception, not the sandbox it runs in.”
A critically important caveat: SentinelOne explicitly notes that it has not found evidence that these prompt injections can successfully bypass real-world AI-based malware analysis solutions. This is more of an experimental technique that demonstrates the attacker’s line of thinking.
Control and backdoor functionality
For command-and-control, Gaslight uses the Telegram Bot API as its communication channel with operators. The malware continuously polls the control channel and exposes an interactive shell through which operators can:
- execute arbitrary commands on the system;
- terminate processes;
- steal files;
- shut down the malware itself.
The researchers also found indications of a focus command, whose purpose remained unknown at the time of publication.
To maintain persistence on the system, Gaslight creates a LaunchAgent with the identifier com.apple.system.services.activity — a name deliberately chosen to mimic legitimate Apple system services.
Data theft component
A separate 6.6 KB Python script encoded in Base64 is responsible for collecting and exfiltrating data. It is installed by a bash script of about 2 KB that downloads the CPython 3.10.18 interpreter from the astral-sh/python-build-standalone project. According to the researchers, the large number of comments and emojis in the installer code suggests that it was likely generated with the help of an LLM.
The stealer collects a wide range of data:
- terminal command history;
- the Keychain database;
- data from the Chrome, Brave, Firefox, and Safari browsers;
- a list of installed applications and running processes;
- hardware and system information.
The collected data is packed into the archive temp/collected_data.zip and sent via Telegram.
Impact assessment
Gaslight poses a threat primarily to macOS users, but its significance goes beyond this specific malware family. The prompt-injection component is an indicator that malware authors are starting to view LLMs as part of the defensive infrastructure and are deliberately trying to counter them. For now, this technique is in an experimental phase, but as analytical processes become more dependent on AI tools, similar approaches may grow more sophisticated.
From a practical perspective, the backdoor itself — with its interactive shell and fully featured stealer — represents a very real threat: compromising Keychain, four browsers’ data, and system information gives attackers a broad foothold for follow-on attacks.
Recommendations
- Check for a LaunchAgent with the identifier
com.apple.system.services.activityin the~/Library/LaunchAgents/and/Library/LaunchAgents/directories. - Check for the file
temp/collected_data.zipand for unusual downloads of CPython on the system. - Monitor outbound connections to the Telegram API (
api.telegram.org) from processes for which such activity is not typical. - Teams using LLMs for automated malware analysis should account for the risk of prompt injections within analyzed samples and avoid relying on AI analysis results as the sole source of conclusions.
- Consider implementing validation and filtering of input data before passing the contents of suspicious files to LLM models.
Gaslight is a practical demonstration that attackers have begun to view analysts’ AI tools as a separate attack surface. Even without confirmed effectiveness of its prompt injections against real systems, organizations integrating LLMs into threat analysis processes should already be building multi-layered validation of results and should not delegate final decisions to the model without human oversight. At the same time, it is worth checking macOS systems for the described indicators of compromise, since the backdoor and stealer functionality in Gaslight is fully operational regardless of how successful its anti-analysis tricks are.