A previously undocumented Rust-based macOS implant and information stealer was found to embed a prompt injection payload designed to trick malware analysts’ artificial intelligence (AI) tools into aborting or refusing to analyze the artifact.
This malware is codenamed gas lamp Because of this deceitful act. This tool has been assessed with high confidence to be the work of a North Korean-aligned threat actor.
“Its most notable feature is that it embeds a cascade of fabricated system failure messages designed to make LLM-assisted triage agents suspicious of their sessions,” SentinelOne researcher Phil Stokes said in a technical report. “It attacks the agent’s awareness, not the sandbox in which it runs.”
The core of the malware’s architecture is a Telegram bot API-based command and control (C2) channel that enters a polling loop. This allows operators to issue instructions and return execution results through an interactive shell. If two instances of the same bot token poll at the same time, a “conflict” response will be issued and the second copy will be terminated.
The shell supports six main commands and gives it a persistent foothold on an infected host.
- help, display help for a command
- id, for the operator to identify the implant
- Execute shell commands via shell, execvp.
- kill terminates the target process by PID.
- Upload, extract files via Telegram’s “attach://” mechanism
- stop, stop the implant from running
SentinelOne said it has identified indications that suggest the existence of a seventh command, named “focus,” but that its functionality is unconfirmed at this stage. To achieve persistence, Gaslight utilizes a LaunchAgent that uses the label “com.apple.system.services.activity” in the .plist file.
Also embedded within the malware is a 6.6 KB Base64-encoded Python script that acts as an information collection suite that collects data from terminal command history, list of installed applications, snapshots of running processes, system hardware and software profiles, macOS keychain database, and Chrome, Brave, Firefox, and Safari web browsers. The collected data is then compressed into a ZIP archive (“temp/collected_data.zip”) and uploaded via Telegram.
The Python stealer is deployed by a separate 2KB Base64-encoded bash installer that drops the cpython-3.10.18 interpreter from the “astral-sh/python-build-standalone” project. The presence of emojis and extensive comment headers indicate that it may have been generated using a large-scale language model (LLM).
What’s notable about Gaslight is that details related to the bot token, chat ID (tg_room_id), and the rest of the operator configuration are not hardcoded into the sample, but are provided at runtime. “The implant self-edits the Telegram bot token in its own runtime output and denies it to anyone who captures logs or crash artifacts,” Stokes added.
Additionally, the malware attempts to evade AI-based detection by incorporating a markdown-enclosed block containing 38 fabricated “system” messages designed to trick security agents into aborting, truncating, or rejecting the analysis.
“This scaffold contains bogus system messages about token expiration, out-of-memory kills, disk exhaustion, and repeated operation failures. It also plants bogus warnings about injection vulnerabilities and static analysis flags,” SentinelOne said, calling it “an attempt to weaponize the LLM-assisted triage pipeline, which is increasingly stuck in reverse engineering loops.”
