Securityaffairs.Co
DPRK-Linked macOS.Gaslight Implant Targets Analysts with Prompt Injection
A new Rust-based macOS implant named macOS.Gaslight has been linked to North Korean cyber activities. This malware features a prompt injection payload aimed at misleading AI-based malware analysts. It was first detected in early June 2026, following an Apple XProtect update that flagged a VirusTotal sample uploaded on May 22. The implant is characterized by its hardened Telegram-based command-and-control channel and is ad hoc signed. Researchers from SentinelLabs confirmed its association with DPRK-linked activities, particularly those related to BONZAI and AIRPIPE signatures. The binary remains undetected by static analysis engines, raising concerns about its stealth capabilities. The malware is designed to operate on macOS systems, specifically targeting Mac users. Current assessments indicate a high confidence in its state-sponsored origins.
Key Points:
• macOS.Gaslight is a Rust-based implant linked to North Korean cyber operations.
• The malware employs prompt injection techniques to deceive AI malware analysts.
• It was first identified in early June 2026, with origins traced back to a VirusTotal upload on May 22.