Gaslight: The Rust-Powered macOS Implant Designed to Mislead AI Tools

A newly identified macOS malware strain dubbed Gaslight has been engineered to mislead AI-powered malware analysis tools by embedding prompt-injection strings and fabricated debugging information directly in its executable. The sample surfaced after an Apple XProtect update flagged a Mach-O binary uploaded to VirusTotal in May 2026, with detection based solely on its file hash rather than embedded code signatures. The Gaslight malware is ad hoc signed under a misleading identifier and, at the time of discovery, evaded traditional static detection engines. Apple currently detects it under the MACOS_BONZAI_COBUCH signature family, with related samples also linked to AIRPIPE, both of which have previously been associated with North Korean threat activity.

The Gaslight implant itself is written in Rust and employs several evasion techniques to minimize its static footprint. It dynamically resolves API calls using dlsym instead of exposing them through the symbol table and determines its own executable path at runtime rather than relying on hardcoded locations. For persistence, it deploys a LaunchAgent disguised under the label com.apple.system.services.activity, blending into Apple's legitimate namespace. It also creates power-management assertions to prevent the system from sleeping, ensuring uninterrupted command-and-control communications and long-running operations even during periods of user inactivity.

The malware's behavior is heavily driven by a runtime configuration schema containing parameters for Telegram communication, encryption keys, persistence settings, and optional Python-based components. Rather than spreading laterally or escalating privileges, Gaslight focuses on post-compromise collection and operator-controlled access. Once activated, it exposes an interactive shell that supports command execution, process termination, file uploads, and other management functions, enabling operators to maintain direct control over infected systems.

Data collection capabilities are extensive and rely on an embedded Python script that targets browser data from Chrome, Brave, Firefox, and Safari, as well as Terminal histories, installed applications, running processes, hardware profiles, and copies of the macOS login keychain database. A separate Bash-based installer retrieves a standalone Python runtime to support these operations across both Apple Silicon and Intel systems. The collection workflow can be selectively enabled through configuration settings, allowing operators to tailor activity to specific targets.

Stolen data is compressed into an archive and exfiltrated through the same Telegram Bot API infrastructure used for command-and-control. Communications are protected with AES-GCM encryption and reinforced with custom certificate trust validation to resist network interception. Gaslight's most notable feature, however, is a large block of fabricated Markdown-formatted "system messages" designed to resemble the internal prompts of an AI analysis framework. These fake warnings, error logs, memory failures, and security alerts are deliberately crafted to confuse or derail LLM-assisted malware triage systems, representing a novel form of anti-analysis tradecraft aimed specifically at modern AI-driven security workflows.