New Gaslight malware uses prompt injection to evade AI analysis
2026-07-03 • Moonlock •
North Korean operators are linked to Gaslight, a Rust-based macOS stealer and backdoor analyzed by SentinelOne and covered by Moonlock. The malware collects browser data, Terminal command histories, installed-application and process lists, system profile data, and a copy of the encrypted macOS login keychain, then uses a hardened Telegram bot channel for command execution and exfiltration. Gaslight also embeds 38 fabricated plaintext “system” messages intended to mislead AI-assisted malware triage with fake errors such as timeouts, crashes, and token-logic issues. The delivery context matches prior DPRK macOS targeting of developers, Web3, gaming, and fake job or meeting lures, though Moonlock notes this sample does not aggressively target crypto wallets directly.