Gaslight: North Korea’s macOS Malware That Deceives AI Security Tools

North Korea has built macOS malware that attacks your AI security tools — not by evading them technically, but by lying to them. SentinelOne disclosed a Rust-based macOS implant on June 25, 2026, codenamed Gaslight, attributed with high confidence to North Korea-aligned threat actors. It is the first documented malware to embed fabricated system-failure messages specifically formatted to deceive large language models used in AI-assisted security triage.

What Happened

Gaslight is a Rust-based macOS implant discovered and disclosed by SentinelOne on June 25, 2026. It is attributed to North Korea-aligned threat actors based on code similarities, infrastructure overlap, and operational patterns consistent with prior DPRK campaigns targeting macOS environments.

The defining characteristic of Gaslight is its anti-AI evasion technique. The binary embeds 38 fabricated system-failure messages formatted as Markdown — designed to be read by the LLM in an AI-assisted triage pipeline. The fake messages simulate session timeouts, memory exhaustion, disk-full errors, and analysis failures. When an analyst uploads the file to an AI triage tool, the embedded text instructs the model to abort analysis. The malware is flagged as clean. It walks through.

This is not a sandbox evasion. It is a perception attack on the analyst layer — targeting the AI, not the infrastructure.

Beyond the AI evasion mechanism, Gaslight is a fully capable infostealer. It exfiltrates macOS Keychain credentials, browser data from Chrome, Brave, Firefox, and Safari, Terminal command history, and running process lists. All data is sent via Telegram to attacker-controlled infrastructure. For persistence, Gaslight installs a LaunchAgent disguised as an Apple system service named activity under the system services bundle.

SentinelOne also observed that the Python stealer component shows signs of LLM-assisted code generation. North Korea used AI to write malware designed to defeat AI defenders.

Why It Matters

AI-assisted triage is becoming standard in security operations. Gaslight is the first documented case of an attacker building a payload explicitly to exploit that workflow. The technique is straightforward to replicate — any threat actor capable of embedding Markdown text in a binary can attempt the same approach.

For organizations operating macOS fleets, the persistence and credential theft capabilities are also directly dangerous. Keychain access exposes stored passwords, certificates, and tokens. Telegram-based C2 blends with legitimate traffic and is difficult to block without impacting productivity.

What You Should Do Now

1. Audit AI triage pipelines. If your workflow passes file contents directly to an LLM, enforce sandboxed execution with explicit output validation. Do not trust LLM verdicts on unknown binaries without a corroborating signal.
2. Review macOS LaunchAgents across your fleet. Check for unexpected entries labelled as Apple system services — particularly anything named activity under the system services bundle.
3. Test whether your AI tooling can be prompted to skip analysis. Submit a test file with embedded instructions and verify that output validation catches prompt injection attempts.
4. Review macOS Keychain and browser credential exposure for high-value users.

DIESEC Perspective

Gaslight marks a meaningful escalation in attacker sophistication. This technique will not stay exclusive to North Korea for long. Organizations adopting AI-assisted security tooling need to treat prompt injection as an active threat model and build validation layers into any pipeline where LLM output influences security decisions. If you want to assess your triage pipeline’s resilience or review your macOS endpoint security posture, contact the DIESEC team.

Sources: The Hacker News | BleepingComputer | SentinelOne
Published: 2026-06-29 | Category: Nation-State & APT | ~4 min read