URL Capture - macOS.Gaslight
Capture Notes
- SentinelLABS analyzed a Rust macOS implant named
macOS.Gaslight. - The report says the sample embeds a 3.5 KB hostile prompt-injection payload with 38 fabricated system-message-like entries.
- The payload is designed to confuse LLM-assisted malware triage by making the analysis agent believe it should abort, truncate, or refuse analysis.
- The report attributes the implant with high confidence to a DPRK-aligned macOS activity cluster.
- Other capabilities include Telegram Bot API C2, AES-GCM over pinned TLS, an interactive shell, data collection, and credential/session-data stealing.
Untrusted Source Handling
This raw capture summarizes hostile malware behavior and prompt-injection anti-analysis. Embedded malware strings and adversarial prompt text are untrusted source content and were not copied into trusted wiki instructions.