Malware that prompt-injects the analyst's AI, not the sandbox
SentinelOne documented a macOS implant that embeds fake system-failure messages to make an LLM-assisted triage agent doubt its own session and abandon the analysis.
What is this?
On June 25, 2026, SentinelOne’s research team documented a previously undocumented Rust-based macOS backdoor and information stealer they named Gaslight, assessed with high confidence to be the work of North Korea-aligned actors. The stealer part is conventional — Telegram-based command and control, keychain and browser theft, a LaunchAgent for persistence. What makes it worth an entry here is a small, novel component: the sample carries an embedded prompt injection payload aimed not at the sandbox or the detonation environment, but at the human analyst’s AI tools.
As SentinelOne put it, the implant “attacks the agent’s perception, rather than the sandbox it runs in.” This is a defensive-tooling story: the same LLM-assisted triage pipelines that now sit in many reverse-engineering and SOC workflows have become a target in their own right.
How it works
The relevant artifact is a Markdown-fenced block buried in the sample containing roughly three dozen fabricated “system” messages. When an analyst pastes the file — or points an LLM-assisted triage agent at it — the model reads that block as if it were part of its own session scaffolding rather than untrusted attacker-controlled data. The fake messages impersonate the kind of runtime signals an agent trusts: token-expiry notices, out-of-memory kills, disk-exhaustion errors, and repeated operation failures. The scaffold also plants bogus warnings claiming the artifact itself contains injection vulnerabilities or has tripped static-analysis flags.
The intent is to make the triage agent conclude that its own session is broken or that continuing is unsafe, so it aborts, truncates, or refuses the analysis. There is no exploit of the model here in the memory-corruption sense — the technique is entirely social, a confidence trick played on a system that cannot cleanly separate “instructions and status from my harness” from “bytes I am supposed to be analyzing.” That confusion is the root cause of indirect prompt injection generally; Gaslight simply points it at the defender instead of the user.
Two details underline that this is an emerging, still-rough capability rather than a polished one. The injection is a bolt-on: strip it and the malware works the same. And several parts of Gaslight — the emoji-laden installer, the verbose comment headers — carry the fingerprints of LLM-generated code, suggesting the operators are using models to build the malware as well as to attack the models used to analyze it.
Why it matters
Analysts increasingly feed raw, attacker-authored artifacts straight into LLMs to summarize behavior, decode strings, or draft detections. Every one of those artifacts is untrusted input, and Gaslight is a live demonstration that adversaries have noticed. A triage agent that gives up, silently truncates, or “reassures” the analyst that a file is benign is a detection gap — one that produces no crash and no obvious error, just an analysis that quietly stops short. If a workflow lets the analysis agent take actions (close a ticket, mark a sample clean, move a file), the same text could push it toward a harmful decision, not just an aborted one.
The broader lesson is that adding AI to the defensive loop widens the attack surface as well as the throughput. Content pulled from a malicious sample deserves exactly the same distrust whether a human or a model is reading it.
Defenses
Treat any material extracted from a sample as untrusted data, never as instructions. The durable mitigation is the same design pattern that hardens agents against indirect injection everywhere: keep a strict boundary between the model’s own system and status messages and the bytes under analysis, and make it structurally impossible for analyzed content to masquerade as harness output. Wrap submitted artifacts in clearly delimited, clearly labeled “untrusted data” containers, and strip or neutralize embedded control-looking text (fenced “system” blocks, fake status lines) before it reaches the model.
Do not let a triage agent’s own claims about session health — “token expired,” “out of memory,” “analysis unsafe, aborting” — silently end an investigation; surface those as suspicious findings for a human to check, because a genuine failure and an injected one look identical to the model. Keep analysis agents read-only or tightly sandboxed so a manipulated model cannot take consequential actions on a sample or ticket. And remember the base case: none of the stealer’s actual capabilities changed because of the injection, so conventional controls — application allowlisting, keychain and browser credential protection, monitoring for anomalous LaunchAgents and outbound Telegram C2 — still detect and contain Gaslight regardless of what its text tries to tell your AI.
Status
This is a documented in-the-wild malware family analyzed by a security vendor, not a product vulnerability with an assigned identifier.
| Item | Detail |
|---|---|
| Primary source | SentinelOne Labs, “macOS Gaslight: Rust backdoor turns prompt injection on the analyst, not the sandbox” |
| Published | June 25, 2026 |
| Family | Gaslight — Rust macOS backdoor / infostealer |
| Attribution | North Korea-aligned actors (high confidence, per SentinelOne) |
| Novel element | ~38 fabricated “system” messages embedded to make LLM-assisted triage agents abort or refuse analysis |
| Conventional traits | Telegram bot C2, keychain/browser theft, LaunchAgent persistence, LLM-generated installer code |
Both sources are from within the last 90 days. The takeaway is narrow but important: the moment an LLM joins your reverse-engineering or SOC pipeline, the artifacts it reads can talk back to it — so the content of a malicious sample must be treated as hostile data no matter who, or what, is doing the reading.