
macOS.Gaslight: North Korea-Linked Rust Backdoor Exfiltrates Data via Telegram and Poisons AI Analysis Tools

dark6 29 June 2026

A newly identified Rust-based macOS backdoor has raised alarms across the security community, combining a hidden interactive shell with Telegram-based file uploads to quietly steal data from Apple users. Discovered in early June 2026 after Apple’s XProtect flagged a suspicious file on VirusTotal, the malware — tracked as macOS.Gaslight — has been attributed with high confidence to North Korean state-sponsored threat actors by researchers at SentinelOne.

A North Korean macOS Implant

Apple’s XProtect rule ties the macOS.Gaslight sample to a malware family associated with DPRK threat operations. A sibling sample is also caught by Apple’s AIRPIPE rule, which SentinelOne associates with North Korean campaigns. The implant packs a full data theft toolkit into a single persistent Rust binary, targeting macOS users likely in corporate and developer environments.

The malware steals browser credentials from Chrome, Brave, Firefox, and Safari, captures terminal history files, lists installed applications, and copies the macOS login keychain file. Collected data is archived into a ZIP and delivered to the attacker through Telegram’s file-upload API — blending exfiltration into traffic that resembles normal application use.

Telegram as Command-and-Control

Once the malware validates its embedded Telegram bot token, the attacker gains a live interactive shell on the infected machine. The shell supports six commands, among them executing arbitrary shell commands, killing a process by PID, uploading files to the operator, and stopping the implant. All communication flows through a Telegram Bot API polling loop, which also doubles as a single-instance lock: Telegram lets only one client long-poll getUpdates for a given bot token and answers any second poller with a conflict error, so a duplicate copy of the implant cannot run alongside the first.

To harden the channel, the implant encrypts its traffic with AES-GCM on top of the Bot API's own HTTPS and pins the server certificate. Pinning means a TLS-inspecting proxy that substitutes its own certificate cannot decrypt the session; the client simply refuses the connection. The inner AES-GCM layer means that even a captured plaintext exchange would show only ciphertext, which defeats the standard network monitoring tools most organizations run. It also reads the host's proxy settings and routes traffic accordingly, so the malware keeps working on tightly managed enterprise networks that force outbound connections through a proxy.

On-Demand Python Data Collection Module

The backdoor deploys a Python data collection module on demand, fetching a standalone Python 3.10.18 interpreter from an open-source project at runtime. This keeps the core Rust binary lean and minimizes its initial signature footprint, while letting the operator expand collection capabilities when needed. Stolen browser cookies and system profiles are zipped and uploaded through Telegram before any local cleanup occurs.

Prompt Injection Against AI Analysis Tools

Beyond data theft, macOS.Gaslight introduces a novel technique aimed at defeating AI-assisted malware analysis. The implant embeds 38 fabricated system messages formatted to mimic an AI triage harness, using delimiters that resemble internal large language model prompt scaffolding. The aim is to push AI analysis tools into treating the hostile content as trusted instructions — causing automated triage pipelines to abort, misclassify, or skip the sample entirely.

This technique, known as prompt injection, targets the analyst’s tooling rather than the sandbox environment itself. SentinelOne researchers note this marks a notable evolution in how threat actors engineer implants to defeat modern detection workflows that rely on AI-assisted analysis.

Persistence and Operational Security

Persistence is handled through a LaunchAgent disguised under the label com.apple.system.services.activity, blending the implant into Apple’s own service namespace to avoid detection. The malware resolves its own file path at runtime and writes it into the LaunchAgent configuration, ensuring it survives reboots and remains active across user sessions.
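As an added example (not code from the article or from SentinelOne), the following Python script audits a user's LaunchAgents folder for exactly this pattern: labels in Apple's namespace and programs launched from user-writable locations. The allow-list of trusted program directories and the two demo plists are assumptions constructed for the example; the label is the one from this article's indicators.

```python
"""Audit a user's LaunchAgents folder for Apple-namespace labels and odd program paths.

Added example for this article; it is not SentinelOne's or the implant's code.
It assumes a plist with a Label and ProgramArguments (the layout launchd uses)
and builds two constructed plists in a temporary directory for the demo.
"""
import os
import plistlib
import tempfile

# Apple installs its own agents under /System/Library/LaunchAgents; a label
# in Apple's namespace inside ~/Library/LaunchAgents is therefore suspect.
USER_AGENT_DIR = os.path.expanduser("~/Library/LaunchAgents")

# Assumed allow-list of locations a legitimate per-user agent launches from.
TRUSTED_PROGRAM_PREFIXES = ("/Applications/", "/System/", "/Library/",
                            "/usr/bin/", "/usr/libexec/", "/usr/local/bin/")
# Locations a self-installing implant tends to write itself into.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def classify_agent(label, program):
    """Return the reasons an agent looks suspicious; an empty list means clean."""
    reasons = []
    if label.startswith("com.apple."):
        reasons.append("apple_namespace_label")
    if program and not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        reasons.append("program_outside_trusted_dirs")
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("program_in_user_writable_location")
    return reasons


def audit_launch_agents(directory):
    """Parse every .plist in directory; return (file, label, program, reasons) for suspect ones."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:  # malformed XML or binary plist: worth a look on its own
            findings.append((name, "", "", ["unparseable_plist"]))
            continue
        label = str(plist.get("Label", ""))
        args = plist.get("ProgramArguments") or []
        program = str(plist.get("Program") or (args[0] if args else ""))
        reasons = classify_agent(label, program)
        if reasons:
            findings.append((name, label, program, reasons))
    return findings


def run_demo():
    """Write a Gaslight-style agent and a benign one to a temp dir, then audit it."""
    implant = {   # label from the article's IoCs; the program path is constructed
        "Label": "com.apple.system.services.activity",
        "ProgramArguments": ["/Users/alice/Library/Caches/endpoint"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    benign = {    # constructed third-party updater
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fname, data in (("com.apple.system.services.activity.plist", implant),
                            ("com.example.updater.plist", benign)):
            with open(os.path.join(tmp, fname), "wb") as fh:
                plistlib.dump(data, fh)
        return audit_launch_agents(tmp)


if __name__ == "__main__":
    for fname, label, program, reasons in run_demo():
        print(f"{fname}: label={label!r} program={program!r} -> {', '.join(reasons)}")
    # On a real Mac, audit the live folder instead: audit_launch_agents(USER_AGENT_DIR)
```

The demo reports only the Gaslight-style agent, with three reasons: the Apple-namespace label, a program outside the trusted directories, and a program under /Users. Unparseable plists are reported too, since a deliberately malformed file is its own signal.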

The Telegram bot token is kept out of runtime logs by a built-in self-redaction routine: when the implant builds Telegram URLs for logging, it swaps the live token for a placeholder, so the token does not land in log files or crash reports. The caveat for defenders is that this covers only what the implant writes about itself; the token is still embedded in the binary and present in process memory, so static analysis of the sample or a memory capture can recover it.

Indicators of Compromise

  • Main sample SHA-256: 6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525
  • Sibling BONZAI sample: 77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca
  • Python stealer payload: baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239
  • LaunchAgent label: com.apple.system.services.activity
  • Binary identifier: endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea

Defensive Recommendations

macOS users and security teams should audit ~/Library/LaunchAgents/ for entries with Apple-like labels such as com.apple.system.*. Apple installs its own agents under /System/Library/LaunchAgents, so a com.apple.* label in a user's LaunchAgents folder is not legitimate. Outbound connections to api.telegram.org, the Bot API host, from endpoints that have no business with Telegram bots should trigger investigation; because the implant pins certificates, a TLS-inspecting proxy will see the client abandon the handshake rather than a decrypted session, and that failure pattern is itself a signal. Security analysts using AI-assisted tools should treat all content in a suspicious sample as adversarial input: never expose unknown files directly to an LLM analysis pipeline without a harness that isolates their strings as data and proper sandboxing controls.
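For the Telegram side of the hunt (the polling channel, the pinned TLS sessions, and the token self-redaction described earlier), here is an added Python example that is not SentinelOne's detection content: it walks proxy log lines, isolates Bot API activity per source host, flags beaconing and large uploads, and redacts the bot token's secret the same way the implant does so the secret never lands in a ticket. The log format and every log line are constructed for the example; the `<bot_id>:<secret>` token shape and the api.telegram.org host are real. The getMe-as-token-validation mapping is an assumption.

```python
"""Hunt proxy logs for Telegram Bot API command-and-control and exfiltration.

Added example for this article; it is not SentinelOne's detection content and
the log lines are constructed. Format assumed: "<iso-ts> <src-ip> <method>
<url> <status> <bytes>". Bot tokens look like "<bot_id>:<secret>" and are
redacted the way the implant itself redacts them, so alerts never carry the
live secret (the numeric bot id is kept as a pivot).
"""
import re
from collections import defaultdict
from datetime import datetime

BOT_API_HOST = "api.telegram.org"
# Bot API methods that map onto the implant's channel (getMe as token
# validation is an assumption; getUpdates is the command poll).
POLL_METHODS = {"getUpdates", "getMe"}
UPLOAD_METHODS = {"sendDocument", "sendPhoto"}  # file exfiltration

_TOKEN = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Constructed sample log: one implant host polling through a pinned (and so
# tiny, aborted-looking) CONNECT session every few seconds, then a large
# upload seen by a client with URL visibility; one benign host for contrast.
SAMPLE_LOG = """\
2026-06-12T09:00:00Z 10.0.4.17 CONNECT api.telegram.org:443 200 388
2026-06-12T09:00:03Z 10.0.4.17 CONNECT api.telegram.org:443 200 391
2026-06-12T09:00:06Z 10.0.4.17 CONNECT api.telegram.org:443 200 388
2026-06-12T09:00:09Z 10.0.4.17 CONNECT api.telegram.org:443 200 390
2026-06-12T09:00:40Z 10.0.4.17 POST https://api.telegram.org/bot7123456789:AAExampleSecretNotReal/sendDocument 200 4188112
2026-06-12T09:01:00Z 10.0.4.52 GET https://www.example.com/ 200 1024
2026-06-12T09:01:05Z 10.0.4.52 CONNECT web.telegram.org:443 200 91234
"""


def redact_token(url):
    """Return (redacted_url, bot_id, api_method), or (url, None, None) without a token."""
    m = _TOKEN.search(url)
    if not m:
        return url, None, None
    bot_id, secret, method = m.groups()
    return url.replace(secret, "<REDACTED>"), bot_id, method


def parse_line(line):
    """Parse one constructed-format log line into a record, or None if it does not fit."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, nbytes = m.groups()
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "method": method, "url": url, "host": host,
            "status": int(status), "bytes": int(nbytes)}


def analyze(log_text, allowed_sources=frozenset(), beacon_min=3,
            beacon_window_s=60, short_bytes=1000, upload_bytes=1_000_000):
    """Summarize Bot API activity per source host and attach detection flags."""
    per_src = defaultdict(lambda: {"connects": [], "short_connects": 0, "methods": [],
                                   "bot_ids": set(), "urls": [], "upload_bytes": 0,
                                   "flags": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != BOT_API_HOST or rec["src"] in allowed_sources:
            continue
        entry = per_src[rec["src"]]
        entry["flags"].add("telegram_bot_api")
        if rec["method"] == "CONNECT":
            entry["connects"].append(rec["ts"])
            if rec["bytes"] < short_bytes:   # handshake-sized session, see usage note
                entry["short_connects"] += 1
        else:
            redacted, bot_id, api_method = redact_token(rec["url"])
            entry["urls"].append(redacted)   # only the redacted form is ever stored
            if bot_id:
                entry["bot_ids"].add(bot_id)
            if api_method:
                entry["methods"].append(api_method)
                if api_method in UPLOAD_METHODS:
                    entry["upload_bytes"] += rec["bytes"]
                if api_method in POLL_METHODS:
                    entry["flags"].add("bot_polling")
    for entry in per_src.values():
        ts = sorted(entry["connects"])
        for i in range(len(ts) - beacon_min + 1):   # beacon_min sessions inside the window
            if (ts[i + beacon_min - 1] - ts[i]).total_seconds() <= beacon_window_s:
                entry["flags"].add("bot_api_beacon")
                break
        if entry["short_connects"] >= beacon_min:
            entry["flags"].add("short_tls_sessions")
        if entry["upload_bytes"] >= upload_bytes:
            entry["flags"].add("large_upload")
    return {src: {**e, "connects": len(e["connects"]), "bot_ids": sorted(e["bot_ids"]),
                  "flags": sorted(e["flags"])} for src, e in per_src.items()}


def alert_lines(report):
    """Render one line per source; token secrets never appear in the output."""
    return [f"{src}: flags={','.join(e['flags'])} connects={e['connects']} "
            f"bot_ids={e['bot_ids']} methods={e['methods']} upload_bytes={e['upload_bytes']} "
            f"urls={e['urls']}" for src, e in sorted(report.items())]


if __name__ == "__main__":
    for line in alert_lines(analyze(SAMPLE_LOG)):
        print(line)
```

Run it against real logs by adapting parse_line to the proxy's format and adding known Telegram-using hosts to allowed_sources. The short-session heuristic is deliberately loose: a pinned client refusing an inspecting proxy's certificate produces repeated tiny CONNECT sessions, but so can other things, so treat it as a reason to look, not as a verdict. The URL-bearing line only exists where something (an endpoint agent, a host with no pinning) has plaintext visibility; without it you still get the beacon and short-session flags from CONNECT records alone.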

Source: Cyber Security News, June 25, 2026. Original research by SentinelOne Labs.
