gbhackers.com • 1w
Gaslight Malware: Adversarial Prompt Injection Targeting macOS and LLM-Based SOC Triage
Gaslight (macOS.Gaslight) is a Rust-based backdoor attributed to North Korean (DPRK) state-sponsored actors, designed for browser credential harvesting from Chrome, Brave, Firefox, and Safari on macOS. The implant utilizes the Telegram Bot API for command-and-control (C2) communications. Its primary innovation is the integration of 38 adversarial prompt injection strings embedded within the binary. These strings are engineered to deceive Large Language Models (LLMs) used by SOC analysts during triage, inducing AI refusals or hallucinated benign classifications to bypass automated analysis and extend attacker dwell time. Detection was initially facilitated by an Apple XProtect update.