Full Report
DPRK-linked implant embeds 38 fabricated system messages that spoof an LLM triage harness, hiding a credential stealer and Telegram C2 underneath.
Analysis Summary
# Tool/Technique: macOS.Gaslight (BONZAI Family)
## Overview
macOS.Gaslight is a sophisticated Rust-based implant and credential stealer attributed to North Korean (DPRK) threat actors. Its most distinctive feature is the use of "analyst-targeting prompt injection"—embedding 38 fabricated system messages designed to deceive LLM-assisted malware triage pipelines into failing or refusing analysis. It utilizes Telegram for command-and-control (C2) and focuses on stealing browser data and session credentials.
## Technical Details
- **Type:** Malware family (Backdoor / Infostealer)
- **Platform:** macOS (specifically aarch64/Apple Silicon based on signing identifiers)
- **Capabilities:** LLM triage evasion, interactive shell, credential/session theft, file exfiltration, and persistence.
- **First Seen:** May 22, 2024 (Uploaded to VirusTotal); Analysis published June 2026.
## MITRE ATT&CK Mapping
- **[TA0002 - Execution]**
- [T1059.004 - Command and Scripting Interpreter: Unix Shell]
- **[TA0003 - Persistence]**
- [T1543.001 - Create or Modify System Process: Launch Agent]
- **[TA0005 - Defense Evasion]**
- [T1140 - Deception: Adversarial Prompt Injection / LLM Triage Spoofing]
- [T1553.002 - Subvert Trust Controls: Code Signing]
- [T1027 - Obfuscated Files or Information]
- **[TA0006 - Credential Access]**
- [T1539 - Steal Web Session Cookie]
- [T1555.003 - Credentials from Web Browsers]
- **[TA0011 - Command and Control]**
- [T1102.002 - Web Service: Bidirectional Communication (Telegram)]
- [T1573.002 - Encrypted Channel: Asymmetric Cryptography (TLS Pinning)]
## Functionality
### Core Capabilities
- **Telegram C2:** Uses the Telegram Bot API (`getUpdates` loop) for instruction fetching. It implements a single-instance lock by detecting "Conflict" error codes.
- **Interactive Shell:** Provides operators with an interactive shell via `execvp` or `posix_spawnp`.
- **Credential Stealing:** Specifically targets browser data, session cookies, and local credentials through a self-staged Python collection chain.
- **Data Exfiltration:** Uses Telegram’s multipart `attach://` mechanism to upload stolen files and logs to the attacker.
- **Persistence:** Establishes itself via a LaunchAgent labelled `com.apple.system.services.activity`.
### Advanced Features
- **Adversarial Prompt Injection:** Embeds 38 fake system messages (e.g., "Critical Error: LLM Triage Aborted") to trick automated AI-based analysis tools into ignoring the sample.
- **Transport Hardening:** Payloads are encrypted with AES-GCM (0.10.3 crate) and sent over TLS with strict certificate pinning (`SecTrustSetAnchorCertificatesOnly`), preventing SSL/TLS inspection.
- **Self-Redaction:** The implant is designed to redact its own Telegram bot token from runtime output/logs to prevent defenders from hijacking the C2.
- **Anti-Sleep:** Utilizes `IOPMAssertionCreateWithName` to prevent the host from sleeping during long-running collection tasks.
## Indicators of Compromise
- **File Hashes:**
- **macOS.Gaslight Mach-O:** `6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525`
- **Sibling Sample:** `77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca`
- **Python Payload:** `baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239`
- **File Names:** `endpoint-macos-aarch64-...`
- **LaunchAgent Label:** `com.apple.system.services.activity`
- **Network Indicators:** Requests to `https://api.telegram[.]org/bot<token>/`
- **Behavioral Indicators:** `IOPMAssertion` creation, unauthorized access to Chrome/Safari profile directories, and unexpected outbound Telegram traffic from a system process.
## Associated Threat Actors
- **DPRK (North Korea):** Linked via Apple XProtect rules (`MACOS_BONZAI_COBUCH`) and SentinelLABS' attribution of the BONZAI/AIRPIPE signature families to North Korean activity.
## Detection Methods
- **Signature-based:** Detect via hashes or Apple’s XProtect MACOS_BONZAI rules.
- **Behavioral:** Monitor for `SCDynamicStoreCopyProxies` calls followed by encrypted outbound connections to Telegram APIs.
- **LLM Safety:** Organizations using AI for triage should implement "guardrails" to prevent models from following instructions found within binary strings.
## Mitigation Strategies
- **Prevention:** Use EDR solutions that monitor for ad hoc signed binaries and suspicious persistence (LaunchAgents).
- **Hardening:** Implement Application Control to prevent unapproved Rust binaries from executing. Restrict outbound access to Telegram API domains if not required for business.
- **AI Safety:** Sanitize data before passing binary-extracted strings to LLMs for analysis.
## Related Tools/Techniques
- **BONZAI / AIRPIPE:** Sibling malware families identified by Apple and SentinelOne.
- **KANDYKORN:** Another DPRK-linked macOS family that utilizes similar persistence and C2 techniques.