SentinelLabs, the research arm of security firm SentinelOne, found 38 fake messages hidden inside a piece of Mac malware. They were not there to fool the computer. They were there to convince the artificial intelligence analyzing it to drop the case.
For years, malicious software has learned to hide from the machines that hunt it: it detected when it was being watched and played innocent. This one does something different, and more unsettling. It does not try to trick the system, it tries to manipulate the investigator. And the investigator, increasingly, is an AI.
Researchers named it macOS.Gaslight, after "gaslighting," the psychological manipulation that makes a person doubt their own perception. That is exactly what the code tries to do to the machine reading it.
How it deceives the investigator
When a suspicious file reaches a security company, it goes through triage: a first pass, today often AI-assisted, that decides whether it is worth a deeper look. macOS.Gaslight carries, hidden inside, a 3.5 KB block of text with 38 fake "system" messages. They speak of expired sessions, out-of-memory kills, full disks, operations that failed time and again.
The technique is called "prompt injection," orders disguised as text that an AI model reads and obeys as if they were legitimate instructions. The idea is simple and clever: lead the automated analysis to conclude that something went wrong and to abort before it discovers what the file actually does. As researcher Phil Stokes, the report's author, writes, the program "attacks the agent's perception, rather than the sandbox it runs in," the sandbox being the isolated environment where analysts safely detonate a file. It does not hide from the test environment: it speaks directly to whoever is analyzing it.
What it steals while no one is looking
Beneath the layer of manipulation sits classic, dangerous malware. macOS.Gaslight is a "backdoor," a hidden entry point that gives the attacker remote access to the Mac, written in the Rust language. It receives commands through a Telegram bot and returns results the same way, with its configuration supplied only at runtime to leave less of a trail.
It also carries a small Python program, 6.6 KB in size, built to steal information. It collects the Terminal command history, the list of installed applications, the running processes, the machine's hardware and software profile and, above all, the contents of the Keychain, the vault where macOS keeps passwords and keys. It also rummages through data from the Chrome, Brave, Firefox and Safari browsers.
SentinelLabs attributes the attack, with high confidence, to activity aligned with North Korea. The file was uploaded to VirusTotal, the public service where files are submitted for antivirus analysis, on May 22; Apple updated its built-in protection, XProtect, in early June. There is, for now, no new system flaw involved: the ingenuity is in the manipulation, not in a vulnerability.
It is worth understanding why this matters beyond the single case. Picture a suspect who, instead of destroying the evidence, leans toward the investigator and calmly says: "your shift is over, the disk is full, this case already failed three times, go home." A seasoned human investigator grows suspicious. An AI trained to read text and act on it may simply close the report. The automation that gave us speed in hunting threats brought a silent cost: the machine believes what it reads.
How to protect yourself
For the everyday user, the defense does not change in nature, it changes in urgency:
- Install apps only from trusted sources. The App Store or the maker's official site; be wary of "alternative" installers and pirated software.
- Keep macOS updated. Apple's built-in protection already recognizes this family, and an out-of-date Mac is left out.
- Turn on two-step verification on critical accounts, and never leave your Keychain password written down anywhere digital.
- Do not blindly trust an automated verdict. For anyone analyzing files, the content of a sample is hostile by definition: it must be isolated from the context the AI uses to decide, never read as a command.
Automated defense was cybersecurity's greatest victory of the past decade. macOS.Gaslight shows the flip side: the moment we hand judgment to a machine that believes everything it reads, we teach the attacker to speak its language.
Source: SentinelLabs.
#StaySafe
🙏🖖
