macOS.Gaslight
macOS.Gaslight is a Rust-based macOS implant and infostealer with persistence, remote shell access, and Telegram-based command-and-control and exfiltration. SentinelLABS assessed with high confidence that it belongs to a DPRK-aligned/North Korea-linked macOS activity cluster, and Apple XProtect linked the sample to the BONZAI family, with related overlap to AIRPIPE. The malware was surfaced in early June 2026 after an Apple XProtect update flagged a sample uploaded to VirusTotal on 2026-05-22.
The implant uses the Telegram Bot API getUpdates polling loop for C2 and returns stolen data via Telegram file upload. Communications are protected with AES-GCM encryption, fresh nonces, certificate-pinned TLS, and proxy-aware networking. It also treats Telegram Conflict responses as a single-instance lock. Operator configuration, including the Telegram bot token, chat ID, and AES key, is supplied at runtime rather than embedded in the sample.
Documented capabilities include an interactive shell supporting commands such as help, id, shell, kill, upload, and stop; process termination; file upload; and stopping the implant. It can also deploy a Python-based collection module on demand. The Python stealer harvests browser data and credentials from Chrome, Brave, Firefox, and Safari; terminal histories; installed applications; running process information; system_profiler output; and a raw copy of login.keychain-db. Collected artifacts are archived to temp/collected_data.zip before exfiltration.
Persistence is achieved through a LaunchAgent labeled com.apple.system.services.activity, masquerading as an Apple service. The implant resolves its own executable path at runtime and writes that path into the LaunchAgent configuration. It also creates a power-management assertion to prevent system sleep during long-running activity. A separate embedded bash installer fetches a standalone CPython 3.10.18 runtime for both arm64 and x86_64 macOS.
A notable feature is an embedded 3.5 KB prompt-injection payload containing 38 fabricated system messages intended to manipulate LLM-assisted malware triage pipelines into aborting, truncating, or refusing analysis. The malware also includes a self-redaction routine that replaces the live Telegram bot token with a placeholder in certain runtime output.
High-confidence indicators include the main Mach-O sample SHA-256 6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525, the Python payload SHA-256 baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239, the bash installer SHA-256 b3c56d689414343589f38394d19ba2fe9a518133281200faa0556ba4e4136394, the sibling BONZAI sample SHA-256 77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca, the LaunchAgent label com.apple.system.services.activity, and the ad hoc signing identifier endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea.
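The following hunting script is an added example and is not code from SentinelLABS, Apple, or Mallory. It turns the persistence description above (a LaunchAgent with an Apple-style label whose program path is the implant's own executable), the Telegram getUpdates C2 channel, and the published SHA-256 indicators into three small checks a defender can run over host telemetry. The plist contents, the per-user LaunchAgents location, the process name "endpoint", the event record shape, and the list of expected Telegram clients are all assumptions made for the example; the sample plist and connection events are constructed.

```python
# Added hunting example for the macOS.Gaslight profile above. This is not SentinelLABS,
# Apple, or Mallory code; the plist layout, the per-user LaunchAgents assumption, the
# network-event shape and the sample inputs are all constructed for this example.
import hashlib
import plistlib

# Indicators taken from the profile above: SHA-256 of the Mach-O, Python payload,
# bash installer and sibling BONZAI sample, plus the LaunchAgent label.
GASLIGHT_LABEL = "com.apple.system.services.activity"
GASLIGHT_SHA256 = {
    "6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525": "gaslight_macho",
    "baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239": "gaslight_python_payload",
    "b3c56d689414343589f38394d19ba2fe9a518133281200faa0556ba4e4136394": "gaslight_bash_installer",
    "77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca": "bonzai_sibling",
}
# Directories where a binary launched under a com.apple.* label is plausibly Apple's own
# (assumption: tune to your fleet's baseline).
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")
# Processes expected to reach api.telegram.org on a managed Mac (assumption).
TELEGRAM_CLIENTS = {"Telegram"}


def ioc_hash_hit(data: bytes):
    """Return the IOC name if the SHA-256 of data is a known indicator, else None."""
    return GASLIGHT_SHA256.get(hashlib.sha256(data).hexdigest())


def launchagent_findings(plist_bytes: bytes, plist_path: str):
    """Flag a LaunchAgent plist that carries the Gaslight label, or that borrows the
    com.apple.* namespace while living in a user's LaunchAgents directory and pointing
    at a program outside Apple-owned paths (the masquerade described above)."""
    findings = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable_plist"]
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    if label == GASLIGHT_LABEL:
        findings.append("known_gaslight_label")
    per_user = plist_path.startswith("/Users/") and "/Library/LaunchAgents/" in plist_path
    if label.startswith("com.apple.") and per_user and not program.startswith(APPLE_BINARY_PREFIXES):
        findings.append("apple_label_in_user_launchagents")
    return findings


def telegram_c2_suspects(events):
    """Given outbound connection events (dicts with 'process' and 'host'), return the
    processes polling api.telegram.org that are not an expected Telegram client."""
    return sorted({e["process"] for e in events
                   if e.get("host") == "api.telegram.org"
                   and e.get("process") not in TELEGRAM_CLIENTS})


def build_sample_plist() -> bytes:
    """Constructed plist resembling the persistence described above; the path is invented."""
    return plistlib.dumps({
        "Label": GASLIGHT_LABEL,
        "ProgramArguments": ["/Users/alice/Library/Application Support/.svc/endpoint"],
        "RunAtLoad": True,
        "KeepAlive": True,
    })


SAMPLE_EVENTS = [  # constructed connection records
    {"process": "Telegram", "host": "api.telegram.org"},
    {"process": "endpoint", "host": "api.telegram.org"},
    {"process": "Safari", "host": "www.apple.com"},
]

if __name__ == "__main__":
    path = "/Users/alice/Library/LaunchAgents/com.apple.system.services.activity.plist"
    print("plist findings:", launchagent_findings(build_sample_plist(), path))
    print("telegram suspects:", telegram_c2_suspects(SAMPLE_EVENTS))
    print("hash hit:", ioc_hash_hit(b"benign file contents"))
```

The label match is the precise indicator; the namespace heuristic is the generalisation, since a future build can change the label but a per-user LaunchAgent claiming to be an Apple service while launching a binary from a home directory remains anomalous. The Telegram check is only a triage filter: confirm hits with the process path and code signature, since the implant is ad hoc signed.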
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (3 techniques): Persistence is handled through a LaunchAgent disguised under the label com.apple.system.services.activity, blending the implant into Apple's service namespace to avoid detection.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (3 techniques): It resolves its API calls at runtime through dlsym so as to avoid embedding them in the static symbol table.
Credential Access (3 techniques)
Discovery (4 techniques): It steals browser credentials from Chrome, Brave, Firefox, and Safari, captures terminal histories, lists installed apps...
Collection (1 technique)
Command and Control (4 techniques): The implant's command-and-control channel is a Telegram Bot API getUpdates polling loop. It also reads the host's proxy settings and routes traffic accordingly, so the malware can operate on networks that force outbound connections through a proxy.
Recent activity
Summaries from three tracked sources (advisories, community write-ups, and news):
Rust-based macOS backdoor that steals browser credentials, terminal histories, installed app listings, and the macOS login keychain file; provides an interactive shell; deploys a Python data collection module on demand; exfiltrates archived data via the Telegram Bot API; and persists via a disguised LaunchAgent.
A Rust-based macOS implant and infostealer with Telegram Bot API command-and-control, AES-GCM encrypted payloads over certificate-pinned TLS, an interactive shell, LaunchAgent persistence, and a staged Python collection module that steals browser data, command histories, installed apps, process listings, system profiles, and login.keychain-db. It also includes analyst-targeting prompt-injection content intended to disrupt LLM-assisted malware triage.
A Rust-based macOS implant and infostealer that uses Telegram Bot API polling for C2, AES-GCM over pinned TLS for protected communications, provides an interactive shell, establishes LaunchAgent persistence, and can stage a Python-based collection module to steal browser data, terminal histories, process and system information, and login.keychain-db. It also embeds a prompt-injection payload intended to disrupt LLM-assisted malware triage.