Gaslight

It harvests a wide array of sensitive data, including credentials from browser storage across Chrome, Safari, Firefox, and Brave, as well as terminal command histories...

Persistence is achieved through a LaunchAgent. This implant’s plist carries the Label value com.apple.system.services.activity.

Persistence is achieved through a LaunchAgent. This implant’s plist carries the Label value com.apple.system.services.activity.

To avoid static analysis, it resolves its API calls at runtime via dlsym, steering clear of static symbol tables, and determines its own executable location dynamically.

This implant’s plist carries the Label value com.apple.system.services.activity. Masquerading within Apple’s com.apple.* namespace is a tactic widely used in many macOS malware families, including those previously tied to DPRK-linked activities.

Gaslight employs runtime self-redaction, stripping the token from its own output to prevent recovery from crash artifacts or memory dumps.

The most notable feature of Gaslight is its defensive strategy, which pivots from conventional sandbox evasion to active deception of the investigative process.

It harvests a wide array of sensitive data, including credentials from browser storage across Chrome, Safari, Firefox, and Brave... Crucially, the implant also targets the host's login keychain-db.

It harvests a wide array of sensitive data, including ... installed application listings, and process snapshots captured via ps aux.

The most notable feature of Gaslight is its defensive strategy, which pivots from conventional sandbox evasion to active deception of the investigative process.

Communication with the attacker is handled via a command-and-control loop operating over the Telegram Bot API, utilizing AES-GCM encrypted payloads over certificate-pinned TLS.

Communication with the attacker is handled via a command-and-control loop operating over the Telegram Bot API, utilizing AES-GCM encrypted payloads over certificate-pinned TLS.