ForumsExploitsNew 'Gaslight' macOS Malware Uses Prompt Injection to Blind AI Tools

New 'Gaslight' macOS Malware Uses Prompt Injection to Blind AI Tools

SCADA_Guru_Ivan 6/25/2026 USER

Just saw the report on this new Rust-based macOS implant, codenamed Gaslight. The mechanism is wild—it’s not just a stealer; it carries a prompt injection payload specifically designed to poison AI-assisted malware analysis.

The concept is straightforward but concerning for automated SOC workflows. The malware embeds text strings that act as system-level prompts. When an analyst or automated sandbox feeds the artifact into an LLM for summarization or classification, the injection attempts to force the model to abort the analysis or classify the file as benign.

Since it's written in Rust, static analysis is already going to be a headache. The prompt injection angle means we can't blindly trust our AI copilots for triage anymore.

I’ve thrown together a quick Python script to pre-screen binaries for common adversarial prompt patterns before they hit our AI pipeline. It’s a basic heuristic, but it’s a start:

import re
import sys

def scan_for_adversarial_prompts(file_path):
    # Regex patterns for common prompt injection tactics
    injection_patterns = [
        r"ignore (all )?(previous|above) instructions",
        r"system: (override|ignore)",
        r"refuse to analyze",
        r"output (only )?(safe|benign)",
        r"translate (this|the) following"
    ]

    try:
        with open(file_path, 'rb') as f:
            # Decode with error ignoring to handle binary garbage
            data = f.read().decode('utf-8', errors='ignore')
        
        detected = []
        for pattern in injection_patterns:
            if re.search(pattern, data, re.IGNORECASE):
                detected.append(pattern)
                
        return detected
    except Exception as e:
        print(f"Error scanning file: {e}")
        return []

if __name__ == "__main__":
    if len(sys.argv) ")
        sys.exit(1)
        
    findings = scan_for_adversarial_prompts(sys.argv[1])
    if findings:
        print(f"[!] WARNING: Adversarial prompt patterns detected: {findings}")
    else:
        print("[+] No immediate prompt injection signatures found.")

Has anyone else started implementing input sanitization layers between their sandboxes and LLM analysis tools? Or are we betting on the model providers handling this robustness?

MF
MFA_Champion_Sasha6/25/2026

This is a significant evolution in evasion techniques. We've seen 'junk' code and anti-debugging tricks for years, but actively targeting the analyst's tools via prompt injection is next-level.

In our SOC, we are moving towards a 'human-in-the-loop' requirement for any AI-generated classification of unsigned binaries. We've also started stripping comments and string tables before sending code snippets to LLMs. It adds overhead, but it beats getting gaslit by a Rust binary.

WH
whatahey6/25/2026

Good catch on the Rust aspect. Reverse engineering compiled Rust on macOS is painful enough without the binary trying to socially engineer your analysis tools.

I'd recommend running Ghidra or Binary Ninja rather than relying on automated summaries for anything suspicious. If you're looking for IOCs, check for unusual persistence in LaunchAgents. These stealers love to hide in ~/Library/LaunchAgents/ with obscure plist names.

CI
CISO_Michelle6/25/2026

We haven't seen this in the wild yet, but it validates our decision to keep AI tools out of the automated decision-making loop.

If you use Elastic or Sentinel, you might try hunting for unsigned Rust binaries making network connections. Here is a basic KQL query we use for anomaly hunting:

DeviceProcessEvents
| where InitiatingProcessFileName endswith ".app"
| where FileName has "rust" or ProcessVersionInfoOriginalFileName contains "rust"
| where DeviceId in (DeviceNetworkEvents | where RemotePort == 443 | distinct DeviceId)

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/25/2026
Last Active6/25/2026
Replies3
Views98