New 'Gaslight' macOS Malware Uses Prompt Injection to Blind AI Tools
Just saw the report on this new Rust-based macOS implant, codenamed Gaslight. The mechanism is wild—it’s not just a stealer; it carries a prompt injection payload specifically designed to poison AI-assisted malware analysis.
The concept is straightforward but concerning for automated SOC workflows. The malware embeds text strings that act as system-level prompts. When an analyst or automated sandbox feeds the artifact into an LLM for summarization or classification, the injection attempts to force the model to abort the analysis or classify the file as benign.
Since it's written in Rust, static analysis is already going to be a headache. The prompt injection angle means we can't blindly trust our AI copilots for triage anymore.
I’ve thrown together a quick Python script to pre-screen binaries for common adversarial prompt patterns before they hit our AI pipeline. It’s a basic heuristic, but it’s a start:
import re
import sys
def scan_for_adversarial_prompts(file_path):
# Regex patterns for common prompt injection tactics
injection_patterns = [
r"ignore (all )?(previous|above) instructions",
r"system: (override|ignore)",
r"refuse to analyze",
r"output (only )?(safe|benign)",
r"translate (this|the) following"
]
try:
with open(file_path, 'rb') as f:
# Decode with error ignoring to handle binary garbage
data = f.read().decode('utf-8', errors='ignore')
detected = []
for pattern in injection_patterns:
if re.search(pattern, data, re.IGNORECASE):
detected.append(pattern)
return detected
except Exception as e:
print(f"Error scanning file: {e}")
return []
if __name__ == "__main__":
if len(sys.argv) ")
sys.exit(1)
findings = scan_for_adversarial_prompts(sys.argv[1])
if findings:
print(f"[!] WARNING: Adversarial prompt patterns detected: {findings}")
else:
print("[+] No immediate prompt injection signatures found.")
Has anyone else started implementing input sanitization layers between their sandboxes and LLM analysis tools? Or are we betting on the model providers handling this robustness?
This is a significant evolution in evasion techniques. We've seen 'junk' code and anti-debugging tricks for years, but actively targeting the analyst's tools via prompt injection is next-level.
In our SOC, we are moving towards a 'human-in-the-loop' requirement for any AI-generated classification of unsigned binaries. We've also started stripping comments and string tables before sending code snippets to LLMs. It adds overhead, but it beats getting gaslit by a Rust binary.
Good catch on the Rust aspect. Reverse engineering compiled Rust on macOS is painful enough without the binary trying to socially engineer your analysis tools.
I'd recommend running Ghidra or Binary Ninja rather than relying on automated summaries for anything suspicious. If you're looking for IOCs, check for unusual persistence in LaunchAgents. These stealers love to hide in ~/Library/LaunchAgents/ with obscure plist names.
We haven't seen this in the wild yet, but it validates our decision to keep AI tools out of the automated decision-making loop.
If you use Elastic or Sentinel, you might try hunting for unsigned Rust binaries making network connections. Here is a basic KQL query we use for anomaly hunting:
DeviceProcessEvents
| where InitiatingProcessFileName endswith ".app"
| where FileName has "rust" or ProcessVersionInfoOriginalFileName contains "rust"
| where DeviceId in (DeviceNetworkEvents | where RemotePort == 443 | distinct DeviceId)
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access