Security/ security · macos · malware · ai

macOS Malware Hides Fake AI Prompts to Stop Security Scans

A newly documented macOS backdoor called Gaslight embeds fake system messages to trick LLM-assisted triage tools into abandoning analysis.

Malware authors have started writing prompt injection attacks aimed at the AI tools defenders use to investigate threats.

SentinelOne published research this week on a macOS strain it named Gaslight. On the surface, it is a routine backdoor: it spreads via phishing, phones home over Telegram, and delivers a second-stage infostealer capable of lifting passwords, cryptocurrency wallet data, and sensitive files. What separates it is a large block of fake Markdown-formatted "system" messages embedded directly in the binary. These messages claim things like the analysis environment is out of memory, the AI's authentication token has expired, or that static analysis is unsafe. A human analyst would spot the ruse immediately. An LLM-assisted triage pipeline that treats sample content as trusted input might not.

The wider implication is that the attack surface for AI-assisted security tooling just expanded in a direction most teams have not defended. Prompt injection is already a documented problem in web apps and email clients, but injecting adversarial instructions into a malware binary itself is a meaningful escalation - it targets the analyst's workflow rather than the end user's machine. As SentinelOne notes, defenders should expect more samples built this way as LLM-assisted reverse engineering becomes routine.

The fix is architectural, not cosmetic: AI triage pipelines need to treat every byte of a malware sample as untrusted input, fully isolated from anything that could be interpreted as a system instruction. That is standard practice for web input sanitization and it should have been standard here from the start.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →