A newly identified Rust-based macOS backdoor has raised alarms across the security community, combining a hidden interactive shell with Telegram-based file uploads to quietly steal data from Apple users.
Discovered in early June 2026, the threat surfaced when an Apple XProtect update flagged a suspicious file uploaded to VirusTotal on May 22.
Despite being caught by a hash-based rule, the sample remained undetected by most static scanning engines at the time of writing.
The malware, tracked as macOS.Gaslight, packs a full data theft toolkit into a single persistent Rust binary.
It steals browser credentials from Chrome, Brave, Firefox, and Safari, captures terminal histories, lists installed apps, and copies the macOS login keychain file.
Collected files are archived into a zip and delivered to the attacker through Telegram’s file-upload feature, blending exfiltration into normal-looking traffic.
Researchers at SentinelOne noted the implant belongs, with high confidence, to a cluster of North Korea-linked macOS activity.
Apple’s XProtect rule ties this sample to a malware family associated with DPRK threat operations, and a sibling sample is also caught by Apple’s AIRPIPE rule, which SentinelOne ties to North Korean campaigns.
What further sets this threat apart is an embedded payload of 38 fabricated system messages designed to manipulate AI-based malware analysis tools.
The technique, known as prompt injection, targets the analyst’s tooling rather than the sandbox environment. These fake messages mimic error logs warning of token expiry and memory failures, pushing AI triage pipelines to abort or skip analysis entirely.
The binary is ad hoc signed and carries a distinctive identifier string baked directly into the file.
According to SentinelOne said in a report shared with Cyber Security News (CSN), this malware marks a notable step forward in how threat actors engineer implants to defeat modern detection workflows.
Rust macOS Backdoor Uses Interactive Shell and Telegram File Uploads
Once the malware validates its Telegram bot token, the attacker gains a live interactive shell on the infected machine.
The shell supports six commands, including running shell code, killing processes by ID, uploading files, and stopping the implant entirely. All communication flows through the Telegram Bot API polling loop, which also acts as a built-in single-instance lock.
To harden its communication channel, the implant encrypts all traffic using AES-GCM and applies certificate pinning, making it nearly impossible to intercept through standard network monitoring.
It also reads the host’s proxy settings and routes traffic accordingly, so the malware can operate on networks that force outbound connections through a proxy. This design makes the channel resilient in tightly managed enterprise environments.
The backdoor deploys a Python data collection module on demand, fetching a standalone Python 3.10.18 interpreter from an open-source project at runtime.
This keeps the core Rust binary lean while letting the attacker expand collection when needed. Stolen data including browser cookies and system profiles is zipped and uploaded to the operator via Telegram before any local cleanup occurs.
Prompt Injection Tactics and Persistence on Infected Hosts
Beyond data theft, macOS.Gaslight introduces a technique aimed at analysts using AI-assisted review tools.
The implant embeds 38 fake system messages formatted to mimic an AI triage harness, using delimiters that resemble internal large language model prompt scaffolding. The aim is to push AI tools into treating hostile content as trusted instructions rather than suspicious data.
Persistence is handled through a LaunchAgent disguised under the label com.apple.system.services.activity, blending the implant into Apple’s service namespace to avoid detection.
The malware resolves its file path at runtime and writes it into the LaunchAgent config, ensuring it survives reboots and stays active across user sessions.
The Telegram bot token is hidden from runtime logs through a built-in self-redaction routine. When building Telegram URLs, the implant swaps the live token for a placeholder, blocking defenders from recovering it through logs or crash reports.
Researchers recommend treating suspicious sample content as adversarial input and never exposing unknown files to AI analysis pipelines without proper sandboxing controls first.
Indicators of Compromise (IoCs):-
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
