For the first time in cybersecurity history, malware has been discovered that directly targets AI-powered analysis tools instead of evading them. Gaslight is an advanced backdoor for macOS that uses 38 fabricated system messages to deceive Large Language Models into halting security analysis. Attributed to North Korea-linked threat actors, this malware demonstrates that prompt injection is no longer a theoretical threat but an operational weapon in the arsenal of advanced attackers.
When the Thief Tricks the Locksmith Imagine a professional thief who, instead of evading security cameras, walks directly up to the security guard and convinces them that no crime has occurred at all.
This is precisely what the newly discovered Gaslight malware does, but in the digital realm, targeting the artificial intelligence tools designed to protect us. On June 24, 2026, cybersecurity researchers
at SentinelOne disclosed the discovery of an unprecedented macOS malware specimen that abandons traditional sandbox evasion tactics in favor of a far more insidious approach: manipulating the LLM-powered
analysis tools that security professionals increasingly rely upon to triage threats at scale. [IMAGE_PLACEHOLDER_1] What distinguishes Gaslight from the thousands of malware variants discovered each year
is its sophisticated exploitation of prompt injection, the vulnerability that OWASP has ranked as the number one risk for LLM applications in both 2025 and 2026. However, unlike typical prompt injection
attacks aimed at consumer-facing chatbots or customer service systems, Gaslight targets a far more critical audience: human security analysts who use LLM-assisted tools to analyze malware samples and triage
security incidents. Anatomy of a Meta-Attack Gaslight is a fully-featured Rust-based implant that combines traditional backdoor and information-stealing capabilities with a novel 3.5-kilobyte payload containing
38 carefully crafted fabricated system messages. These messages are designed to manipulate LLM-assisted triage pipelines into aborting analysis, truncating results, or misinterpreting the security session
Read Full Article