macOS.Gaslight Rust Backdoor Uses Prompt Injection to Mislead LLM‑Assisted Triage
What Happened — SentinelOne Labs uncovered a macOS implant written in Rust that carries a 3.5 KB payload of fabricated “system” messages. The payload is designed to inject prompts into an LLM‑assisted triage pipeline, causing the analysis engine to abort or refuse the sample. Command‑and‑control traffic is tunneled through a Telegram Bot API polling loop, with AES‑GCM‑encrypted payloads and certificate‑pinned TLS.
Why It Matters for Compliance & Audit Readiness
- The implant demonstrates how a malicious binary can bypass traditional sandboxing by targeting the analyst’s tooling, highlighting gaps in SOC 2 Access Controls and monitoring of privileged analyst workstations.
- Continuous evidence collection (e.g., logging of LLM‑assistant interactions, C2 traffic, and token redaction) is essential to prove that access‑control policies are enforced and that anomalous behavior is detected in real time.
- The scenario aligns with the SOC 2 CC6.1 “Logical Access Controls” requirement: organizations must restrict and monitor access to systems that process security‑related data, and retain verifiable audit trails.
Who Is Affected — Technology‑SaaS providers, cloud‑infrastructure operators, endpoint‑security vendors, and any organization that relies on LLM‑driven security automation for incident response.
Recommended Actions
- Map the incident to SOC 2 CC6.1 – verify that logical‑access policies cover analyst workstations and that privileged‑access logs are immutable.
- Implement strict input validation for any LLM‑assisted tooling; treat LLM prompts as untrusted data.
- Enable continuous C2 monitoring (e.g., outbound TLS to Telegram endpoints) and retain encrypted traffic logs as audit evidence.
- Update security‑awareness training to include adversarial prompt‑injection techniques.
- Validate token handling – ensure secrets such as bot tokens are never exposed in runtime artifacts.
Source: SentinelOne Labs – macOS.Gaslight analysis
Technical Notes
- Attack vector: malicious Rust binary executed on macOS, leveraging a hidden Telegram Bot API C2 channel.
- C2 details: polling
getUpdatesloop; uses Telegram error codes (BotBlocked, InvalidToken, Conflict) for single‑instance lock. - Encryption: AES‑GCM payloads over TLS with certificate pinning.
- Payload: 3.5 KB of fabricated system‑failure messages aimed at LLM‑assisted triage agents.
- Attribution: high confidence link to a DPRK‑aligned macOS activity cluster (BONZAI family).