A recently discovered macOS backdoor, developed using the Rust programming language, has been identified as a significant threat due to its sophisticated data exfiltration methods. This malware employs an interactive shell and utilizes Telegram’s file-upload feature to stealthily extract sensitive information from compromised systems.
The backdoor, referred to as macOS.Gaslight, was first detected in early June 2026. Its presence came to light when an Apple XProtect update flagged a suspicious file uploaded to VirusTotal on May 22. Despite this detection, the sample evaded most static scanning engines at the time, highlighting its advanced obfuscation techniques.
macOS.Gaslight is a persistent Rust binary equipped with a comprehensive suite of data theft capabilities. It targets browser credentials from Chrome, Brave, Firefox, and Safari, captures terminal histories, enumerates installed applications, and copies the macOS login keychain file. The collected data is then archived into a zip file and exfiltrated via Telegram’s file-upload feature, allowing the malware to blend its communication with legitimate traffic.
Security researchers have attributed this malware to North Korean threat actors with high confidence. Apple’s XProtect rule associates this sample with a malware family linked to DPRK operations, and a related sample is also detected by Apple’s AIRPIPE rule, which has been connected to North Korean campaigns.
Notably, macOS.Gaslight incorporates a payload of 38 fabricated system messages designed to manipulate AI-based malware analysis tools. This technique, known as prompt injection, targets the analyst’s tools rather than the sandbox environment, potentially causing AI triage pipelines to abort or skip analysis.
Once the malware validates its Telegram bot token, it grants the attacker a live interactive shell on the infected machine. This shell supports commands such as executing shell code, terminating processes by ID, uploading files, and stopping the implant entirely. Communication is conducted through the Telegram Bot API polling loop, which also serves as a built-in single-instance lock.
To secure its communication channels, the implant encrypts all traffic using AES-GCM and implements certificate pinning, making interception through standard network monitoring challenging. It also reads the host’s proxy settings and routes traffic accordingly, enabling operation on networks that enforce outbound connections through a proxy. This design enhances the malware’s resilience in tightly managed enterprise environments.
Additionally, the backdoor deploys a Python data collection module on demand, fetching a standalone Python 3.10.18 interpreter from an open-source project at runtime. This approach allows the malware to execute Python scripts without relying on the system’s Python installation, further evading detection.
The emergence of macOS.Gaslight underscores the evolving sophistication of malware targeting macOS systems. The use of Rust, known for its performance and safety features, combined with advanced evasion techniques like prompt injection and encrypted communication, signifies a notable advancement in threat actor capabilities. This development highlights the need for continuous vigilance and adaptation in cybersecurity practices to counter increasingly complex threats.
