Gaslight
Intelligence Profile
According to SentinelLabs, Gaslight is a DPRK-aligned macOS backdoor and infostealer written in Rust that communicates over the Telegram Bot API, using AES-GCM encryption layered on certificate-pinned TLS. The implant provides an interactive remote shell with generic capabilities for command execution, file exfiltration, process management, and configuration-driven persistence, and it can stage a Python-based stealer via a bundled installer that fetches a standalone CPython runtime at execution time. It collects browser data, system and process information, and keychain contents, packaging and uploading them through the same hardened command-and-control channel. A distinctive characteristic is its embedded multi-message prompt-injection payload designed to manipulate LLM-assisted analysis pipelines, along with runtime self-redaction of its bot token to prevent credential leakage in logs or crash artifacts.
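Two of the traits above translate directly into defender-side logic: Bot API C2 carries the bot token in every request URL (`/bot<token>/<method>`), so egress logs are both where the channel shows up and where the token would leak if a SOC stores them unredacted. The following Python is an added example, not code from SentinelLabs or from the Gaslight sample: it scans constructed proxy-style log lines for Telegram Bot API calls made by arbitrary macOS processes and redacts the token in the alert it emits. The log format, process paths, sample token and the token-shape regex (numeric bot id, colon, long alphanumeric secret) are assumptions for the demonstration.

```python
"""Flag Telegram Bot API traffic in egress logs and redact bot tokens in alerts.

Added example; the log format below is constructed and not a real product's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

BOT_API_HOST = "api.telegram.org"

# Assumption: a bot token is "<numeric id>:<secret>"; real secrets are roughly
# 35 characters, so require at least 20 to avoid matching short path segments.
TOKEN_RE = re.compile(r"/bot(\d+:[A-Za-z0-9_-]{20,})/([A-Za-z]+)")

# Constructed sample: "<timestamp> <process path> <HTTP method> <url>", one per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z /Applications/Safari.app/Contents/MacOS/Safari GET https://example.com/
2024-05-01T10:00:07Z /Users/dev/Library/Caches/.sys/update POST https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TVUfXvLdZaB/getUpdates?offset=1
2024-05-01T10:00:09Z /Users/dev/Library/Caches/.sys/update POST https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TVUfXvLdZaB/sendDocument
2024-05-01T10:00:12Z /usr/bin/curl GET https://api.telegram.org/
"""


@dataclass
class Alert:
    line_no: int
    process: str
    api_method: str      # Bot API method, e.g. getUpdates (tasking) or sendDocument (exfil)
    redacted_token: str  # never store the full token in the alert


def redact_token(token: str) -> str:
    """Keep the bot id and first 4 secret chars so analysts can correlate, mask the rest."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def redact_text(text: str) -> str:
    """Redact every bot token in free text (log lines, crash dumps) before storage."""
    return TOKEN_RE.sub(lambda m: f"/bot{redact_token(m.group(1))}/{m.group(2)}", text)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, process, http_method, url = parts
    return ts, process, http_method, url


def scan(log_text: str) -> List[Alert]:
    """Return one Alert per request that carries a bot token to the Bot API host."""
    alerts: List[Alert] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, process, _, url = parsed
        if BOT_API_HOST not in url:
            continue
        m = TOKEN_RE.search(url)
        if m is None:
            continue  # host contact without a token path is not by itself a bot call
        token, api_method = m.groups()
        alerts.append(Alert(n, process, api_method, redact_token(token)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.process} -> {a.api_method} token={a.redacted_token}")
```

On an endpoint fleet, any non-developer process polling `getUpdates` from a hidden path is worth triage on its own; the `sendDocument` call right after it is the exfiltration half of the same channel. Note that the detector sees only the URL and method: the message bodies are AES-GCM encrypted and the TLS session is pinned, so content inspection and interception proxies do not help here, and the redaction step exists so that the SOC's own logs do not become the credential leak that the implant itself takes care to avoid.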
Threat Analysis
Gaslight is a tool rather than a threat actor: it is macOS malware that SentinelLabs attributes to DPRK-aligned operators. The hardening of its command-and-control channel (certificate-pinned TLS with AES-GCM on top, runtime self-redaction of the bot token) and its anti-analysis prompt-injection payload point to a capable developer. The operators' specific motivation and campaign activity patterns are not characterized in the material summarized here.