All Posts
Anomali Cyber Watch
1
min read

Anomali Cyber Watch: Sample

Published on
December 24, 2025
Table of Contents
<style> h2[id] { padding-top: 100px; margin-top: -100px; } </style> <div style="padding:20px 24px 20px 24px;border:1px solid #4a5773;border-left:3px solid #0059b3;margin-bottom:30px;"> <h2 style="margin-bottom:12px; font-size:x-large;">At a Glance</h2> <div style="margin:12px 0;"> <div style="display:inline-block;vertical-align:top;border:1px solid #132531;width:100%;min-width:280px;margin:0 0.5% 12px 0;"> <div style="padding:10px 14px;background:#132531;color:#ffffff;"> <div style="font-size:11px;letter-spacing:0.08em;text-transform:uppercase;opacity:0.65;">Attack Patterns</div> <div style="font-size:28px;font-weight:500;line-height:1.1;margin-top:3px;">85</div> </div> <div style="padding:12px 14px;background:#FFFFFF;border-top:0.5px solid rgba(17,17,16,0.15);"> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> System Information Discovery</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B3;height:8px;width:100%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3;text-align:right;padding-left:5px;vertical-align:middle;"> 4</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Process Discovery</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B3CC;height:8px;width:75%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3;text-align:right;padding-left:5px;vertical-align:middle;"> 3</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Ingress Tool Transfer</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B3CC;height:8px;width:75%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3;text-align:right;padding-left:5px;vertical-align:middle;"> 3</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B399;height:8px;width:75%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3CC;text-align:right;padding-left:5px;vertical-align:middle;"> 3</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Web Service: Bidirectional Communication</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B399;height:8px;width:50%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3CC;text-align:right;padding-left:5px;vertical-align:middle;"> 2</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Exfiltration Over C2 Channel</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B399;height:8px;width:50%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3CC;text-align:right;padding-left:5px;vertical-align:middle;"> 2</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> User Execution: Malicious File</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B399;height:8px;width:50%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3CC;text-align:right;padding-left:5px;vertical-align:middle;"> 2</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Command and Scripting Interpreter: Powershell</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B399;height:8px;width:50%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3CC;text-align:right;padding-left:5px;vertical-align:middle;"> 2</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Command and Scripting Interpreter: Windows Command Shell</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B399;height:8px;width:50%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3CC;text-align:right;padding-left:5px;vertical-align:middle;"> 2</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Scheduled Task/Job: Scheduled Task</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#0059B399;height:8px;width:50%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#0059B3CC;text-align:right;padding-left:5px;vertical-align:middle;"> 2</td> </tr> </table> </div> </div> <div style="display:inline-block;vertical-align:top;border:1px solid #132531;width:100%;min-width:280px;margin:0 0.5% 12px 0;"> <div style="padding:10px 14px;background:#132531;color:#ffffff;"> <div style="font-size:11px;letter-spacing:0.08em;text-transform:uppercase;opacity:0.65;">Regions & Countries </div> <div style="font-size:28px;font-weight:500;line-height:1.1;margin-top:3px;">5</div> </div> <div style="padding:12px 14px;background:#FFFFFF;border-top:0.5px solid rgba(17,17,16,0.15);"> <svg width="200" height="200" style="display:block;margin:0 auto 12px;"> <path d="M 100.0,100.0 L 100.00010614359174,20.000000000070415 A 80,80 0 0,1 147.02287170656467,164.7213221161926 Z" fill="#1E6FC8" stroke="#fff" stroke-width="2" /> <path d="M 100.0,100.0 L 147.02287170656467,164.7213221161926 A 80,80 0 0,1 52.97730003744067,164.72144689537714 Z" fill="#3B8FD4" stroke="#fff" stroke-width="2" /> <path d="M 100.0,100.0 L 52.97730003744067,164.72144689537714 A 80,80 0 0,1 23.915406536329726,75.2788625369296 Z" fill="#A3CBE8" stroke="#fff" stroke-width="2" /> <path d="M 100.0,100.0 L 23.915406536329726,75.2788625369296 A 80,80 0 0,1 99.99968156922476,20.000000000633747 Z" fill="#0059B3" stroke="#fff" stroke-width="2" /> </svg> <div style="margin-bottom:6px;font-size:12px;"> <span style="display:inline-block;width:12px;height:12px;background:#1E6FC8;margin-right:6px;border-radius:2px;"></span> <span style="color:#71706C;">Source-Region: Asia</span> <span style="float:right;font-weight:700;color:#1E6FC8;">40.0%</span> </div> <div style="margin-bottom:6px;font-size:12px;"> <span style="display:inline-block;width:12px;height:12px;background:#3B8FD4;margin-right:6px;border-radius:2px;"></span> <span style="color:#71706C;">Asia</span> <span style="float:right;font-weight:700;color:#3B8FD4;">20.0%</span> </div> <div style="margin-bottom:6px;font-size:12px;"> <span style="display:inline-block;width:12px;height:12px;background:#A3CBE8;margin-right:6px;border-radius:2px;"></span> <span style="color:#71706C;">Europe</span> <span style="float:right;font-weight:700;color:#A3CBE8;">20.0%</span> </div> <div style="margin-bottom:6px;font-size:12px;"> <span style="display:inline-block;width:12px;height:12px;background:#0059B3;margin-right:6px;border-radius:2px;"></span> <span style="color:#71706C;">Source-Region: Europe</span> <span style="float:right;font-weight:700;color:#0059B3;">20.0%</span> </div> </div> </div> <div style="display:inline-block;vertical-align:top;border:1px solid #132531;width:100%;min-width:280px;margin:0 0.5% 12px 0;"> <div style="padding:10px 14px;background:#132531;color:#ffffff;"> <div style="font-size:11px;letter-spacing:0.08em;text-transform:uppercase;opacity:0.65;">Industries</div> <div style="font-size:28px;font-weight:500;line-height:1.1;margin-top:3px;">5</div> </div> <div style="padding:12px 14px;background:#FFFFFF;border-top:0.5px solid rgba(17,17,16,0.15);"> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Government / Government National</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#3B8FD4;height:8px;width:100%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#3B8FD4;text-align:right;padding-left:5px;vertical-align:middle;"> 1</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Technology</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#3B8FD4CC;height:8px;width:100%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#3B8FD4;text-align:right;padding-left:5px;vertical-align:middle;"> 1</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Government</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#3B8FD4CC;height:8px;width:100%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#3B8FD4;text-align:right;padding-left:5px;vertical-align:middle;"> 1</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Defense</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#3B8FD499;height:8px;width:100%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#3B8FD4CC;text-align:right;padding-left:5px;vertical-align:middle;"> 1</td> </tr> </table> <table cellpadding="0" cellspacing="0" style="width:100%;margin-bottom:5px;"> <tr> <td style="width:55%;font-size:12px;color:#71706C;font-weight:500;padding-right:8px;vertical-align:middle;"> Automotive</td> <td style="vertical-align:middle;"> <div style="background:#F5F5F4;height:8px;width:100%;border-radius:2px;"> <div style="background:#3B8FD499;height:8px;width:100%;min-width:2px;border-radius:2px;"></div> </div> </td> <td style="width:28px;font-size:13px;font-weight:700;color:#3B8FD4CC;text-align:right;padding-left:5px;vertical-align:middle;"> 1</td> </tr> </table> </div> </div> </div> <div style="font-size:11px;color:#6B7280;margin-top:8px;font-style:italic;">* Frequency counts reflect mentions across collected reports</div> </div> <details style="border:1px solid #4a5773;border-left:3px solid #0059b3;margin-bottom:30px;"> <summary style="list-style:none;cursor:pointer;padding:30px 16px 12px 16px;display:block;"> <div style="font-size:11px;opacity:0.6;margin-bottom:5px;letter-spacing:0.04em;"> Story #1 &nbsp;|&nbsp; June 23, 2026 </div> <div style="display:flex;justify-content:space-between;align-items:center;"> <div style="flex:1;"> <div style="font-size:15px;font-weight:600;line-height:1.4;"> <h2 style="font-size: x-large;">macOS.Gaslight: DPRK-Linked Rust Implant Embeds Prompt Injection to Disrupt AI-Assisted Triage</h2> </div> </div> <span style="font-size:11px;opacity:0.5;margin-left:15px;">&#9654; expand</span> </div> </summary> <div style="padding:0;"> <div style="padding:16px 24px;background:#ffffff;border-top:1px solid rgba(17,17,16,0.15);"> <div style="font-size:14px;font-weight:600;line-height:1.75;color:#374151;">Researchers analyzed macOS.Gaslight, a Rust-based macOS backdoor and infostealer assessed with high confidence to be linked to North Korea-aligned threat activity. The sample, first uploaded to VirusTotal on May 22, 2026 and subsequently detected by an Apple XProtect update, is ad hoc signed. For command and control (C2), the implant polls the Telegram Bot API rather than a dedicated attacker-controlled server, routing operator communications through a legitimate platform to reduce the likelihood of network-level detection. Traffic is further protected by AES-GCM payload encryption and certificate pinning, which blocks standard proxy interception. The operator configuration, including the bot token and encryption key, is supplied at runtime rather than stored in the binary, and the implant actively redacts its bot token from runtime output to prevent recovery from logs or crash artifacts. Once active, the operator gains an interactive shell supporting process control, arbitrary command execution, and file exfiltration via Telegram, with evidence of a possible seventh command whose function could not be determined. Persistence is established through a LaunchAgent masquerading under Apple's namespace, and a power-management assertion prevents the host from sleeping during C2 polling. A gated Python stealer, deployed with its own runtime interpreter fetched at execution, harvests browser credentials, Terminal histories, application listings, a process snapshot, a system profile, and the macOS Keychain database. Most notably, the implant embeds 38 fabricated system-failure messages designed to mimic an LLM triage harness, with the aim of causing AI-assisted analysis pipelines to abort or refuse examination of the sample entirely.</div> </div> <div style="padding:10px 14px;background:#f5f5f4;border-top:0.5px solid rgba(17,17,16,0.15);"> <div style="font-size:11px;color:#6B7280;letter-spacing:0.06em;text-transform:uppercase;margin-bottom:6px;">Source </div> <div style="margin-top:8px;"><a href="https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html" target="_blank" rel="noopener noreferrer" style="color:#1e6fc8;font-size:13px;font-weight:700;text-decoration:none;">&#128279; Read full article &rarr;</a></div> </div> <div style="padding:14px 24px;background:#e0edf8;border-top:1px solid rgba(17,17,16,0.15);border-left:3px solid #1e6fc8;"> <div style="font-size:10px;color:#0059b3;letter-spacing:0.08em;text-transform:uppercase;margin-bottom:6px;font-weight:600;"> Analyst Comment</div> <div style="font-size:14px;font-weight:600;line-height:1.7;color:#374151;">macOS.Gaslight presents an immediate credential theft risk to any organisation running macOS endpoints. The stealer component targets browser credentials, Terminal histories, and the macOS Keychain database, with all collected data exfiltrated via Telegram. The Keychain database is particularly significant, as it stores saved passwords, certificates, and application tokens, meaning a successful compromise can expose credentials well beyond what the infected machine alone holds. Defenders should be aware of two distinct detection limitations at time of reporting: XProtect's current rule is hash-based and would not catch variants with modified hashes, and static engine coverage on VirusTotal was poor, suggesting limited third-party antivirus coverage independent of XProtect. Organisations should audit whether Telegram and other consumer messaging platforms are accessible from managed endpoints, since the implant routes all C2 and exfiltration through the Telegram Bot API, a channel that certificate pinning makes difficult to inspect in transit. Security teams should also consider whether outbound access to api.telegram.org is necessary from managed macOS devices and restrict it where it is not. Finally, security teams building or evaluating LLM-assisted analysis tooling should note that this sample deliberately attempts to manipulate AI triage pipelines through embedded fabricated system messages, a technique that is likely to mature as AI-assisted analysis becomes more common in security operations.</div> </div> <div style="padding:10px 24px;background:#f5f5f4;border-top:1px solid rgba(17,17,16,0.15);"> <details style="border:1px solid #4a5773;margin-bottom:8px;"> <summary style="padding:10px 14px;cursor:pointer;list-style:none;user-select:none;background:#e0edf8;color:#0059b3;font-size:11px;font-weight:600;letter-spacing:0.06em;text-transform:uppercase;"> MITRE ATT&CK Techniques <span style="float:right;opacity:0.5;">&#9660;</span> </summary> <div style="padding:12px 14px;background:#ffffff;border-top:1px solid rgba(17,17,16,0.15);display:flex;flex-wrap:wrap;gap:6px;"> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9695">T1543.001 - Create or Modify System Process: Launch Agent</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/10101">T1036.004 - Masquerading: Masquerade Task Or Service</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/18584">T1027.007 - Obfuscated Files or Information: Dynamic Api Resolution</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/18593">T1027.009 - Obfuscated Files or Information: Embedded Payloads</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9600">T1555.001 - Credentials from Password Stores: Keychain</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/10025">T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9594">T1552.003 - Unsecured Credentials: Bash History</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9710">T1057 - Process Discovery</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9985">T1518 - Software Discovery</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9723">T1102.002 - Web Service: Bidirectional Communication</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9717">T1573.001 - Encrypted Channel: Symmetric Cryptography</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a></span> </div> </details> <details style="border:1px solid #4a5773;margin-bottom:8px;"> <summary style="padding:10px 14px;cursor:pointer;list-style:none;user-select:none;background:#e0edf8;color:#0059b3;font-size:11px;font-weight:600;letter-spacing:0.06em;text-transform:uppercase;"> Source Country <span style="float:right;opacity:0.5;">&#9660;</span> </summary> <div style="padding:12px 14px;background:#ffffff;border-top:1px solid rgba(17,17,16,0.15);display:flex;flex-wrap:wrap;gap:6px;"> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;">Korea, democratic people's republic of</span> </div> </details> <details style="border:1px solid #4a5773;margin-bottom:8px;"> <summary style="padding:10px 14px;cursor:pointer;list-style:none;user-select:none;background:#e0edf8;color:#0059b3;font-size:11px;font-weight:600;letter-spacing:0.06em;text-transform:uppercase;"> Source Region <span style="float:right;opacity:0.5;">&#9660;</span> </summary> <div style="padding:12px 14px;background:#ffffff;border-top:1px solid rgba(17,17,16,0.15);display:flex;flex-wrap:wrap;gap:6px;"> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;">Asia</span> </div> </details> </div> </div> </details> <details style="border:1px solid #4a5773;border-left:3px solid #0059b3;margin-bottom:30px;"> <summary style="list-style:none;cursor:pointer;padding:30px 16px 12px 16px;display:block;"> <div style="font-size:11px;opacity:0.6;margin-bottom:5px;letter-spacing:0.04em;"> Story #1 &nbsp;|&nbsp; June 23, 2026 </div> <div style="display:flex;justify-content:space-between;align-items:center;"> <div style="flex:1;"> <div style="font-size:15px;font-weight:600;line-height:1.4;"> <h2 style="font-size: x-large;">2 macOS.Gaslight: DPRK-Linked Rust Implant Embeds Prompt Injection to Disrupt AI-Assisted Triage</h2> </div> </div> <span style="font-size:11px;opacity:0.5;margin-left:15px;">&#9654; expand</span> </div> </summary> <div style="padding:0;"> <div style="padding:16px 24px;background:#ffffff;border-top:1px solid rgba(17,17,16,0.15);"> <div style="font-size:14px;font-weight:600;line-height:1.75;color:#374151;">Researchers analyzed macOS.Gaslight, a Rust-based macOS backdoor and infostealer assessed with high confidence to be linked to North Korea-aligned threat activity. The sample, first uploaded to VirusTotal on May 22, 2026 and subsequently detected by an Apple XProtect update, is ad hoc signed. For command and control (C2), the implant polls the Telegram Bot API rather than a dedicated attacker-controlled server, routing operator communications through a legitimate platform to reduce the likelihood of network-level detection. Traffic is further protected by AES-GCM payload encryption and certificate pinning, which blocks standard proxy interception. The operator configuration, including the bot token and encryption key, is supplied at runtime rather than stored in the binary, and the implant actively redacts its bot token from runtime output to prevent recovery from logs or crash artifacts. Once active, the operator gains an interactive shell supporting process control, arbitrary command execution, and file exfiltration via Telegram, with evidence of a possible seventh command whose function could not be determined. Persistence is established through a LaunchAgent masquerading under Apple's namespace, and a power-management assertion prevents the host from sleeping during C2 polling. A gated Python stealer, deployed with its own runtime interpreter fetched at execution, harvests browser credentials, Terminal histories, application listings, a process snapshot, a system profile, and the macOS Keychain database. Most notably, the implant embeds 38 fabricated system-failure messages designed to mimic an LLM triage harness, with the aim of causing AI-assisted analysis pipelines to abort or refuse examination of the sample entirely.</div> </div> <div style="padding:10px 14px;background:#f5f5f4;border-top:0.5px solid rgba(17,17,16,0.15);"> <div style="font-size:11px;color:#6B7280;letter-spacing:0.06em;text-transform:uppercase;margin-bottom:6px;">Source </div> <div style="margin-top:8px;"><a href="https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html" target="_blank" rel="noopener noreferrer" style="color:#1e6fc8;font-size:13px;font-weight:700;text-decoration:none;">&#128279; Read full article &rarr;</a></div> </div> <div style="padding:14px 24px;background:#e0edf8;border-top:1px solid rgba(17,17,16,0.15);border-left:3px solid #1e6fc8;"> <div style="font-size:10px;color:#0059b3;letter-spacing:0.08em;text-transform:uppercase;margin-bottom:6px;font-weight:600;"> Analyst Comment</div> <div style="font-size:14px;font-weight:600;line-height:1.7;color:#374151;">macOS.Gaslight presents an immediate credential theft risk to any organisation running macOS endpoints. The stealer component targets browser credentials, Terminal histories, and the macOS Keychain database, with all collected data exfiltrated via Telegram. The Keychain database is particularly significant, as it stores saved passwords, certificates, and application tokens, meaning a successful compromise can expose credentials well beyond what the infected machine alone holds. Defenders should be aware of two distinct detection limitations at time of reporting: XProtect's current rule is hash-based and would not catch variants with modified hashes, and static engine coverage on VirusTotal was poor, suggesting limited third-party antivirus coverage independent of XProtect. Organisations should audit whether Telegram and other consumer messaging platforms are accessible from managed endpoints, since the implant routes all C2 and exfiltration through the Telegram Bot API, a channel that certificate pinning makes difficult to inspect in transit. Security teams should also consider whether outbound access to api.telegram.org is necessary from managed macOS devices and restrict it where it is not. Finally, security teams building or evaluating LLM-assisted analysis tooling should note that this sample deliberately attempts to manipulate AI triage pipelines through embedded fabricated system messages, a technique that is likely to mature as AI-assisted analysis becomes more common in security operations.</div> </div> <div style="padding:10px 24px;background:#f5f5f4;border-top:1px solid rgba(17,17,16,0.15);"> <details style="border:1px solid #4a5773;margin-bottom:8px;"> <summary style="padding:10px 14px;cursor:pointer;list-style:none;user-select:none;background:#e0edf8;color:#0059b3;font-size:11px;font-weight:600;letter-spacing:0.06em;text-transform:uppercase;"> MITRE ATT&CK Techniques <span style="float:right;opacity:0.5;">&#9660;</span> </summary> <div style="padding:12px 14px;background:#ffffff;border-top:1px solid rgba(17,17,16,0.15);display:flex;flex-wrap:wrap;gap:6px;"> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9695">T1543.001 - Create or Modify System Process: Launch Agent</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/10101">T1036.004 - Masquerading: Masquerade Task Or Service</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/18584">T1027.007 - Obfuscated Files or Information: Dynamic Api Resolution</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/18593">T1027.009 - Obfuscated Files or Information: Embedded Payloads</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9600">T1555.001 - Credentials from Password Stores: Keychain</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/10025">T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9594">T1552.003 - Unsecured Credentials: Bash History</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9710">T1057 - Process Discovery</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9985">T1518 - Software Discovery</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9723">T1102.002 - Web Service: Bidirectional Communication</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9717">T1573.001 - Encrypted Channel: Symmetric Cryptography</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a></span> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;"><a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a></span> </div> </details> <details style="border:1px solid #4a5773;margin-bottom:8px;"> <summary style="padding:10px 14px;cursor:pointer;list-style:none;user-select:none;background:#e0edf8;color:#0059b3;font-size:11px;font-weight:600;letter-spacing:0.06em;text-transform:uppercase;"> Source Country <span style="float:right;opacity:0.5;">&#9660;</span> </summary> <div style="padding:12px 14px;background:#ffffff;border-top:1px solid rgba(17,17,16,0.15);display:flex;flex-wrap:wrap;gap:6px;"> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;">Korea, democratic people's republic of</span> </div> </details> <details style="border:1px solid #4a5773;margin-bottom:8px;"> <summary style="padding:10px 14px;cursor:pointer;list-style:none;user-select:none;background:#e0edf8;color:#0059b3;font-size:11px;font-weight:600;letter-spacing:0.06em;text-transform:uppercase;"> Source Region <span style="float:right;opacity:0.5;">&#9660;</span> </summary> <div style="padding:12px 14px;background:#ffffff;border-top:1px solid rgba(17,17,16,0.15);display:flex;flex-wrap:wrap;gap:6px;"> <span style="display:inline-block;border:1px solid #0059b3;background:#0059b3;color:#ffffff;font-size:13px;font-weight:700;padding:4px 10px;">Asia</span> </div> </details> </div> </div> </details>

FEATURED RESOURCES

December 24, 2025
Anomali Cyber Watch

Anomali Cyber Watch: Sample

LockBit 5.0 Ransomware Targets Windows, Linux, and VMware ESXi in Active Campaigns. Google Patches Actively Exploited Chrome Zero-Day CVE-2026-2441. Infostealer Targets OpenClaw Configuration Files to Capture Credentials and User Context. And more...
Read More
July 14, 2026
Anomali Cyber Watch

The Silence Before the Storm: Iranian Cyber Retaliation Is Imminent — What CISOs Must Do Now

Read More
July 14, 2026
Anomali Cyber Watch
Public Sector

Russian State Hackers Formally Attributed to Power Grid Attack as Legacy Cisco Vulnerabilities Face Active Exploitation: What State Government IT Leaders Must Do This Week

Read More
Explore All