# [HIGH] New macOS malware embeds fake errors to confuse AI analysis tools

**Source:** BleepingComputer
**Published:** 2026-06-25
**Article:** https://www.bleepingcomputer.com/news/security/new-macos-malware-embeds-fake-errors-to-confuse-ai-analysis-tools/

## Threat Profile

By Lawrence Abrams, June 25, 2026
A newly discovered macOS malware dubbed "Gaslight" is designed to confuse AI-assisted malware analysis tools by hiding prompt injection strings and fake debugging data within the executable.
Cybersecurity researchers are increasingly using AI-powered tools to assist with malware analysis and reverse engineering.
The malware contains strings that attempt to gaslight AI-assisted analysi…

## Indicators of Compromise (high-fidelity only)

- **SHA256:** `6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525`
- **SHA256:** `77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca`
- **SHA256:** `baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239`
- **SHA256:** `b3c56d689414343589f38394d19ba2fe9a518133281200faa0556ba4e4136394`

## MITRE ATT&CK Techniques

- **T1027** — Obfuscated Files or Information
- **T1204.002** — User Execution: Malicious File
- **T1059.006** — Command and Scripting Interpreter: Python
- **T1543.001** — Create or Modify System Process: Launch Agent
- **T1036.005** — Masquerading: Match Legitimate Name or Location
- **T1071.001** — Application Layer Protocol: Web Protocols
- **T1102.002** — Web Service: Bidirectional Communication
- **T1555.001** — Credentials from Password Stores: Keychain
- **T1555.003** — Credentials from Password Stores: Credentials from Web Browsers
- **T1560** — Archive Collected Data

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### macOS.Gaslight DPRK Rust backdoor — known-bad SHA256 execution/landing

`UC_6_1` · phase: **install** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_hash="6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525" OR Processes.process_hash="77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca" OR Processes.process_hash="baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239" OR Processes.process_hash="b3c56d689414343589f38394d19ba2fe9a518133281200faa0556ba4e4136394") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.process_hash | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let GaslightHashes = dynamic(["6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525","77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca","baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239","b3c56d689414343589f38394d19ba2fe9a518133281200faa0556ba4e4136394"]);
union
( DeviceProcessEvents | where Timestamp > ago(30d) | where SHA256 in (GaslightHashes) or InitiatingProcessSHA256 in (GaslightHashes) | project Timestamp, DeviceName, Source="ProcessExec", AccountName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256 ),
( DeviceFileEvents | where Timestamp > ago(30d) | where SHA256 in (GaslightHashes) | project Timestamp, DeviceName, Source="FileLanded", AccountName=InitiatingProcessAccountName, FileName, FolderPath, SHA256, ProcessCommandLine=InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256 )
| order by Timestamp desc
```

### macOS.Gaslight LaunchAgent persistence masquerading as com.apple.system.services.activity

`UC_6_2` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*/Library/LaunchAgents/*" Filesystem.file_name="com.apple.system.services.activity.plist" by Filesystem.dest Filesystem.user Filesystem.file_path Filesystem.file_name Filesystem.process_name | `drop_dm_object_name(Filesystem)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(30d)
| where FolderPath has "/Library/LaunchAgents/"
| where FileName =~ "com.apple.system.services.activity.plist"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessSHA256, SHA256
| order by Timestamp desc
```
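As an added example (not from the article or from the briefing's own queries), a host-side Python check that generalizes hunt UC_6_2: besides the specific label, it flags any `com.apple.*` plist found outside the directories Apple installs its own agents into, a `Label` key that disagrees with the file name, and a program launched from a user-writable path. The directory constants and the three sample plists are constructed assumptions for this example.

```python
import plistlib
import re
from pathlib import PurePosixPath

# Label taken from hunt UC_6_2 above; extend as further labels are reported.
KNOWN_BAD_LABELS = {"com.apple.system.services.activity"}
APPLE_STYLE = re.compile(r"^com\.apple\.", re.IGNORECASE)
# Apple ships its own agents/daemons only from these paths (assumed default macOS layout).
APPLE_OWNED_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
# Locations an unprivileged user can write to; Apple's own agents never launch from here.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")


def assess_launch_agent(path: str, plist_bytes: bytes) -> list[str]:
    """Return the reasons a plist at `path` looks like a masquerading LaunchAgent
    (empty list = nothing tripped)."""
    name = PurePosixPath(path).name
    stem = name[:-len(".plist")] if name.endswith(".plist") else name
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException or ExpatError: not a plist at all
        return ["file does not parse as a property list"]
    label = str(plist.get("Label", ""))
    findings = []
    if stem in KNOWN_BAD_LABELS or label in KNOWN_BAD_LABELS:
        findings.append("label matches known macOS.Gaslight LaunchAgent (UC_6_2)")
    if (APPLE_STYLE.match(stem) or APPLE_STYLE.match(label)) and not path.startswith(APPLE_OWNED_DIRS):
        findings.append("com.apple.* label outside an Apple-owned LaunchAgents directory")
    if label and label != stem:
        findings.append(f"Label {label!r} does not match file name {stem!r}")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    if isinstance(program, str) and program.startswith(USER_WRITABLE):
        findings.append(f"program {program!r} runs from a user-writable location")
    return findings


# Constructed sample plists (not real captures): masquerading, benign third-party, Apple-owned.
SAMPLES = {
    "/Users/victim/Library/LaunchAgents/com.apple.system.services.activity.plist": plistlib.dumps({
        "Label": "com.apple.system.services.activity", "RunAtLoad": True,
        "ProgramArguments": ["/Users/victim/Library/Application Support/.svc/activity"]}),
    "/Users/alice/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps(
        {"Label": "com.example.updater", "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}),
    "/System/Library/LaunchAgents/com.apple.Finder.plist": plistlib.dumps(
        {"Label": "com.apple.Finder", "Program": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"}),
}


def run_samples() -> dict[str, list[str]]:
    """Assess every constructed sample; on a real host, iterate the LaunchAgents directories instead."""
    return {path: assess_launch_agent(path, data) for path, data in SAMPLES.items()}
```

On a live system, feed it the contents of `~/Library/LaunchAgents` and `/Library/LaunchAgents` and treat any finding as a lead for the UC_6_2 file-event query, not as a verdict.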

### macOS.Gaslight Telegram Bot API C2 from non-browser native process

`UC_6_3` · phase: **c2** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution.DNS where DNS.query="api.telegram.org" by DNS.src DNS.dest DNS.query | `drop_dm_object_name(DNS)` | convert ctime(firstTime) ctime(lastTime) | sort - lastTime
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has "api.telegram.org"
| where InitiatingProcessAccountName !endswith "$"
| where InitiatingProcessFileName !in~ ("Telegram","Google Chrome","Google Chrome Helper","firefox","Safari","com.apple.WebKit.Networking","Brave Browser","Microsoft Edge","com.apple.Safari.SafeBrowsing.Service")
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Beacons=count(), Ports=make_set(RemotePort) by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA256, RemoteUrl
| order by FirstSeen desc
```

### macOS.Gaslight Python stealer — keychain copy and collected_data.zip staging

`UC_6_4` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name="collected_data.zip" OR Filesystem.file_name="login.keychain-db") Filesystem.process_name="python*" by Filesystem.dest Filesystem.user Filesystem.file_path Filesystem.file_name Filesystem.process_name | `drop_dm_object_name(Filesystem)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName in~ ("collected_data.zip","login.keychain-db")
| where ActionType in ("FileCreated","FileModified","FileRenamed")
| where tolower(InitiatingProcessFileName) startswith "python"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessSHA256
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High**
  - file hash IOC(s): `6328567511d88fdc2ae0939c5ef17b7a63d2a833881900de018a4f12f4982525`, `77b4fd46994992f0e57302cfe76ed23c0d90101381d2b89fc2ddf5c4536e77ca`, `baabf249c77bc54c54ab0e66e15af798bd28aa5b4683554456a8b73ab8741239`, `b3c56d689414343589f38394d19ba2fe9a518133281200faa0556ba4e4136394`

## Why this matters

Severity classified as **HIGH** based on: IOCs present, 5 use case(s) fired, 10 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
