macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox

2026-06-23 SentinelOne

https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/

SentinelLABS analyzed macOS.Gaslight, a Rust-based macOS implant and infostealer assessed with high confidence as part of DPRK-aligned macOS activity. The malware uses Telegram Bot API polling for C2, AES-GCM encryption over certificate-pinned TLS, and runtime bot-token self-redaction to protect operator credentials from logs or crash artifacts. It provides an interactive shell, LaunchAgent persistence, file upload/exfiltration, and a configurable Python stealer that collects browser data, shell histories, process and system profiles, and `login.keychain-db`. Its distinctive feature is a 38-message prompt-injection cascade embedded in the binary to confuse LLM-assisted malware triage workflows into aborting or refusing analysis.

Indicators of Compromise

Type  Value                              First Seen  Last Seen
HASH  5555494492fc075f441637fb9d89491…   2026-06-23  2026-06-23
HASH  b3c56d689414343589f38394d19ba2f…   2026-06-23  2026-06-23
HASH  baabf249c77bc54c54ab0e66e15af79…   2026-06-23  2026-06-23
HASH  d95dede4387ff516f4c23351c450427d   2026-06-23  2026-06-23
HASH  c586e6be49105a23af8f306b560e35e6   2026-06-23  2026-06-23
