Security researchers have identified a dangerous new variant of the ZuRu macOS malware that targets developers and IT professionals through a fake Termius app. This version hides inside a trojanized copy of Termius, a widely used SSH client and server management tool.
What is ZuRu Malware?
ZuRu is a macOS malware family first documented in 2021. It has always spread by masquerading as useful software: its earliest campaign poisoned search results for popular, trusted apps such as iTerm2, sending users to look-alike websites that served malware-laden downloads.
In 2024, a similar strain was observed in pirated macOS apps, including:
- Microsoft Remote Desktop for Mac
- SecureCRT
- Navicat
These campaigns target users who rely on such tools for remote access and database management.
How the Fake Termius App is Used to Distribute ZuRu Malware
The new ZuRu sample is a trojanized Termius.app delivered in a .dmg disk image. Once launched, it silently drops a backdoor built on a lightly modified version of Khepri, an open-source post-exploitation toolkit.
Inside the trojanized app bundle on the disk image:
- .localized: a hidden loader that fetches the Khepri C2 beacon from download.termius[.]info
- Termius Helper1: the legitimate helper binary, renamed so the app keeps working normally while the modified helper that takes its place launches the loader
Critically, the attackers stripped the developer's original code signature and re-signed the modified app and helper with an ad hoc signature. An ad hoc signature keeps the tampered bundle internally consistent, so the modified binaries still launch and do not fail signature-integrity checks, but it carries no Developer ID identity and no notarization. Gatekeeper therefore still warns on first launch of the downloaded app, and the campaign relies on the victim clicking through that warning.
Technical Behavior and Capabilities
Remote Control Access
The embedded Khepri beacon gives the operator remote command execution, file upload and download, and system reconnaissance.
Persistence Setup
The loader checks whether the payload already exists at /tmp/.fseventsd, compares its MD5 hash with the version offered by the server, and downloads a fresh copy when the file is missing or the hashes differ, so the implant auto-updates whenever the operator publishes a newer payload.
Beacon Communication
The beacon uses ctl01.termius[.]fun as its command-and-control (C2) server to stay in contact with the attacker and receive tasking.
This shift, from injecting a malicious .dylib into the host app in older variants to trojanizing an embedded helper app, makes the tampering harder to spot and easier to adapt to new targets.
Who’s Being Targeted?
This variant aims at macOS developers, sysadmins, and IT professionals, the people most likely to download remote-access tools such as Termius or SecureCRT.
By infecting such apps, the attacker can:
- Gain access to sensitive SSH sessions
- Steal database credentials
- Infiltrate enterprise networks
Attribution: Who’s Behind It?
Although victims could be anywhere, the tooling and infrastructure are consistent with earlier ZuRu activity linked to Chinese threat actors. Distribution through sponsored search ads points to an opportunistic campaign rather than a tightly targeted one.
Protection Tips for macOS Users
Here’s how to stay safe from ZuRu and similar threats:
- Download apps only from the vendor's official site or the App Store, never from sponsored search ads or mirror sites
- Verify an app's code signature in Terminal before running it:
- codesign -dv --verbose=4 /Applications/AppName.app
- Expect Authority lines naming the developer and a real TeamIdentifier; Signature=adhoc or TeamIdentifier=not set on a commercial app is a red flag. spctl --assess --type execute /Applications/AppName.app shows Gatekeeper's verdict.
- Run a reputable endpoint protection product (e.g., SentinelOne, Jamf)
- Keep macOS and your apps up to date
- Monitor DNS queries and outbound connections for the campaign's domains, termius[.]info and termius[.]fun
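Added example, written for this page and not code from the original article, SentinelOne or Termius: a POSIX shell script that classifies a bundle's signature from the text codesign -dv --verbose=4 prints and, on a Mac, walks the nested helper bundles where this variant hid its changes and asks Gatekeeper for its verdict. It illustrates both the ad hoc re-signing described above and the verification tip in this list. The sample codesign outputs, the bundle identifier, the paths and the team ID ABCDE12345 are constructed placeholders; Termius's real values are not given on this page.

```shell
#!/bin/sh
# Added example (not from the page, SentinelOne or Termius): classify a macOS
# code signature from `codesign -dv --verbose=4` output and flag ad hoc signing.
# Bundle IDs, paths and the team ID below are constructed placeholders.

# Prints one of: unsigned | adhoc | developer-id | app-store | other
classify_codesign_output() {
    out=$1
    case "$out" in
        *"not signed at all"*) echo unsigned; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q '^Signature=adhoc$'; then
        echo adhoc
    elif printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application: '; then
        echo developer-id
    elif printf '%s\n' "$out" | grep -q '^Authority=Apple Mac OS Application Signing$'; then
        echo app-store
    else
        echo other
    fi
}

# Prints the TeamIdentifier value: a team ID, "not set" for ad hoc
# signatures, or "none" when the line is absent (unsigned code).
team_identifier() {
    t=$(printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    printf '%s\n' "${t:-none}"
}

# Live check on macOS: inspect the bundle and every nested .app/.xpc helper
# (where this ZuRu variant hid its changes), then ask Gatekeeper about the
# top-level bundle. Reports failure on hosts without codesign.
check_bundle() {
    app=$1
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this host" >&2
        return 2
    fi
    find "$app" -type d \( -name '*.app' -o -name '*.xpc' \) | while read -r b; do
        out=$(codesign -dv --verbose=4 "$b" 2>&1 || true)
        printf '%-13s team=%-10s %s\n' "$(classify_codesign_output "$out")" \
            "$(team_identifier "$out")" "$b"
    done
    spctl --assess --type execute --verbose "$app" 2>&1
}

# Constructed sample outputs modelled on codesign's format (not real captures).
SAMPLE_DEVID='Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

SAMPLE_ADHOC='Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set'

SAMPLE_UNSIGNED='/tmp/Example.app: code object is not signed at all'

for s in "$SAMPLE_DEVID" "$SAMPLE_ADHOC" "$SAMPLE_UNSIGNED"; do
    printf '%s (team=%s)\n' "$(classify_codesign_output "$s")" "$(team_identifier "$s")"
done

# Pass a bundle path to run the live check: sh check_signature.sh /Applications/Termius.app
if [ -n "${1:-}" ]; then
    check_bundle "$1"
fi
```

Only a Developer ID (or App Store) classification with a team ID that matches the vendor means the bundle was signed by the developer; an ad hoc result on a commercial download is exactly what this variant looks like, and a helper bundle whose classification differs from its parent app is worth treating as tampered even when the parent looks fine.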
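Added example, not from the original article or SentinelOne: a small hunt for the indicators this page names, covering the /tmp/.fseventsd staging file and its MD5 from the persistence section, the C2 domain from the beacon section, and the monitoring tip in this list. The DNS log format (timestamp, host, queried name) and the log lines are constructed; the hostnames and the file_md5 helper are assumptions. It matches only the two campaign zones, termius.info and termius.fun, and deliberately ignores the vendor's legitimate termius.com.

```shell
#!/bin/sh
# Added example (not from the page or SentinelOne): hunt for the ZuRu
# indicators this page names. Log format and hostnames are constructed.

# Registered domains of the campaign's infrastructure (written defanged on
# the page as termius[.]info and termius[.]fun). The vendor's real domain,
# termius.com, is deliberately not on this list.
ZURU_ZONES="termius.info termius.fun"

# Path where the loader stages the Khepri payload (from the page).
IOC_PATH=/tmp/.fseventsd

# Returns 0 if $1 is one of the zones or a subdomain of one. Case-insensitive,
# tolerates a trailing dot, and rejects look-alikes such as notermius.info or
# termius.info.example.net.
is_zuru_domain() {
    q=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    for z in $ZURU_ZONES; do
        if [ "$q" = "$z" ]; then return 0; fi
        case "$q" in *".$z") return 0 ;; esac
    done
    return 1
}

# Reads "timestamp host qname" lines on stdin and prints the matching ones.
hunt_dns_log() {
    while read -r ts host qname rest; do
        if [ -z "$qname" ]; then continue; fi
        if is_zuru_domain "$qname"; then
            printf '%s %s %s\n' "$ts" "$host" "$qname"
        fi
    done
}

# MD5 of a file, portable across macOS (md5) and Linux (md5sum). Assumed
# helper; the loader compares this hash with the server's copy.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Host-side check: report the staging file if present, with its hash so it
# can be compared against published sample hashes (this page lists none).
# Returns 0 when found, 1 when absent.
check_ioc_file() {
    if [ -e "$1" ]; then
        printf 'FOUND %s md5=%s\n' "$1" "$(file_md5 "$1")"
        return 0
    fi
    printf 'not present: %s\n' "$1"
    return 1
}

# Constructed sample DNS log, not a real capture. Three lines should match.
SAMPLE_DNS_LOG='2025-07-10T09:12:01Z mac-dev-01 download.termius.info
2025-07-10T09:12:05Z mac-dev-01 api.termius.com
2025-07-10T09:13:40Z mac-dev-01 ctl01.termius.fun
2025-07-10T09:14:02Z mac-dev-02 termius.com
2025-07-10T09:15:11Z mac-dev-02 TERMIUS.FUN.
2025-07-10T09:16:30Z mac-dev-03 notermius.info
2025-07-10T09:17:45Z mac-dev-03 termius.info.example.net'

count_sample_hits() {
    printf '%s\n' "$SAMPLE_DNS_LOG" | hunt_dns_log | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_DNS_LOG" | hunt_dns_log
check_ioc_file "$IOC_PATH" || true
```

To use it on real data, reshape resolver or proxy logs into the three-field format and pipe them into hunt_dns_log; a hit on either zone from a developer workstation, or the staging file turning up under /tmp, is reason to pull the host's Termius.app and check its signature.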
Final Thoughts
This ZuRu variant is a reminder that macOS is no longer a safe zone. Threat actors are evolving — and they are going after high-trust tools to compromise high-value targets.
If you're a developer or sysadmin, treat every download with skepticism: verify the source and the code signature, and invest in proper endpoint security, because even a familiar-looking app such as a fake Termius app may be the enemy.
Disclaimer
This news was originally taken from The Hacker News and rewritten to improve clarity and SEO. Full credit goes to The Hacker News and SentinelOne researchers.
Ahsan Ali is a technology blogger and the founder of Techzivo.com, a platform dedicated to delivering insightful and practical content for tech enthusiasts. He currently focuses on creating in-depth articles around cybersecurity, aiming to help readers stay safe and informed in the digital world. With a passion for emerging technologies, Ahsan plans to expand Techzivo's coverage into other technology micro-niches such as AI, cloud computing, and digital privacy, offering valuable insights for a broader tech-savvy audience.