New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App

News Room
Last updated: 2025/07/10 at 8:14 AM
News Room Published 10 July 2025

Jul 10, 2025Ravie LakshmananEndpoint Security / Vulnerability

Cybersecurity researchers have discovered new artifacts associated with an Apple macOS malware called ZuRu, which is known to propagate via trojanized versions of legitimate software.

SentinelOne, in a new report shared with The Hacker News, said the malware has been observed masquerading as the cross‑platform SSH client and server‑management tool Termius in late May 2025.

“ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets,” researchers Phil Stokes and Dinesh Devadoss said.

ZuRu was first documented in September 2021 by a user on Chinese question-and-answer website Zhihu as part of a malicious campaign that hijacked searches for iTerm2, a legitimate macOS Terminal app, to direct users to fake sites that tricked unsuspecting users into downloading the malware.

Then in January 2024, Jamf Threat Labs said it discovered a piece of malware distributed via pirated macOS apps that shared similarities with ZuRu. Some of the other popular software that has been trojanized to deliver the malware include Microsoft’s Remote Desktop for Mac, along with SecureCRT and Navicat.

The fact that ZuRu primarily relies on sponsored web searches for distribution indicates the threat actors behind the malware are more opportunistic than targeted in their attacks, while also ensuring that only those looking for remote connections and database management are compromised.

Like the samples detailed by Jamf, the newly discovered ZuRu artifacts employ a modified version of the open-source post-exploitation toolkit known as Khepri to enable attackers to gain remote control of infected hosts.

“The malware is delivered via a .dmg disk image and contains a hacked version of the genuine Termius.app,” the researchers said. “Since the application bundle inside the disk image has been modified, the attackers have replaced the developer’s code signature with their own ad hoc signature in order to pass macOS code signing rules.”

The altered app packs two extra executables into Termius Helper.app: a loader named “.localized,” which downloads and launches a Khepri command-and-control (C2) beacon from an external server (“download.termius[.]info”), and “.Termius Helper1,” a renamed copy of the genuine Termius Helper binary that is run so the application still behaves normally.
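One way to triage a downloaded bundle for exactly this pattern, as an added example rather than SentinelOne's tooling: walk the bundle and flag hidden (dot-prefixed) regular files that begin with a Mach-O or universal-binary magic, and reduce the output of `codesign -dvvv` to whether the signature is ad hoc (no Team ID), which is what replacing the vendor's signature leaves behind. The bundle layout, file contents and codesign text are constructed for the demo; the location of Termius Helper.app inside Termius.app and the bundle identifier are assumptions, not taken from the report.

```python
"""Triage an app bundle for the helper-app trojanization pattern above.

Added example, not SentinelOne's code. Two checks a responder can run against a
copied bundle: (1) walk it and flag hidden (dot-prefixed) regular files whose
first bytes are a Mach-O or universal-binary magic, which is how extra loaders
hidden inside a helper app surface; (2) reduce `codesign -dvvv` output to
whether the signature is ad hoc (no Team ID), the tell-tale of a re-signed bundle.
The bundle layout, file contents and codesign text below are constructed for the
demo; the helper app's location inside Termius.app is assumed, not taken from the report.
"""
import os
import re
import tempfile

MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",   # 64-bit, little / big endian
    b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xce",   # 32-bit, little / big endian
    b"\xca\xfe\xba\xbe",                         # FAT / universal
}

def is_macho(path):
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS

def hidden_executables(bundle_root):
    """Bundle-relative paths of dot-prefixed regular files that are Mach-O binaries."""
    hits = []
    for dirpath, _dirs, files in os.walk(bundle_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.startswith(".") and os.path.isfile(full) \
                    and not os.path.islink(full) and is_macho(full):
                hits.append(os.path.relpath(full, bundle_root))
    return sorted(hits)

def signing_status(codesign_output):
    """'unsigned', 'adhoc', or 'signed:<TeamID>' from `codesign -dvvv` output."""
    if "not signed at all" in codesign_output:
        return "unsigned"
    fields = dict(re.findall(r"^(\w+)=(.*)$", codesign_output, re.M))
    team = fields.get("TeamIdentifier", "not set")
    # codesign prints "Signature=adhoc" and "TeamIdentifier=not set" for ad hoc signatures
    if fields.get("Signature") == "adhoc" or team == "not set":
        return "adhoc"
    return "signed:" + team

def make_sample_bundle(root):
    """Constructed layout: a helper app carrying two hidden Mach-O files plus a benign .DS_Store."""
    macos_dir = os.path.join(root, "Termius.app", "Contents", "Frameworks",
                             "Termius Helper.app", "Contents", "MacOS")  # assumed path
    os.makedirs(macos_dir)
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\0" * 28   # 64-bit magic + zeroed header
    for name in ("Termius Helper", ".localized", ".Termius Helper1"):
        with open(os.path.join(macos_dir, name), "wb") as f:
            f.write(fake_macho)
    with open(os.path.join(root, "Termius.app", "Contents", ".DS_Store"), "wb") as f:
        f.write(b"\0\0\0\1Bud1")                     # hidden but not a binary: must not be flagged
    return os.path.join(root, "Termius.app")

def demo_hidden_executables():
    """Build the sample bundle in a temp dir and return what the hunt flags."""
    with tempfile.TemporaryDirectory() as tmp:
        return hidden_executables(make_sample_bundle(tmp))

# Constructed codesign output: an ad hoc re-signed bundle versus a vendor-signed one
ADHOC_OUTPUT = """Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1201 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=28
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=120
"""
VENDOR_OUTPUT = """Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1201 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=120
"""

if __name__ == "__main__":
    print(demo_hidden_executables())
    print(signing_status(ADHOC_OUTPUT), signing_status(VENDOR_OUTPUT))
```

On a real host, feed `signing_status` the text of `codesign -dvvv /Applications/Termius.app 2>&1` (codesign writes these fields to stderr), and compare the result with the Team ID printed for a copy obtained from the vendor. An ad hoc signature is not proof of tampering by itself, but on a commercial app that ships Developer ID signed it is enough to pull the bundle for analysis.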

“While the use of Khepri was seen in earlier versions of ZuRu, this means of trojanizing a legitimate application varies from the threat actor’s previous technique,” the researchers explained.

“In older versions of ZuRu, the malware authors modified the main bundle’s executable by adding an additional load command referencing an external .dylib, with the dynamic library functioning as the loader for the Khepri backdoor and persistence modules.”
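The older technique is visible in the load commands of the main executable, so the practical check is to diff the dylib list of a suspect binary against the vendor's copy. The following is an added example, not SentinelOne's or Jamf's tooling: it parses the load commands of a thin little-endian Mach-O (64- or 32-bit), lists the install names dyld would load, and reports those absent from a known-good copy. The sample binaries are built in memory, and the injected dylib name is a hypothetical placeholder, not an indicator from the report.

```python
"""Spot an injected dylib load command by diffing a suspect Mach-O against the vendor copy.

Added example, not SentinelOne's or Jamf's tooling. It parses the load commands of a
thin little-endian Mach-O (64- or 32-bit), lists the dylib install names dyld would
load, and reports those absent from a known-good copy of the same executable. The
sample binaries are built in memory; the injected name is a hypothetical placeholder.
"""
import struct

MH_MAGIC_64, MH_MAGIC = 0xFEEDFACF, 0xFEEDFACE
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
DYLIB_CMDS = {                      # every command whose payload is a struct dylib
    LC_LOAD_DYLIB,
    0x18 | LC_REQ_DYLD,             # LC_LOAD_WEAK_DYLIB
    0x1F | LC_REQ_DYLD,             # LC_REEXPORT_DYLIB
    0x23 | LC_REQ_DYLD,             # LC_LOAD_UPWARD_DYLIB
}

def load_commands(data):
    """Yield (cmd, raw_command_bytes) for each load command, with bounds checks."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        off = 32                    # mach_header_64 is 32 bytes
    elif magic == MH_MAGIC:
        off = 28                    # mach_header is 28 bytes
    else:
        raise ValueError(f"not a thin little-endian Mach-O (magic {magic:#010x})")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off}")
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def linked_dylibs(data):
    """Install names of every dylib the binary asks dyld to load, in load order."""
    names = []
    for cmd, body in load_commands(data):
        if cmd in DYLIB_CMDS:
            name_off, = struct.unpack_from("<I", body, 8)   # lc_str offset into the command
            names.append(body[name_off:].split(b"\0", 1)[0].decode())
    return names

def added_dylibs(genuine, suspect):
    """Dylibs linked by the suspect binary that the vendor's copy never referenced."""
    baseline = set(linked_dylibs(genuine))
    return [d for d in linked_dylibs(suspect) if d not in baseline]

def build_macho(dylibs):
    """Constructed sample: a minimal 64-bit Mach-O whose only load commands are LC_LOAD_DYLIB."""
    cmds = b""
    for name in dylibs:
        s = name.encode() + b"\0"
        s += b"\0" * (-len(s) % 8)                         # load commands are 8-byte aligned
        # cmd, cmdsize, name offset (24), timestamp, current_version, compatibility_version
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(s), 24, 2, 0x10000, 0x10000) + s
    # magic, cputype (arm64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return hdr + cmds

# Constructed inputs: the vendor's binary and one with an extra (hypothetical) load command
GENUINE = build_macho([
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa",
])
INJECTED_NAME = "@executable_path/../Frameworks/.libhelper.dylib"   # placeholder, not an IOC
TROJANIZED = build_macho(linked_dylibs(GENUINE) + [INJECTED_NAME])

if __name__ == "__main__":
    for d in added_dylibs(GENUINE, TROJANIZED):
        print("extra load command:", d)
```

On macOS the same list comes from `otool -L` or `otool -l`, but a parser of your own lets you run the comparison on a forensic image or in a pipeline, and the bounds checks matter because a malformed `cmdsize` is a cheap way to crash naive tooling. Universal (FAT) binaries must be split into their slices first; the parser above deliberately rejects anything that is not a thin little-endian image.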

Besides downloading the Khepri beacon, the loader sets up persistence on the host and checks whether the payload is already present at a predefined path on the system (“/tmp/.fseventsd”); if it is, the loader compares the MD5 hash of the local payload against the hash hosted on the server.

A new version is subsequently downloaded if the hash values don’t match. It’s believed that the feature likely serves as an update mechanism to fetch new versions of the malware as they become available. But SentinelOne also theorized it could be a way to ensure that the payload has not been corrupted or modified after it was dropped.

The modified Khepri tool is a feature-packed C2 implant that allows file transfer, system reconnaissance, process execution and control, and command execution with output capture. The C2 server used to communicate with the beacon is “ctl01.termius[.]fun.”

“The latest variant of macOS.ZuRu continues the threat actor’s pattern of trojanizing legitimate macOS applications used by developers and IT professionals,” the researchers said.

“The shift in technique from Dylib injection to trojanizing an embedded helper application is likely an attempt to circumvent certain kinds of detection logic. Even so, the actor’s continued use of certain TTPs – from choice of target applications and domain name patterns to the reuse of file names, persistence and beaconing methods – suggests these are offering continued success in environments lacking sufficient endpoint protection.”
