Cybersecurity researchers have discovered new artifacts associated with an Apple macOS malware called ZuRu, which is known to propagate via trojanized versions of legitimate software.
SentinelOne, in a new report shared with The Hacker News, said the malware has been observed masquerading as the cross‑platform SSH client and server‑management tool Termius in late May 2025.
“ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets,” researchers Phil Stokes and Dinesh Devadoss said.
ZuRu was first documented in September 2021 by a user on Chinese question-and-answer website Zhihu as part of a malicious campaign that hijacked searches for iTerm2, a legitimate macOS Terminal app, to direct users to fake sites that tricked unsuspecting users into downloading the malware.
Then in January 2024, Jamf Threat Labs said it discovered a piece of malware distributed via pirated macOS apps that shared similarities with ZuRu. Some of the other popular software that has been trojanized to deliver the malware include Microsoft’s Remote Desktop for Mac, along with SecureCRT and Navicat.
The fact that ZuRu primarily relies on sponsored web searches for distribution indicates the threat actors behind the malware are more opportunistic than targeted in their attacks, while also ensuring that only those looking for remote connections and database management are compromised.
Like the samples detailed by Jamf, the newly discovered ZuRu artifacts employ a modified version of the open-source post-exploitation toolkit known as Khepri to enable attackers to gain remote control of infected hosts.
“The malware is delivered via a .dmg disk image and contains a hacked version of the genuine Termius.app,” the researchers said. “Since the application bundle inside the disk image has been modified, the attackers have replaced the developer’s code signature with their own ad hoc signature in order to pass macOS code signing rules.”
The altered app packs in two extra executables within Termius Helper.app, a loader named “.localized” that’s designed to download and launch a Khepri command-and-control (C2) beacon from an external server (“download.termius[.]info”) and “.Termius Helper1,” which is a renamed version of the actual Termius Helper app.
“While the use of Khepri was seen in earlier versions of ZuRu, this means of trojanizing a legitimate application varies from the threat actor’s previous technique,” the researchers explained.
“In older versions of ZuRu, the malware authors modified the main bundle’s executable by adding an additional load command referencing an external .dylib, with the dynamic library functioning as the loader for the Khepri backdoor and persistence modules.”
Besides downloading the Khepri beacon, the loader is designed to set up persistence on the host and checks if the malware is already present at a pre-defined path in the system and employs(“/tmp/.fseventsd”) and if so, compares the MD5 hash value of the payload against the one that’s hosted on the server.
A new version is subsequently downloaded if the hash values don’t match. It’s believed that the feature likely serves as an update mechanism to fetch new versions of the malware as they become available. But SentinelOne also theorized it could be a way to ensure that the payload has not been corrupted or modified after it was dropped.
The modified Khepri tool is a feature-packed C2 implant that allows file transfer, system reconnaissance, process execution and control, and command execution with output capture. The C2 server used to communicate with the beacon is “ctl01.termius[.]fun.”
“The latest variant of macOS.ZuRu continues the threat actor’s pattern of trojanizing legitimate macOS applications used by developers and IT professionals,” the researchers said.
“The shift in technique from Dylib injection to trojanizing an embedded helper application is likely an attempt to circumvent certain kinds of detection logic. Even so, the actor’s continued use of certain TTPs – from choice of target applications and domain name patterns to the reuse of file names, persistence and beaconing methods – suggest these are offering continued success in environments lacking sufficient endpoint protection.”
