Cybersecurity researchers have identified a new variant of the ZuRu malware, which is now targeting macOS users through a trojanized version of the Termius application—a widely used SSH client and server management tool. This discovery underscores the evolving tactics of cybercriminals aiming to exploit professionals in the development and IT sectors.
Background on ZuRu Malware
First documented in September 2021, ZuRu malware initially spread through malicious versions of legitimate macOS applications. Users searching for tools like iTerm2 were redirected to counterfeit websites, leading them to download infected software. Once installed, ZuRu would execute scripts in the background, compromising sensitive data and granting unauthorized access to attackers.
In January 2024, security firm Jamf Threat Labs reported a resurgence of ZuRu, noting its distribution via pirated versions of popular macOS applications such as Microsoft’s Remote Desktop for Mac, SecureCRT, and Navicat Premium. These incidents highlighted the malware’s adaptability and its focus on applications commonly used by developers and IT professionals.
Recent Developments: Termius Application Compromise
In late May 2025, researchers from SentinelOne discovered that ZuRu had evolved to target the Termius application. This application is favored by developers for its robust SSH capabilities and server management features. The malware was distributed through a disk image (.dmg) file containing a modified version of Termius. To bypass macOS’s code signing requirements, attackers replaced the original developer’s signature with an ad hoc signature.
Within the compromised Termius application, two additional executables were embedded:
1. .localized: A loader designed to download and execute a Khepri command-and-control (C2) beacon from an external server.
2. .Termius Helper1: A renamed version of the legitimate Termius Helper app, ensuring the application functions as expected to avoid raising user suspicion.
The Khepri tool, an open-source post-exploitation framework, provides attackers with extensive control over infected systems, including file transfer capabilities, system reconnaissance, and the execution of arbitrary commands.
Distribution Tactics and Target Audience
The distribution method for this variant of ZuRu involves leveraging sponsored web searches to direct users to malicious download sites. This strategy indicates an opportunistic approach, aiming to compromise individuals seeking specific tools for remote connections and database management. By focusing on applications like Termius, the attackers are specifically targeting developers and IT professionals who rely on such tools for their daily operations.
Technical Analysis and Persistence Mechanisms
Upon execution, the loader (.localized) not only downloads the Khepri beacon but also establishes persistence on the infected system. It checks for the presence of the malware at a predefined system path (/tmp/.fseventsd) and compares its MD5 hash with the version hosted on the attacker’s server. If discrepancies are found, a new version is downloaded, suggesting an update mechanism to ensure the malware remains effective and undetected.
This persistence mechanism allows the malware to survive system reboots and maintain a foothold on the compromised machine, enabling continuous unauthorized access and potential data exfiltration.
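A triage check for the two artifacts described above (hidden executables embedded in the bundle, and the update file at /tmp/.fseventsd), written here as an added example rather than code from the original article or from the researchers. The bundle layout in demo() is constructed for illustration, and it assumes the hidden files sit under Contents/MacOS; a real hunt would point find_hidden_machos at /Applications or a mounted .dmg.

```python
import os
import tempfile
from typing import List

# First four bytes of Mach-O images: thin 32/64-bit and fat (universal)
# headers, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC
}
UPDATE_ARTIFACT = "/tmp/.fseventsd"  # path the loader checks, per the analysis

def is_macho(path: str) -> bool:
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def find_hidden_machos(root: str) -> List[str]:
    """Dot-prefixed regular files under root that are Mach-O images.
    A genuine `.localized` is an empty marker file, never executable code."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.startswith(".") and is_macho(full):
                hits.append(full)
    return sorted(hits)

def artifact_present(path: str = UPDATE_ARTIFACT) -> bool:
    """True if the loader's update artifact exists on this host."""
    return os.path.isfile(path)

def demo() -> List[str]:
    """Scan a constructed bundle: two hidden Mach-O stand-ins in Contents/MacOS
    should be reported; the visible main executable and a benign empty
    .localized marker in Resources should not."""
    with tempfile.TemporaryDirectory() as tmp:
        macos = os.path.join(tmp, "Termius.app", "Contents", "MacOS")
        res = os.path.join(tmp, "Termius.app", "Contents", "Resources")
        os.makedirs(macos)
        os.makedirs(res)
        header = b"\xcf\xfa\xed\xfe" + b"\0" * 28  # constructed MH_MAGIC_64 stub
        for name in ("Termius", ".localized", ".Termius Helper1"):
            with open(os.path.join(macos, name), "wb") as fh:
                fh.write(header)
        open(os.path.join(res, ".localized"), "wb").close()
        return [os.path.relpath(p, tmp) for p in find_hidden_machos(tmp)]
```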
Implications for macOS Users
The emergence of this ZuRu variant highlights the increasing sophistication of malware targeting macOS platforms. Historically perceived as more secure than other operating systems, macOS is now facing threats that exploit user trust in legitimate applications. The focus on tools used by developers and IT professionals suggests that attackers are aiming to infiltrate environments with elevated privileges, potentially leading to more significant security breaches.
Preventative Measures and Recommendations
To mitigate the risk of infection from such malware, macOS users, particularly those in development and IT roles, should adopt the following practices:
1. Download Software from Trusted Sources: Always obtain applications directly from official websites or the Mac App Store. Avoid downloading software from third-party sites, especially those offering pirated versions.
2. Verify Application Integrity: Before installation, check the digital signature of the application to ensure it hasn’t been tampered with.
3. Keep Systems Updated: Regularly update macOS and installed applications to benefit from the latest security patches.
4. Utilize Security Software: Employ reputable antivirus and anti-malware solutions that can detect and prevent malicious activities.
5. Educate and Train Staff: Ensure that all team members are aware of the risks associated with downloading and installing software from unverified sources.
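Recommendation 2 in practice: the article notes the trojanized build carried an ad hoc signature in place of the developer's, which `codesign -dv --verbose=4` reports as `Signature=adhoc` with no `Authority=` lines and `TeamIdentifier=not set`. The following is an added example (not code from the article or from Termius) that parses that report; both sample outputs are constructed, and TEAMID_PLACEHOLDER stands in for the vendor's real team identifier.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed `codesign -dv --verbose=4` report for an ad hoc signed bundle,
# the shape described for the trojanized build (values are illustrative).
ADHOC_SAMPLE = """\
Executable=/Volumes/Termius/Termius.app/Contents/MacOS/Termius
Identifier=com.termius.mac
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=28
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=412
"""

# Constructed report for a Developer ID signed bundle (placeholder team ID).
DEVID_SAMPLE = """\
Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.termius.mac
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9012
Authority=Developer ID Application: Example Vendor (TEAMID_PLACEHOLDER)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Info.plist entries=28
TeamIdentifier=TEAMID_PLACEHOLDER
Sealed Resources version=2 rules=13 files=412
"""

def classify_signature(codesign_output: str) -> Dict[str, object]:
    """Summarise a codesign report: ad hoc flag, team ID and certificate chain."""
    authorities: List[str] = re.findall(r"^Authority=(.+)$", codesign_output, re.M)
    team = re.search(r"^TeamIdentifier=(.+)$", codesign_output, re.M)
    team_id: Optional[str] = team.group(1).strip() if team else None
    if team_id == "not set":
        team_id = None
    adhoc = bool(re.search(r"^Signature=adhoc$", codesign_output, re.M)) \
        or bool(re.search(r"flags=0x[0-9a-f]+\([^)\n]*adhoc", codesign_output))
    # An ad hoc signature carries no certificate chain and no team identifier,
    # so a bundle with neither is treated as untrusted even without the flag.
    untrusted = adhoc or (not authorities and team_id is None)
    return {"adhoc": adhoc, "untrusted": untrusted,
            "team_id": team_id, "authorities": authorities}

def inspect_bundle(path: str) -> Dict[str, object]:
    """Run codesign on a bundle (macOS only); codesign prints the report to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return classify_signature(proc.stderr)
```

A result with `untrusted` set is the cue to discard the download and fetch the application from the vendor's official site, where the report should show the vendor's Developer ID chain and team identifier.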
Conclusion
The adaptation of ZuRu malware to target the Termius application signifies a concerning trend in cyber threats against macOS users. By compromising tools essential to developers and IT professionals, attackers aim to gain unauthorized access to systems with elevated privileges. Vigilance, adherence to best security practices, and continuous education are crucial in defending against such evolving threats.