Emerging ZuRu Malware Variant Targets macOS Users via Compromised Termius Application

A sophisticated new variant of the macOS.ZuRu malware has been identified, targeting macOS users through a compromised version of the widely used Termius SSH client. This development signifies a notable shift in the malware’s distribution strategy, moving from previous methods like search engine poisoning to directly embedding malicious components within legitimate applications favored by developers and IT professionals.

Background on ZuRu Malware

The ZuRu malware family first emerged in July 2021, when a Chinese blogger discovered trojanized versions of popular macOS utilities being disseminated through manipulated search results. Initially, the malware targeted applications such as iTerm2, SecureCRT, and Microsoft Remote Desktop, focusing on tools commonly used by backend developers and system administrators who require SSH and remote connection capabilities.

Evolution in Attack Methodology

In its latest iteration, identified in late May 2025, the threat actors have refined their approach by embedding malicious components directly within the target application’s helper processes. This method replaces the previous technique of dynamic library injection, demonstrating a deeper understanding of macOS security mechanisms and an effort to evade traditional detection methods.

Details of the Compromised Termius Application

The weaponized Termius application is distributed as a disk image file measuring 248MB, which is noticeably larger than the legitimate 225MB version due to the inclusion of malicious binaries. To circumvent macOS code signing requirements, the attackers have replaced the original developer signature with their own ad hoc signature, allowing the modified application to run without raising immediate security alerts.

Infection Mechanism and Persistence Tactics

The malware employs a multi-stage infection process:

1. Modification of Helper Component: The legitimate Termius Helper.app component is altered. The original 248KB Termius Helper binary is renamed to `.Termius Helper1`, and a 25MB malicious replacement is inserted.

2. Execution and Loader Activation: Upon launching the compromised application, the trojanized helper launches the original application (to preserve normal functionality) alongside a malware loader named `.localized`, which begins the infection chain.

3. Establishing Persistence: The loader creates a LaunchDaemon labeled `com.apple.xssooxxagent`, scheduled to execute every hour from `/Users/Shared/com.apple.xssooxxagent`. This ensures the malware remains active on the system.

4. Payload Retrieval and Execution: The loader downloads an encrypted payload from `download.termius[.]info/bn.log.enc` using a hardcoded decryption key, writing the decrypted Khepri C2 beacon to `/tmp/.fseventsd`.

5. Command and Control Communication: The beacon maintains a rapid 5-second heartbeat with the command and control server at `ctl01.termius[.]fun`, utilizing port 53 to blend with legitimate DNS traffic while employing `www.baidu[.]com` as a decoy domain.

Implications and Recommendations

This evolution in the ZuRu malware’s tactics underscores the increasing sophistication of threats targeting macOS users, particularly developers and IT professionals who rely on tools like Termius for their daily operations. The direct compromise of legitimate applications poses significant risks, as it can bypass traditional detection methods that focus on external library injections.

To mitigate the risk of infection:

– Download Applications from Trusted Sources: Always obtain software from official vendor websites or the Mac App Store to ensure authenticity.

– Verify Application Integrity: Check the file size and code signature of downloaded applications. For instance, the legitimate Termius application should be approximately 225MB.

– Monitor System Activity: Regularly scan for unusual files or processes, especially in directories like `/Users/Shared` and `/Library/LaunchDaemons`.

– Utilize Security Tools: Employ endpoint protection solutions capable of detecting and mitigating such sophisticated threats.
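The following POSIX shell script is an added example, not code from the original write-up or from Termius, that turns the artifacts listed in the infection steps above and the "Verify Application Integrity" and "Monitor System Activity" recommendations into concrete checks: it looks for the `com.apple.xssooxxagent` LaunchDaemon, the loader in `/Users/Shared`, the beacon at `/tmp/.fseventsd` and the renamed `.Termius Helper1` binary, reports whether the bundle carries an ad hoc signature, and returns a disk image's size in MB for comparison with the figures quoted above. It assumes Termius is installed at `/Applications/Termius.app` and that the persistence plist is in `/Library/LaunchDaemons`; neither path is stated in the write-up. The optional root prefix lets the same checks run against a mounted image or a test tree.

```shell
#!/bin/sh
# zuru_hunt.sh - defender-side checks for the ZuRu/Termius artifacts described above.
# Assumptions (not from the write-up): Termius lives at /Applications/Termius.app and
# the LaunchDaemon plist is stored under /Library/LaunchDaemons.

# zuru_hunt [ROOT] [APP_PATH]
# Prints one "HIT ..." line per artifact found under ROOT (empty = live system).
# Returns 0 if anything was found, 1 if the system looks clean.
zuru_hunt() {
    root="${1:-}"
    app="${2:-/Applications/Termius.app}"   # assumed install path
    hits=0

    # 1. Hourly LaunchDaemon persistence: grep every plist for the label used by the loader
    for plist in "$root"/Library/LaunchDaemons/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q 'com.apple.xssooxxagent' "$plist"; then
            echo "HIT launchdaemon: $plist"
            hits=$((hits + 1))
        fi
    done

    # 2. Loader binary that the LaunchDaemon executes every hour
    if [ -e "$root/Users/Shared/com.apple.xssooxxagent" ]; then
        echo "HIT loader: $root/Users/Shared/com.apple.xssooxxagent"
        hits=$((hits + 1))
    fi

    # 3. Decrypted Khepri beacon written to a dot-file in /tmp
    if [ -e "$root/tmp/.fseventsd" ]; then
        echo "HIT beacon: $root/tmp/.fseventsd"
        hits=$((hits + 1))
    fi

    # 4. Original helper renamed to ".Termius Helper1" next to the malicious replacement;
    #    searched recursively because the helper's exact location in the bundle is not given
    if [ -d "$root$app" ]; then
        found=$(find "$root$app" -name '.Termius Helper1' 2>/dev/null)
        if [ -n "$found" ]; then
            echo "HIT renamed helper: $found"
            hits=$((hits + 1))
        fi
    fi

    [ "$hits" -gt 0 ]
}

# termius_is_adhoc_signed [APP_PATH]
# macOS only: codesign reports "Signature=adhoc" for ad hoc signed bundles, which is what
# the trojanized build carries instead of the vendor's Developer ID signature.
# Returns 0 if ad hoc, 1 if not, 2 if codesign is unavailable (e.g. on Linux).
termius_is_adhoc_signed() {
    app="${1:-/Applications/Termius.app}"
    command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 2; }
    codesign -dv --verbose=4 "$app" 2>&1 | grep -q 'Signature=adhoc'
}

# dmg_size_mb FILE
# Whole-MB size of a downloaded disk image; the write-up cites roughly 225MB for the
# legitimate Termius image and 248MB for the trojanized one. wc -c is used because
# stat's flags differ between macOS and Linux.
dmg_size_mb() {
    bytes=$(wc -c < "$1" | tr -d ' ')
    echo $((bytes / 1048576))
}

# Usage on a live Mac:
#   . ./zuru_hunt.sh
#   zuru_hunt "" && echo "ZuRu artifacts present"
#   termius_is_adhoc_signed && echo "Termius.app is ad hoc signed: do not trust it"
#   dmg_size_mb ~/Downloads/Termius.dmg
```

Run it before launching a freshly downloaded copy and again after, so a LaunchDaemon or `/Users/Shared` entry that appears between the two runs stands out; on a clean system the hunt returns 1 and prints nothing.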

By remaining vigilant and adhering to best practices in software acquisition and system monitoring, users can reduce the risk of falling victim to such advanced malware campaigns.