ZuRu Malware
Cybersecurity researchers recently uncovered new artifacts linked to an Apple macOS malware called ZuRu. This malware spreads through trojanized versions of legitimate software.
In a new report shared with The Hacker News, SentinelOne revealed that the malware appeared in late May 2025, posing as the cross-platform SSH client and server-management tool Termius.
Researchers Phil Stokes and Dinesh Devadoss noted, “ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets.”
Initially, a user on the Chinese question-and-answer website Zhihu documented ZuRu in September 2021. The malicious campaign hijacked searches for iTerm2, a legitimate macOS Terminal app, and redirected users to fake websites that tricked them into downloading the malware.
Then, in January 2024, Jamf Threat Labs identified a piece of malware that shared characteristics with ZuRu. Attackers distributed it through pirated macOS apps. Moreover, they trojanized other popular software, such as Microsoft’s Remote Desktop for Mac, SecureCRT, and Navicat, to deliver the malware.
How it works
Because ZuRu is distributed mainly through sponsored web search results, the threat actors behind it appear to follow an opportunistic approach, reaching whoever is actively searching for remote connection and database management tools.
Much like the samples Jamf highlighted, the newly identified ZuRu artifacts use a modified version of Khepri, an open-source post-exploitation toolkit, to grant attackers remote control over infected machines.
SentinelOne explained, “The malware arrives via a .dmg disk image and includes a hacked version of the genuine Termius.app.” After modifying the application bundle inside the disk image, the attackers replaced the developer’s code signature with their own ad hoc signature, so the tampered app still passes macOS code signing checks.
The altered app includes two additional executables within Termius Helper.app. The first, a loader named “.localized,” downloads and launches a Khepri command-and-control (C2) beacon from the external server “download.termius[.]info.” The second, “.Termius Helper1,” is a renamed version of the original Termius Helper app.
Although Khepri appeared in earlier ZuRu variants, the method of trojanizing a legitimate application marks a shift from previous tactics. Previously, the attackers modified the main bundle’s executable by adding a load command for an external .dylib, which functioned as the loader for the Khepri backdoor and persistence modules.
Beyond downloading the Khepri beacon, the loader also establishes persistence on the host. It checks whether the payload already exists at a predefined path (“/tmp/.fseventsd”) and compares the MD5 hash of the local copy with that of the version hosted on the server.
If the hash values differ, the loader downloads a new version. This behavior likely serves as an update mechanism to fetch fresh malware versions. However, SentinelOne also suggested it might verify that the payload remains unaltered after initial installation.
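The indicators described above (an ad hoc code signature in place of the developer's, hidden Mach-O executables inside the helper bundle, and a payload staged at /tmp/.fseventsd) can be checked for on a host. The script below is an added defensive example, not SentinelOne's or Termius's code; it parses `codesign -dvvv` output that the caller supplies and builds a constructed fixture bundle to show what a hit looks like.

```python
import os
import re
import tempfile
from pathlib import Path

MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}
MACHO64 = b"\xcf\xfa\xed\xfe" + b"\0" * 28  # constructed 64-bit header stub for the fixture

def is_macho(path):
    """True if the file starts with a Mach-O (thin, either byte order) or FAT header."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False

def hidden_executables(bundle):
    """Dot-prefixed Mach-O files anywhere under the bundle, e.g. '.localized'."""
    return sorted(str(Path(root, name).relative_to(bundle))
                  for root, _dirs, files in os.walk(bundle) for name in files
                  if name.startswith(".") and is_macho(Path(root, name)))

def signature_is_adhoc(codesign_output):
    """Parse `codesign -dvvv` text: ad hoc shows 'Signature=adhoc' and no Authority= lines."""
    return bool(re.search(r"^Signature=adhoc$", codesign_output, re.M)) or (
        "Authority=" not in codesign_output and "TeamIdentifier=not set" in codesign_output)

def scan_bundle(bundle, codesign_output, tmp_dir=Path("/tmp")):
    """Collect the three indicators the report describes for one app bundle."""
    findings = []
    if signature_is_adhoc(codesign_output):
        findings.append("ad hoc code signature")
    findings += [f"hidden Mach-O: {p}" for p in hidden_executables(bundle)]
    if (Path(tmp_dir) / ".fseventsd").is_file():
        findings.append("staged payload at /tmp/.fseventsd")
    return findings

def demo():
    """Constructed fixture, not a real sample: hidden loader and renamed helper beside the visible one."""
    root = Path(tempfile.mkdtemp())
    macos = root / "Termius Helper.app" / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    for name in (".localized", ".Termius Helper1", "Termius Helper"):
        (macos / name).write_bytes(MACHO64)
    (macos / ".DS_Store").write_bytes(b"\0\0\0\1Bud1")  # hidden but not Mach-O: ignored
    (root / ".fseventsd").write_bytes(MACHO64)  # stands in for /tmp/.fseventsd
    adhoc = "Identifier=com.termius.mac\nSignature=adhoc\nTeamIdentifier=not set\n"
    return scan_bundle(root / "Termius Helper.app", adhoc, tmp_dir=root)
```

On a real host, feed `scan_bundle` the output of `codesign -dvvv "/Applications/Termius.app"` (codesign writes it to stderr) and leave `tmp_dir` at its default.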
The modified Khepri tool functions as a full-featured C2 implant. It supports file transfer, system reconnaissance, process execution and control, and command execution with output capture. The malware communicates with the C2 server at “ctl01.termius[.]fun.”
According to the researchers, “The latest variant of macOS.ZuRu continues the threat actor’s trend of trojanizing legitimate macOS apps used by developers and IT professionals.”
They added, “The move from Dylib injection to embedding a trojanized helper app likely aims to bypass specific detection logic. Still, the actor’s ongoing use of certain TTPs — such as target application choice, domain patterns, and consistent file names — shows these techniques continue to succeed in environments without strong endpoint protection.”
Source: TheHackerNews