A new variant of the long-running macOS.ZuRu malware has been detected trojanizing the widely used cross-platform SSH client Termius, marking a sophisticated evolution in tactics as cybercriminals continue their campaign against macOS users.
The discovery, which surfaced on social media in late May 2025, highlights how threat actors are now leveraging a modified Khepri C2 framework and new infection mechanisms, underlining growing risks for developers and IT professionals operating in macOS environments.
macOS Threat Actors
Initially observed in July 2021, ZuRu gained notoriety for targeting macOS users via poisoned Baidu search results, distributing trojanized versions of popular developer and remote-administration tools such as iTerm2, SecureCRT, Navicat, and Microsoft’s Remote Desktop for Mac.
The malware authors’ focus on administrative utilities suggested intent to infiltrate environments managed through SSH and other remote protocols.
Jamf Threat Labs researchers noted a major update in early 2024, when trojanized pirated apps began using the open-source Khepri C2 framework for post-infection control.
The latest variant arrives in the form of a malicious Termius disk image (.dmg), inflated beyond the legitimate app’s 225MB size by the inclusion of two malicious binaries, raising the trojan’s footprint to 248MB.
Attackers have replaced the app bundle’s code signature so that the tampered bundle still loads, and have swapped in their own oversized Termius Helper binary, which carries the additional payloads, while the legitimate helper is renamed and kept alongside it.
Upon execution, the malicious helper launches both the malware loader (.localized) and the renamed legitimate helper, so Termius keeps working normally for the user; the loader immediately fetches a secondary payload, the Khepri C2 beacon, from a remote server and writes it to the local system.

Shift in Infection Vector
A key technical divergence from prior versions lies in the packaging method. Rather than injecting malicious dynamic libraries (.dylib) into the app’s binaries via added load commands, this variant ships its malicious executables as separate files inside the helper app, so the application keeps working normally for the user while the attack unfolds in the background.
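Because the malicious code is added as extra files rather than as load commands, a useful check is to diff the Mach-O contents of a suspect bundle against a known-good copy of the same Termius version and look for executables that were added, replaced, or renamed. The following is an added example (not code from the original article or from SentinelOne). It builds a constructed fixture of tiny stand-in files whose only Mach-O feature is the magic number; the bundle layout and the name `.Termius Helper1` used for the renamed original helper are assumptions, since the article only says the helper was renamed.

```python
import hashlib
import os
import tempfile

# Mach-O magic values (thin 32/64-bit in both byte orders, plus fat/universal).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def is_macho(path):
    """True if the file starts with a Mach-O magic, whatever its name or extension."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def inventory(root):
    """Map bundle-relative path -> SHA-1 for every Mach-O file below root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_macho(full):
                with open(full, "rb") as f:
                    out[os.path.relpath(full, root)] = hashlib.sha1(f.read()).hexdigest()
    return out


def diff_bundles(reference, suspect):
    """Compare the Mach-O contents of a suspect bundle against a known-good copy.

    Returns sorted (kind, detail) tuples:
      extra    - executable present only in the suspect bundle
      renamed  - known-good executable found under a different name
      replaced - known path whose content differs from the reference
      missing  - known path absent from the suspect
    """
    ref, sus = inventory(reference), inventory(suspect)
    ref_by_hash = {h: p for p, h in ref.items()}
    findings = []
    for path, h in sus.items():
        if ref.get(path) == h:
            continue
        if path in ref:
            findings.append(("replaced", path))
        elif h in ref_by_hash:
            findings.append(("renamed", f"{ref_by_hash[h]} -> {path}"))
        else:
            findings.append(("extra", path))
    findings += [("missing", p) for p in ref if p not in sus]
    return sorted(findings)


def build_constructed_sample():
    """Constructed fixture (not real files): stand-in Mach-O files laid out like the
    tampering described in the article. '.Termius Helper1' is an assumed name for the
    renamed original helper."""
    base = tempfile.mkdtemp()
    ref = os.path.join(base, "reference", "Termius.app")
    sus = os.path.join(base, "suspect", "Termius.app")
    helper_dir = os.path.join("Contents", "Frameworks", "Termius Helper.app", "Contents", "MacOS")

    def put(root, rel, body):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)

    main_bin = b"\xcf\xfa\xed\xfe" + b"A" * 64
    helper_bin = b"\xcf\xfa\xed\xfe" + b"B" * 64
    for root in (ref, sus):
        put(root, os.path.join("Contents", "MacOS", "Termius"), main_bin)
        put(root, os.path.join("Contents", "Info.plist"), b"<plist/>")  # not Mach-O, ignored
    put(ref, os.path.join(helper_dir, "Termius Helper"), helper_bin)
    put(sus, os.path.join(helper_dir, "Termius Helper"), b"\xcf\xfa\xed\xfe" + b"EVIL" * 64)  # attacker's replacement
    put(sus, os.path.join(helper_dir, ".Termius Helper1"), helper_bin)                     # renamed original
    put(sus, os.path.join(helper_dir, ".localized"), b"\xcf\xfa\xed\xfe" + b"LOADER" * 32)  # dropped loader
    return ref, sus


if __name__ == "__main__":
    for kind, detail in diff_bundles(*build_constructed_sample()):
        print(f"{kind:9} {detail}")
```

Against a real install, point `diff_bundles()` at a freshly downloaded copy of the same version and at the suspect `/Applications/Termius.app`; the hash-based rename detection is what surfaces a legitimate helper that was moved aside to keep the app functional.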
The loader, .localized, also requests elevated privileges in order to establish persistence via a LaunchDaemon labeled com.apple.xssooxxagent, which is hard-coded to run a copy of the loader from the /Users/Shared directory every hour; because it is installed as a LaunchDaemon, that copy runs with root privileges.
Persistence, lock file management, and update routines are all managed within the loader binary.
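The persistence mechanism described above has two tells that do not depend on the specific label: an Apple-style `com.apple.*` label whose program lives outside Apple-owned paths, and a program that executes from a world-writable location such as /Users/Shared. The following is an added example (not code from the article or from SentinelOne) that parses a launch item plist and scores it on those two properties. The plist contents are constructed to match the article's description (label, /Users/Shared path, hourly interval); the real file's exact keys are not given in the article, so the layout is an assumption.

```python
import plistlib

# Paths Apple's own launch items execute from; a com.apple.* label pointing elsewhere is suspect.
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/bin/", "/sbin/")
# Locations any local user can write to; no legitimate LaunchDaemon should execute from these.
WRITABLE_DROP_DIRS = ("/Users/Shared/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def program_path(item):
    """Resolve what launchd will execute: 'Program' wins, else argv[0] of 'ProgramArguments'."""
    if item.get("Program"):
        return item["Program"]
    args = item.get("ProgramArguments") or []
    return args[0] if args else ""


def assess_launch_item(plist_bytes):
    """Parse one LaunchDaemon/LaunchAgent plist and report why (if at all) it looks malicious."""
    item = plistlib.loads(plist_bytes)
    label = item.get("Label", "")
    program = program_path(item)
    reasons = []
    if label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_PREFIXES):
        reasons.append(f"Apple-style label {label!r} runs a non-Apple path {program!r}")
    if program.startswith(WRITABLE_DROP_DIRS):
        reasons.append(f"program lives in a world-writable location {program!r}")
    return {
        "label": label,
        "program": program,
        "interval": item.get("StartInterval"),
        "run_at_load": bool(item.get("RunAtLoad")),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed plist modelled on the article's description; the real file's keys are assumed.
ZURU_LIKE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.xssooxxagent</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/com.apple.xssooxxagent</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

# Constructed benign counterpart: Apple label, Apple-owned path (hypothetical daemon name).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>Program</key><string>/usr/libexec/example</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for blob in (ZURU_LIKE_PLIST, BENIGN_PLIST):
        print(assess_launch_item(blob))
```

In a sweep, feed `assess_launch_item()` every file under /Library/LaunchDaemons and /Library/LaunchAgents; the writable-location rule alone catches the /Users/Shared copy the article describes, and the label rule catches the com.apple.* masquerade even if the drop path changes.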
Notably, the malware decrypts its downloaded payload with a custom routine that combines per-byte XOR, addition, and subtraction using the hardcoded key string (“my_secret_key”), which is enough to hide the payload from conventional static signatures.
A built-in mechanism checks for and updates the main beacon payload by comparing its MD5 hash against a remote value, ensuring attackers can deploy fresh versions as necessary.
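When a decryption routine is known to be built from a small set of byte operations and a hardcoded key, an analyst does not need the exact algorithm to recover the payload: each ordering of the operations can be tried and the output checked for a Mach-O magic. The following is an added example (not code from the article or from SentinelOne). The article names only the three operations and the key; the order in which they are applied is not stated, so the constructed ciphertext below is produced with an assumed order (add, then xor, then sub) purely so that the search has something to recover. The search itself covers every ordering.

```python
from itertools import permutations

KEY = b"my_secret_key"  # hardcoded key string named in the article

# Mach-O magics: decoded output that starts with one of these is almost certainly the real binary.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

# The three per-byte primitives the article names, each keyed by the cycling key byte.
OPS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
    "sub": lambda b, k: (b - k) & 0xFF,
}


def apply_ops(data, key, ops):
    """Apply the named operations in order to every byte, using key byte key[i % len(key)]."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        k = key[i % len(key)]
        for name in ops:
            b = OPS[name](b, k)
        out[i] = b
    return bytes(out)


def find_decoder(blob, key=KEY):
    """Try every ordering of xor/add/sub as the decryption routine and keep those whose
    output starts with a Mach-O magic. Returns a list of (ops, plaintext)."""
    hits = []
    for ops in permutations(OPS):
        candidate = apply_ops(blob, key, ops)
        if candidate[:4] in MACHO_MAGICS:
            hits.append((ops, candidate))
    return hits


# Constructed stand-in payload: 64-bit little-endian Mach-O magic followed by filler bytes.
PLAIN = b"\xcf\xfa\xed\xfe" + bytes(range(64))
# Constructed ciphertext. The assumed order add -> xor -> sub is not from the article.
CIPHER = apply_ops(PLAIN, KEY, ("add", "xor", "sub"))

if __name__ == "__main__":
    for ops, pt in find_decoder(CIPHER):
        print(" -> ".join(ops), pt[:8].hex(), "recovered" if pt == PLAIN else "")
```

Orderings in which add and sub are adjacent cancel to a plain XOR, so of the six permutations only two are distinct non-trivial routines; the magic check rejects the wrong ones without any knowledge of the payload beyond its file type. The same approach extends to other operation sets or to an unknown key length by adding candidates to `OPS` or looping over key slices.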
Analysis of the modified Khepri beacon recovered in this campaign shows a full-featured C2 implant built for current macOS releases (it requires macOS 14.1 Sonoma or later) that supports rapid command execution, file transfer, and system reconnaissance.
The beacon communicates with its C2 infrastructure over port 53, the port normally reserved for DNS, while masquerading as legitimate Baidu traffic, but ultimately connects to ctl01.termius[.]fun, a domain resolving to an Alibaba Cloud-hosted IP, consistent with domains and infrastructure observed in earlier ZuRu clusters.
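C2 over port 53 is easy to spot in flow logs once the question is asked: a port-53 connection that goes somewhere other than the organisation's resolvers, that Zeek did not classify as `dns`, or that lasts minutes and carries kilobytes from the client is not DNS. The following is an added example (not code from the article or from SentinelOne) that runs those checks over constructed Zeek conn.log rows. The resolver set, the thresholds, and the addresses (203.0.113.9 is a documentation address, not the real C2) are assumptions.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "ts uid src sport dst dport proto service duration orig_bytes resp_bytes")

ALLOWED_RESOLVERS = {"10.0.0.1"}  # assumed: the only hosts clients may query on port 53
MAX_DNS_DURATION = 30.0           # seconds; a real DNS exchange finishes in well under this
MAX_DNS_ORIG_BYTES = 4096         # a client does not upload kilobytes over legitimate DNS


def parse_conn_log(text):
    """Parse the first 11 Zeek conn.log columns (tab-separated, '#' lines skipped)."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]), f[6], f[7],
                          float(f[8]), int(f[9]), int(f[10])))
    return conns


def flag_port53(conns):
    """Return {uid: [reasons]} for port-53 flows that do not look like DNS."""
    flagged = {}
    for c in conns:
        if c.dport != 53:
            continue
        reasons = []
        if c.dst not in ALLOWED_RESOLVERS:
            reasons.append(f"port 53 to non-resolver {c.dst}")
        if c.service != "dns":
            reasons.append(f"service identified as {c.service!r}, not dns")
        if c.duration > MAX_DNS_DURATION:
            reasons.append(f"flow lasted {c.duration:.0f}s")
        if c.orig_bytes > MAX_DNS_ORIG_BYTES:
            reasons.append(f"client sent {c.orig_bytes} bytes")
        if reasons:
            flagged[c.uid] = reasons
    return flagged


# Constructed sample rows in Zeek conn.log column order (ts uid id.orig_h id.orig_p id.resp_h
# id.resp_p proto service duration orig_bytes resp_bytes). Not captured traffic.
SAMPLE_LOG = """\
1748600000.1\tC1\t10.0.0.5\t51000\t10.0.0.1\t53\tudp\tdns\t0.02\t40\t120
1748600001.2\tC2\t10.0.0.5\t51001\t203.0.113.9\t53\ttcp\t-\t3600.5\t52100\t8800
1748600002.3\tC3\t10.0.0.7\t51002\t10.0.0.1\t53\tudp\tdns\t0.01\t38\t90
1748600003.4\tC4\t10.0.0.5\t51003\t203.0.113.9\t53\tudp\t-\t0.5\t310\t260
1748600004.5\tC5\t10.0.0.9\t44000\t198.51.100.4\t443\ttcp\tssl\t12.0\t4000\t90000
"""

if __name__ == "__main__":
    for uid, reasons in flag_port53(parse_conn_log(SAMPLE_LOG)).items():
        print(uid, "; ".join(reasons))
```

Row C2 models a long-lived beacon session and trips every rule; C4 is a short exchange with an unknown host that still fails the resolver and service checks, which is the signal that survives even when the implant keeps its flows small. Pair this with a resolver-side rule that forwards outbound port 53 only from the resolvers themselves, and the channel is both detected and blocked.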
Security vendors like SentinelOne have confirmed detection and mitigation capabilities for this new threat. Organizations lacking advanced endpoint protection are advised to urgently review the latest indicators of compromise and harden macOS defenses, as this campaign demonstrates both the persistence and technical acumen of its operators.
Indicators of Compromise (IOCs)
| Indicator | Description | SHA-1 |
|---|---|---|
| /Library/LaunchDaemons/com.apple.xssooxxagent.plist | Persistence plist | |
| /Users/Shared/com.apple.xssooxxagent | Malware loader copy run by the LaunchDaemon | |
| /private/tmp/Termius | Temp directory for malware operations | |
| /tmp/.fseventsd | Khepri C2 beacon | a7a9b0f8cc1c89f5c195af74ce3add74733b15c0 |
| /tmp/apple-local-ipc.sock.lock | Lock file for malware instance control | |
| Termius Helper | Trojanized Mach-O helper | ace81626924c34dfbcd9a485437cbb604e184426 |
| Termius9.5.0.dmg | Trojanized disk image | de8aca685871ade8a75e4614ada219025e2d6fd7 |
| .localized | Malware loader | fa9b89d4eb4d47d34f0f366750d55603813097c1 |
| ctl01.termius[.]fun | C2 domain (port 53) | |