ZuRu Malware Variant Turns Termius SSH Client into a Weapon Against macOS

A new and highly sophisticated variant of the macOS.ZuRu malware has been uncovered, marking a significant escalation in targeted attacks against developers and IT professionals.

This variant utilizes a trojanized version of the popular Termius SSH client to deploy a modified Khepri command-and-control (C2) beacon, establishing stealthy and persistent remote access on compromised macOS systems.

The campaign, detailed by researchers at SentinelOne, demonstrates evolving attacker tactics designed to evade modern security protections and exploit trust in widely used developer tools.

Sophisticated macOS Backdoor

The infection vector centers around a poisoned Termius application distributed in a malicious .dmg disk image.

While the genuine Termius.app typically weighs in at 225MB, the trojanized build swells to 248MB, thanks to the addition of two malicious executables buried within the Termius Helper.app bundle.

Attackers replace the legitimate helper binary with a payload named “Termius Helper,” relegating the original file to “.Termius Helper1.”

This malicious binary launches the genuine helper so the application behaves normally for the user, and alongside it starts a loader named “.localized.”

The loader’s role is to fetch and deploy the Khepri C2 beacon, writing it to the hidden path /tmp/.fseventsd, a name chosen to resemble the legitimate .fseventsd metadata directory that macOS keeps at the root of each volume.

In a departure from earlier ZuRu variants that relied on injecting malicious dynamic libraries (.dylib), this version embeds its backdoor directly in the modified helper application, so detections that key on an injected library being loaded into a legitimate process no longer fire.

The retooled Khepri beacon central to this campaign is based on a known post-exploitation framework but is heavily modified for both concealment and agility.

It operates in one of two modes, either as a “skip” process or as a persistent background daemon, and communicates with its C2 infrastructure via a heartbeat every five seconds, a notably shorter interval than most beacons use.

Communication is carried over port 53, the DNS port, which many environments allow outbound without inspection, and the beacon configuration references deceptive domains such as www.baidu[.]com to make the traffic look benign.

The C2 server itself continues established ZuRu naming patterns, including domains like ctl01.macnavicat[.]com.
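The beaconing pattern described above (non-DNS traffic to port 53 at a fixed five-second cadence) is something a defender can hunt for in connection logs. The script below is an added example written for this page, not code from SentinelOne or from the malware; it parses a constructed flow log (timestamp, source, destination, destination port, protocol), lists every host talking to port 53 on something other than the sanctioned resolvers, and flags flows whose inter-connection gaps are regular enough to be a beacon. The resolver set, the log format, the jitter threshold and the minimum hit count are all assumptions to adapt to your environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (not real telemetry). Fields:
# timestamp source destination dport proto
# 10.0.0.5 -> 203.0.113.10 is the suspect: TCP/53 every ~5 s.
# 10.0.0.5 -> 10.0.0.2 is ordinary traffic to the sanctioned resolver.
# 10.0.0.7 -> 8.8.8.8 is an unsanctioned but irregular resolver (a misconfigured laptop).
SAMPLE_LOG = """\
2025-07-15T10:00:00+00:00 10.0.0.5 203.0.113.10 53 tcp
2025-07-15T10:00:01+00:00 10.0.0.5 10.0.0.2 53 udp
2025-07-15T10:00:01+00:00 10.0.0.5 10.0.0.2 53 udp
2025-07-15T10:00:02+00:00 10.0.0.7 8.8.8.8 53 udp
2025-07-15T10:00:03+00:00 10.0.0.7 8.8.8.8 53 udp
2025-07-15T10:00:05+00:00 10.0.0.5 203.0.113.10 53 tcp
2025-07-15T10:00:10.100000+00:00 10.0.0.5 203.0.113.10 53 tcp
2025-07-15T10:00:13+00:00 10.0.0.5 10.0.0.2 53 udp
2025-07-15T10:00:15+00:00 10.0.0.5 203.0.113.10 53 tcp
2025-07-15T10:00:19.900000+00:00 10.0.0.5 203.0.113.10 53 tcp
2025-07-15T10:00:21+00:00 10.0.0.7 8.8.8.8 53 udp
2025-07-15T10:00:22+00:00 10.0.0.7 8.8.8.8 53 udp
2025-07-15T10:00:22+00:00 10.0.0.7 8.8.8.8 53 udp
2025-07-15T10:00:25+00:00 10.0.0.5 203.0.113.10 53 tcp
2025-07-15T10:00:30.100000+00:00 10.0.0.5 203.0.113.10 53 tcp
2025-07-15T10:00:35+00:00 10.0.0.5 203.0.113.10 53 tcp
2025-07-15T10:00:54+00:00 10.0.0.5 10.0.0.2 53 udp
2025-07-15T10:00:59+00:00 10.0.0.7 8.8.8.8 53 udp
2025-07-15T10:01:40+00:00 10.0.0.7 8.8.8.8 53 udp
"""

# Assumed: the resolvers this environment actually sanctions.
RESOLVERS = {"10.0.0.2"}


def parse_log(text):
    """Parse the constructed log format into (epoch, src, dst, dport, proto)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        rows.append((datetime.fromisoformat(ts).timestamp(), src, dst, int(dport), proto))
    return rows


def non_resolver_port53(rows, resolvers=RESOLVERS):
    """Every (src, dst, proto) using port 53 toward a destination that is not
    a sanctioned resolver. Khepri does not need real DNS to use port 53, so
    this allowlist view catches it even before the cadence check does."""
    flows = {(src, dst, proto) for _, src, dst, dport, proto in rows
             if dport == 53 and dst not in resolvers}
    return sorted(flows)


def find_port53_beacons(rows, resolvers=RESOLVERS, min_hits=6, max_jitter=0.25):
    """Flag non-resolver port-53 flows whose inter-connection gaps are regular.
    jitter = population stdev of the gaps divided by their median; a fixed
    five-second heartbeat sits near 0, human or cache-driven DNS does not."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport, proto in rows:
        if dport == 53 and dst not in resolvers:
            by_flow[(src, dst, proto)].append(ts)
    alerts = []
    for (src, dst, proto), stamps in by_flow.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        jitter = statistics.pstdev(gaps) / med if med > 0 else float("inf")
        if jitter <= max_jitter:
            alerts.append({"src": src, "dst": dst, "proto": proto, "hits": len(stamps),
                           "interval": round(med, 2), "jitter": round(jitter, 3)})
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("port 53 outside sanctioned resolvers:", non_resolver_port53(rows))
    for a in find_port53_beacons(rows):
        print("beacon:", a)
```

Against the constructed log only 10.0.0.5 to 203.0.113.10 trips the cadence check (eight hits, five-second median, jitter below 2%), while the laptop hard-wired to 8.8.8.8 shows up in the allowlist view but not as a beacon. Real Zeek or firewall logs will need their own parser, and the jitter threshold should be tuned on known-good traffic before alerting on it.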

Modified Khepri C2 Beacon

Because modifying the bundle invalidates Termius’s legitimate Developer ID signature, the attackers strip it and re-sign the application ad hoc. An ad hoc signature carries no developer identity and is not notarized, so it does not satisfy Gatekeeper on its own; it only keeps the altered bundle internally consistent so that macOS does not refuse to launch it as damaged, leaving a user willing to override the Gatekeeper warning as the remaining hurdle.

The “.localized” loader checks the MD5 hash of the beacon on disk against an expected value and, if it differs, downloads a fresh copy from the C2 server. MD5 offers no real integrity guarantee here; it serves the operators as a version check rather than as a defense against tampering.

This mechanism allows the attackers to update or evolve their malware in place, ensuring resilience and ongoing operational security.

The Khepri framework equips attackers with a wide range of post-compromise capabilities, including arbitrary file transfers, system reconnaissance, process manipulation, and remote shell command execution, functions that can ultimately facilitate data exfiltration or further lateral movement within a targeted environment.

According to the report, the choice of lures suggests a deliberate focus on back-end tooling such as Termius, SecureCRT, and Navicat, indicating strategic targeting of IT and development infrastructure.

Analysts underscore that this campaign leverages poisoned installers, making rigorous software sourcing and code integrity checks vital to defense.

The persistence and rapid evolution observed in macOS.ZuRu variants reinforce its status as a critical and ongoing threat.

With multiple samples surfaced by researchers, enterprises are urged to remain vigilant for related indicators of compromise and to review security protocols for application downloads.

Indicators of Compromise (IOCs)

SHA256 Hash | Link to PolySwarm Sample
8ac593fbe69ae93de505003eff446424d4fd165cda6f85c8c27e8e1cb352b06e | Sample 1
42605f1d22f8d38f0be494f36d377bf71592ae54583e6e78641a63ec3021cbeb | Sample 2
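The infection chain described above (renamed original helper, hidden executable loader, ad hoc signature, beacon dropped under /tmp) together with the two hashes in this table give a host-level triage checklist. The script below is an added example written for this page, not code from SentinelOne, Termius or the malware. It walks a Termius.app bundle for any nested “Termius Helper.app” (the exact location inside the bundle is not given on the page, so walking rather than hard-coding the path is an assumption), inspects its Contents/MacOS directory, hashes every binary against the published IOCs, asks codesign whether the signature is ad hoc when codesign is available, and checks for /tmp/.fseventsd. The make_constructed_sample helper builds a tiny stand-in bundle with placeholder files so the script runs offline; nothing in it is a real sample.

```python
import hashlib
import os
import shutil
import stat
import subprocess
import sys
import tempfile

# The two SHA256 values from the IOC table on this page.
IOC_SHA256 = {
    "8ac593fbe69ae93de505003eff446424d4fd165cda6f85c8c27e8e1cb352b06e",
    "42605f1d22f8d38f0be494f36d377bf71592ae54583e6e78641a63ec3021cbeb",
}
RENAMED_ORIGINAL = ".Termius Helper1"   # where the real helper is moved
LOADER_NAME = ".localized"              # the loader dropped beside it
BEACON_DROP = ".fseventsd"              # written under /tmp by the loader


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def helper_macos_dirs(app_path):
    """Yield Contents/MacOS of every 'Termius Helper.app' nested in the bundle
    (Contents/MacOS is the standard location of a bundle's executables)."""
    for root, dirs, _ in os.walk(app_path):
        for d in dirs:
            if d == "Termius Helper.app":
                yield os.path.join(root, d, "Contents", "MacOS")


def check_bundle(app_path):
    """Return (finding, path) tuples for the artefacts the report describes."""
    findings = []
    for macos_dir in helper_macos_dirs(app_path):
        if not os.path.isdir(macos_dir):
            continue
        for name in sorted(os.listdir(macos_dir)):
            p = os.path.join(macos_dir, name)
            if not os.path.isfile(p):
                continue
            if name == RENAMED_ORIGINAL:
                findings.append(("renamed original helper", p))
            # '.localized' is a legitimate empty marker file in user folders;
            # an executable one inside Contents/MacOS is not.
            if name == LOADER_NAME and os.stat(p).st_mode & stat.S_IXUSR:
                findings.append(("executable .localized loader", p))
            if sha256_file(p) in IOC_SHA256:
                findings.append(("SHA256 matches published IOC", p))
    return findings


def signature_is_adhoc(app_path):
    """True if codesign reports 'Signature=adhoc', False otherwise, None when
    codesign is not available (non-macOS host). codesign -d prints on stderr."""
    if shutil.which("codesign") is None:
        return None
    res = subprocess.run(["codesign", "-d", "--verbose=4", app_path],
                         capture_output=True, text=True)
    return "Signature=adhoc" in res.stderr


def beacon_dropped(tmp_dir="/tmp"):
    """Check for the hidden beacon file the loader writes under /tmp."""
    return os.path.exists(os.path.join(tmp_dir, BEACON_DROP))


def make_constructed_sample():
    """Build a placeholder bundle mimicking the trojanized layout (constructed,
    not a real sample). Returns (app_path, fake_tmp_dir)."""
    base = tempfile.mkdtemp(prefix="zuru-triage-")
    app = os.path.join(base, "Termius.app")
    macos = os.path.join(app, "Contents", "Frameworks", "Termius Helper.app",
                         "Contents", "MacOS")
    os.makedirs(macos)
    for name, data, mode in (("Termius Helper", b"placeholder", 0o755),
                             (RENAMED_ORIGINAL, b"abc", 0o755),
                             (LOADER_NAME, b"placeholder", 0o755)):
        path = os.path.join(macos, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
    fake_tmp = os.path.join(base, "tmp")
    os.makedirs(fake_tmp)
    open(os.path.join(fake_tmp, BEACON_DROP), "wb").close()
    return app, fake_tmp


if __name__ == "__main__":
    app = sys.argv[1] if len(sys.argv) > 1 else make_constructed_sample()[0]
    for finding, path in check_bundle(app):
        print(f"[!] {finding}: {path}")
    print("ad hoc signature:", signature_is_adhoc(app))
    print("/tmp/.fseventsd present:", beacon_dropped())
```

Run it as `python3 triage.py /Applications/Termius.app` on a suspect host; with no argument it runs against the constructed placeholder bundle. A genuine Termius build should show no findings and a Developer ID in codesign’s output, and `spctl --assess --type execute /Applications/Termius.app` is a second opinion on whether Gatekeeper would accept the bundle. Hash matches only catch the two published samples, so the file-layout and signature checks matter more for variants.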


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
