Sunday, January 18, 2026

Termius SSH Client Exploited in New ZuRu Malware Variant to Target macOS Users

A newly uncovered variant of the persistent macOS.ZuRu malware has been detected in the wild, delivered through a trojanized build of the popular Termius SSH client.

This sophisticated campaign, which has been targeting developers and IT professionals since late May 2025, uses advanced evasion tactics to stealthily establish remote access on macOS devices.

Trojanized Termius App Used as Infection Vector

Security researchers at SentinelOne recently reported that attackers have modified the Termius application, a widely used SSH client among developers, to conceal a highly advanced backdoor.

Distributed as a .dmg disk image, the malicious Termius.app is noticeably larger than the legitimate one (248MB versus 225MB) because two hidden executables have been added to the Termius Helper.app bundle.

The attackers replace the genuine Termius Helper binary with a malicious Mach-O binary, also dubbed “Termius Helper,” while covertly renaming the original to “.Termius Helper1” to preserve application functionality and avoid raising suspicion.

When launched, the malicious helper executes both its legitimate counterpart and an additional loader named “.localized.” This loader retrieves a customized Khepri command-and-control (C2) beacon, depositing it on the system at /tmp/.fseventsd.

Modified Khepri C2 Beacon Evades Detection

The linchpin of the attack is the Khepri beacon embedded in the infected application, which is built on an open-source post-exploitation framework.

Unlike previous ZuRu variants that relied on malicious dynamic libraries, this version leverages a trojanized helper application to circumvent macOS security tools that monitor library injection.

The beacon operates in either “skip” or background daemon modes, sending a heartbeat to the C2 infrastructure every five seconds, which is twice the default setting.

It communicates surreptitiously over port 53, often used for DNS, and uses legitimate-looking domains such as “www.baidu[.]com” as decoys, masking its true intentions.

The C2 server addresses maintain a naming pattern consistent with earlier ZuRu campaigns, for example “ctl01.macnavicat[.]com.”

The loader validates the Khepri payload with MD5 hashes and supports stealthy self-updating, ensuring malware persistence and adaptability.

To bypass Apple’s Gatekeeper protections, attackers strip the legitimate developer certificate and re-sign the application with an ad hoc signature, banking on user trust in “signed” binaries.

Targeted Attack on Tech-Savvy Users

This fresh ZuRu wave appears meticulously aimed at backend professionals, as evidenced by recent attacks on users of Termius, SecureCRT, and Navicat.

Analysts warn that the proliferation of pirated or Trojanized infrastructure tools significantly increases the risk to IT environments.

With capabilities spanning file transfers, system reconnaissance, and command execution with output capture, the new ZuRu variant shows a clear evolution of threat actor sophistication.

Security experts urge strict software source vetting, especially for macOS users in technical roles, as ZuRu’s advanced tactics make manual detection extremely challenging.

PolySwarm has catalogued multiple ZuRu samples, underscoring its ongoing evolution and persistence in the wild.

IOCs

PolySwarm has multiple samples of macOS.ZuRu.

8ac593fbe69ae93de505003eff446424d4fd165cda6f85c8c27e8e1cb352b06e

42605f1d22f8d38f0be494f36d377bf71592ae54583e6e78641a63ec3021cbeb
