A newly uncovered variant of the persistent macOS.ZuRu malware has been detected in the wild, exploiting a compromised version of the popular Termius SSH client.
This campaign, which has targeted developers and IT professionals since late May 2025, uses evasion tactics designed to establish remote access on macOS devices without drawing attention.
Security researchers at SentinelOne recently reported that attackers have modified the Termius application, a widely used SSH client among developers, to conceal a highly advanced backdoor.
Distributed as a .dmg disk image, the malicious Termius.app is noticeably larger than the legitimate build (248MB versus 225MB) because two hidden executables have been added to the Termius Helper.app bundle.
The attackers replace the genuine Termius Helper binary with a malicious Mach-O binary, also dubbed “Termius Helper,” while covertly renaming the original to “.Termius Helper1” to preserve application functionality and avoid raising suspicion.
When launched, the malicious helper executes both its legitimate counterpart and an additional loader named “.localized.” This loader retrieves a customized Khepri command-and-control (C2) beacon, depositing it on the system at /tmp/.fseventsd.
The linchpin of the attack is the Khepri beacon, based on an open-source post-exploitation framework, embedded in the infected application.
Unlike previous ZuRu variants that relied on malicious dynamic libraries, this version leverages a trojanized helper application to circumvent macOS security tools that monitor library injection.
The beacon operates in either “skip” or background daemon modes, sending a heartbeat to the C2 infrastructure every five seconds, which is twice the default setting.
It communicates surreptitiously over port 53, often used for DNS, and uses legitimate-looking domains such as “www.baidu[.]com” as decoys, masking its true intentions.
The C2 server addresses maintain a naming pattern consistent with earlier ZuRu campaigns, for example “ctl01.macnavicat[.]com.”
The loader validates the Khepri payload with MD5 hashes and supports stealthy self-updating, ensuring malware persistence and adaptability.
To bypass Apple’s Gatekeeper protections, attackers strip the legitimate developer certificate and re-sign the application with an ad hoc signature, banking on user trust in “signed” binaries.
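The bundle-level indicators described above (dot-prefixed executables hidden inside Termius Helper.app, an ad hoc code signature, and the dropped beacon at /tmp/.fseventsd) can be checked from a shell. The following triage script is an added example, not code from the article, SentinelOne, or Termius; the function names are ours, and the bundle layout it searches is located with `find` rather than assumed. Note that an ad hoc signature carries no Developer ID certificate chain, which is why `codesign -dv` reports it as `Signature=adhoc` rather than an `Authority=` line.

```shell
#!/bin/sh
# Added triage helper (constructed for this write-up, not the article's own code).
# Checks a Termius.app copy for the indicators reported above:
#   1. hidden (dot-prefixed) regular files inside "Termius Helper.app/Contents/MacOS",
#      where the article reports ".Termius Helper1" and ".localized";
#   2. an ad hoc signature in `codesign -dv` output ("Signature=adhoc");
#   3. the beacon drop path /tmp/.fseventsd.

# Print the number of hidden regular files found in any "Termius Helper.app"
# MacOS directory below the given .app path (0 for a clean bundle).
count_hidden_helper_files() {
    find "$1" -path '*/Termius Helper.app/Contents/MacOS/*' -name '.*' -type f 2>/dev/null \
        | wc -l | tr -d ' '
}

# List those hidden files, one per line, for the analyst.
list_hidden_helper_files() {
    find "$1" -path '*/Termius Helper.app/Contents/MacOS/*' -name '.*' -type f 2>/dev/null
}

# Read `codesign -dv` output on stdin; succeed when the signature is ad hoc.
signature_is_adhoc() {
    grep -q '^Signature=adhoc$'
}

# Succeed when the beacon path exists (defaults to the path named in the article).
beacon_dropped() {
    [ -e "${1:-/tmp/.fseventsd}" ]
}

# Run all checks against a bundle; prints one FINDING line per indicator.
# $1 = path to Termius.app, $2 = optional beacon path override (for testing).
triage_termius_bundle() {
    app="$1"
    beacon="${2:-/tmp/.fseventsd}"
    if [ "$(count_hidden_helper_files "$app")" -gt 0 ]; then
        echo "FINDING: hidden executables in Termius Helper.app:"
        list_hidden_helper_files "$app"
    fi
    # codesign exists only on macOS; skip the signature check elsewhere.
    if command -v codesign >/dev/null 2>&1 &&
       codesign -dv "$app" 2>&1 | signature_is_adhoc; then
        echo "FINDING: bundle is ad hoc signed (no Developer ID)"
    fi
    if beacon_dropped "$beacon"; then
        echo "FINDING: beacon path $beacon present"
    fi
    return 0
}
```

Run it as `triage_termius_bundle /Applications/Termius.app`; a legitimate install should produce no FINDING lines.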
This fresh ZuRu wave appears meticulously aimed at backend professionals, as evidenced by recent attacks on users of Termius, SecureCRT, and Navicat.
Analysts warn that the proliferation of pirated or trojanized infrastructure tools significantly increases the risk to IT environments.
With capabilities spanning file transfers, system reconnaissance, and command execution with output capture, the new ZuRu variant shows a clear evolution of threat actor sophistication.
Security experts urge strict software source vetting, especially for macOS users in technical roles, as ZuRu’s advanced tactics make manual detection extremely challenging.
PolySwarm has catalogued multiple macOS.ZuRu samples, underscoring its ongoing evolution and persistence in the wild. Two of the sample hashes (SHA-256):
8ac593fbe69ae93de505003eff446424d4fd165cda6f85c8c27e8e1cb352b06e
42605f1d22f8d38f0be494f36d377bf71592ae54583e6e78641a63ec3021cbeb