Security researchers have identified a new variant of the macOS.ZuRu malware that specifically targets developers and IT professionals through a trojanized version of the popular SSH client Termius.
This latest evolution of the malware, which first emerged in July 2021, demonstrates increasingly sophisticated techniques to evade detection while maintaining persistence on infected systems.
Evolution of Attack Methods
The ZuRu malware family has undergone significant evolution since its initial discovery by a Chinese blogger in 2021.
Originally, the malware was distributed through poisoned search results on Baidu, redirecting users searching for the popular terminal emulator iTerm2 to malicious sites hosting trojanized versions.
The threat actors subsequently expanded their targets to include other macOS utilities such as SecureCRT, Navicat, and Microsoft’s Remote Desktop for Mac.
In January 2024, researchers at JAMF discovered that the malware had evolved to leverage the open-source Khepri C2 framework for post-infection operations.
The latest sample, discovered in May 2025, represents another significant technical advancement, employing new methods to trojanize legitimate applications while utilizing a modified Khepri beacon for command and control operations.
Technical Analysis Reveals Sophisticated Infection Process
The malware is delivered via a .dmg disk image containing a compromised version of Termius.app.
The trojanized version is notably larger at 248MB compared to the legitimate 225MB version, due to additional malicious binaries embedded within the application bundle.
The attackers replace the developer’s code signature with their own ad hoc signature to bypass macOS code signing restrictions.
The infection process involves replacing the legitimate Termius Helper binary with a massive 25MB Mach-O file that launches both the malware loader (.localized) and the original helper application to maintain normal functionality.

The .localized component downloads additional payloads from download.termius[.]info and establishes persistence through a LaunchDaemon with the label com.apple.xssooxxagent.
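The persistence label and the hidden loader name above are the host-side indicators a defender can check for. The following script is an added example, not code from the article, from SentinelOne or from the Termius project: it inspects launchd plists for the com.apple.xssooxxagent label and walks an application bundle for a file named .localized that is actually a Mach-O executable (a genuine .localized marker is an empty file or a directory). The program path in the constructed plist fixture is a hypothetical placeholder; the article does not give it.

```python
"""Added example (not from the SentinelOne write-up or the Termius project):
audit a macOS host for the ZuRu indicators the article names, namely a
launchd job labelled com.apple.xssooxxagent and a Mach-O executable hiding
under the name '.localized' inside an application bundle."""
import plistlib
import tempfile
from pathlib import Path

ZURU_LABEL = "com.apple.xssooxxagent"          # persistence label from the article
# Third-party persistence directories; Apple's own daemons live under /System.
LAUNCH_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents")
# Mach-O magic numbers (32/64-bit, both byte orders, and fat binaries).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

# Constructed fixtures: a plist mimicking the ZuRu job (the program path is a
# hypothetical placeholder, the article does not give it) and a benign one.
SAMPLE_PLIST = plistlib.dumps({
    "Label": ZURU_LABEL,
    "ProgramArguments": ["/Applications/Termius.app/Contents/MacOS/.localized"],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/local/bin/updater", "--check"],
})


def parse_launchd_plist(data: bytes) -> list:
    """Return a list of findings for one launchd plist (empty if nothing odd)."""
    findings = []
    try:
        job = plistlib.loads(data)
    except Exception:
        return ["unparseable plist"]
    label = job.get("Label", "")
    if label == ZURU_LABEL:
        findings.append(f"known ZuRu label {label}")
    elif label.startswith("com.apple."):
        # Apple-style label outside /System: a heuristic, worth a manual look.
        findings.append(f"Apple-style label {label} in a third-party launchd directory")
    for arg in job.get("ProgramArguments", []):
        if arg.endswith("/.localized"):
            findings.append(f"job runs a hidden '.localized' executable: {arg}")
    return findings


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def scan_bundle(bundle: Path) -> list:
    """Flag '.localized' entries that are executables; genuine .localized
    markers are empty files or directories, never Mach-O binaries."""
    return [f"Mach-O disguised as .localized marker: {p}"
            for p in bundle.rglob(".localized") if p.is_file() and is_macho(p)]


def scan_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Run parse_launchd_plist over every plist in the given directories."""
    findings = []
    for d in dirs:
        for plist_path in Path(d).glob("*.plist"):
            for f in parse_launchd_plist(plist_path.read_bytes()):
                findings.append(f"{plist_path}: {f}")
    return findings


def demo() -> dict:
    """Build the constructed fixtures in a temp dir and run both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        macos_dir = root / "Termius.app" / "Contents" / "MacOS"
        macos_dir.mkdir(parents=True)
        # Fake 64-bit Mach-O header standing in for the 25MB loader.
        (macos_dir / ".localized").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
        (root / "Termius.app" / ".localized").write_bytes(b"")   # benign marker
        launch_dir = root / "LaunchDaemons"
        launch_dir.mkdir()
        (launch_dir / f"{ZURU_LABEL}.plist").write_bytes(SAMPLE_PLIST)
        (launch_dir / "com.example.updater.plist").write_bytes(BENIGN_PLIST)
        return {"bundle": scan_bundle(root / "Termius.app"),
                "launchd": scan_launch_dirs([launch_dir])}


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

On a real host, call scan_launch_dirs() with the defaults and scan_bundle(Path("/Applications/Termius.app")); the demo() function only exercises the constructed fixtures. The Apple-style-label heuristic is deliberately broad and is there to prompt review, not to act as a verdict on its own.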
A notable technical improvement is the enhanced encryption routine.
While earlier versions used a simple XOR cipher with key 0x7a, the new variant employs a more complex decryption function using the key string “my_secret_key” combined with XOR, addition, and subtraction operations to obfuscate communications and downloaded payloads.
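The article specifies the legacy scheme completely (single-byte XOR with 0x7a) but gives only the ingredients of the new one: the key string "my_secret_key" and a mix of XOR, addition and subtraction. The block below is an added example, not code from the article or from the malware. The legacy decoder is faithful to the description; for the keyed scheme the operation order and the key schedule (byte i uses key bytes 3i, 3i+1, 3i+2 mod 13) are assumptions chosen for illustration, and the block shows how an analyst validates a candidate decoder against a known plaintext, here a Mach-O magic number, rather than trusting the guess. The sample blob is constructed.

```python
"""Added example (not code from the article or the malware): decoders for the
two ZuRu obfuscation schemes the article describes. The legacy single-byte
XOR with 0x7a is fully specified; for the keyed scheme the article gives only
the ingredients (key "my_secret_key", XOR, addition, subtraction), so the
operation order and key schedule below are assumptions for illustration and
must be confirmed against the sample's decryption routine before use."""
import itertools

LEGACY_KEY = 0x7A
NEW_KEY = b"my_secret_key"
OPS = ("xor", "add", "sub")
MACHO_64_LE = b"\xcf\xfa\xed\xfe"   # known-plaintext check for a decoded payload


def legacy_decode(data: bytes) -> bytes:
    """Earlier ZuRu variants: every byte XORed with 0x7a (self-inverse)."""
    return bytes(b ^ LEGACY_KEY for b in data)


def keyed_transform(data: bytes, key: bytes, order, decrypt: bool) -> bytes:
    """Assumed keyed scheme: each byte goes through the ops in `order`, the
    j-th op using key byte (3*i + j) mod len(key). Decryption runs the ops in
    reverse and swaps add/sub."""
    n = len(key)
    steps = list(enumerate(order))
    if decrypt:
        steps.reverse()
    out = bytearray(len(data))
    for i, b in enumerate(data):
        v = b
        for j, op in steps:
            k = key[(3 * i + j) % n]
            if decrypt and op == "add":
                op = "sub"
            elif decrypt and op == "sub":
                op = "add"
            if op == "xor":
                v ^= k
            elif op == "add":
                v = (v + k) & 0xFF
            else:
                v = (v - k) & 0xFF
        out[i] = v
    return bytes(out)


def recover_order(blob: bytes, key: bytes, magic: bytes = MACHO_64_LE) -> list:
    """Try every op order and keep those whose decode starts with `magic`.
    A header match is only a hint: confirm by decoding the whole blob."""
    return [order for order in itertools.permutations(OPS)
            if keyed_transform(blob, key, order, decrypt=True).startswith(magic)]


def looks_like_macho(data: bytes) -> bool:
    """Cheap sanity check on a decoded payload: does it carry a Mach-O magic?"""
    return data[:4] in {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                        b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


# Constructed sample: a fake Mach-O payload encoded with the assumed order.
ASSUMED_ORDER = ("xor", "add", "sub")
PLAINTEXT = MACHO_64_LE + b"\x07\x00\x00\x01" + b"constructed payload body" * 2
SAMPLE_BLOB = keyed_transform(PLAINTEXT, NEW_KEY, ASSUMED_ORDER, decrypt=False)
LEGACY_BLOB = legacy_decode(PLAINTEXT)   # XOR is symmetric, so this also encodes


if __name__ == "__main__":
    print("legacy decode ok:", looks_like_macho(legacy_decode(LEGACY_BLOB)))
    print("candidate orders:", recover_order(SAMPLE_BLOB, NEW_KEY))
```

When the real routine is recovered from the sample, replace keyed_transform with its actual step sequence and keep the known-plaintext check: a decoder that produces a Mach-O header is a candidate, and only a fully decoded file that loads cleanly confirms it.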
Detection and Protection Measures
The modified Khepri C2 beacon operates with a 5-second heartbeat interval and communicates with the command and control server at ctl01.termius[.]fun, which resolves to Alibaba Cloud IP 47[.]238.28[.]21.
This follows patterns observed in previous ZuRu campaigns, indicating consistent infrastructure choices by the threat actors.
SentinelOne Singularity provides comprehensive protection against macOS.ZuRu, detecting and blocking all malicious components.
Organizations without adequate endpoint protection are advised to monitor for the specific indicators and implement appropriate security measures to protect against this evolving threat targeting macOS users in technical roles.
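The network indicators in this section (ctl01.termius[.]fun, download.termius[.]info, 47[.]238.28[.]21) and the 5-second heartbeat are what an operations team can hunt for in proxy or DNS logs. The script below is an added example, not code from the article or from SentinelOne: it matches destinations against the listed indicators and, more generally, flags any source/destination pair contacted at a near-constant interval, which is how a fixed-interval beacon stands out even after the infrastructure changes. The log format and lines are constructed for the example.

```python
"""Added example (not from the article or SentinelOne): hunt proxy/DNS style
connection logs for the ZuRu C2 indicators the article lists and for the
fixed-interval beaconing a Khepri heartbeat produces. Log format and lines
are constructed for the example."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Indicators from the article, written without the [.] defanging.
IOC_HOSTS = {"ctl01.termius.fun", "download.termius.info", "47.238.28.21"}

# Constructed log: "<epoch seconds> <source ip> -> <destination host>".
SAMPLE_LOG = """\
1715000000.0 10.0.0.5 -> download.termius.info
1715000003.0 10.0.0.5 -> ctl01.termius.fun
1715000008.1 10.0.0.5 -> ctl01.termius.fun
1715000013.0 10.0.0.5 -> ctl01.termius.fun
1715000017.9 10.0.0.5 -> ctl01.termius.fun
1715000023.0 10.0.0.5 -> ctl01.termius.fun
1715000028.0 10.0.0.5 -> ctl01.termius.fun
1715000033.1 10.0.0.5 -> ctl01.termius.fun
1715000001.0 10.0.0.7 -> github.com
1715000007.0 10.0.0.7 -> github.com
1715000030.0 10.0.0.7 -> github.com
1715000031.0 10.0.0.7 -> github.com
1715000060.0 10.0.0.7 -> github.com
1715000090.0 10.0.0.7 -> github.com
1715000095.0 10.0.0.7 -> github.com
"""
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")


def parse_log(text: str) -> list:
    """Return (timestamp, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["src"], m["dst"]))
    return events


def ioc_hits(events) -> list:
    """Every event whose destination is a known ZuRu indicator."""
    return [e for e in events if e[2] in IOC_HOSTS]


def periodic_destinations(events, min_count=6, max_cv=0.1) -> list:
    """Find (src, dst) pairs contacted at a near-constant interval.
    max_cv bounds the jitter as stddev/mean of the gaps; the 5-second
    heartbeat the article describes shows up as a gap of ~5.0 with low jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((src, dst, round(avg, 2)))
    return found


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("IoC hits:", len(ioc_hits(ev)))
    print("beacon-like pairs:", periodic_destinations(ev))
```

The periodicity check will also surface legitimate fixed-interval traffic such as time sync or update checks, so pair it with a destination allowlist and treat a low-jitter connection to an unfamiliar host as a lead to investigate rather than a detection in itself; the IoC match, by contrast, is specific to this campaign and worth an alert on its own.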