New ZuRu Malware Targets macOS Developers via Termius App

Edward Zhou
Edward Zhou

CEO & Co-Founder

 
July 17, 2025 3 min read

New ZuRu Malware Variant Targets macOS Developers via Trojanized Termius App

Cybersecurity researchers have identified a new variant of macOS malware known as ZuRu, which specifically targets developers and IT professionals by embedding malicious code in the legitimate Termius macOS application. This malware leverages a modified Khepri command-and-control (C2) framework, utilizing advanced infection mechanisms that highlight the evolving threat landscape for macOS users.

New macOS Malware ZuRu

Image courtesy of The Hacker News

ZuRu Malware's Evolving Tactics

First identified in 2021, ZuRu initially spread through poisoned search results on platforms like Baidu, redirecting users to malicious sites hosting trojanized versions of popular macOS utilities such as iTerm2, SecureCRT, Navicat, and Microsoft Remote Desktop for Mac. The consistent targeting of backend tools for SSH and remote connections suggests a deliberate focus on developers and IT professionals.

The malware has evolved with significant changes in its infection vector. Earlier variants injected malicious dynamic libraries (.dylib) into the main application bundle. The latest variant modifies an embedded helper application within the legitimate Termius.app, which likely helps it evade existing detection mechanisms.

  • Increased Size: The trojanized Termius.app is larger (248MB) than its legitimate counterpart (225MB) due to the inclusion of malicious binaries.
  • Ad Hoc Code Signing: Attackers replace the original code signature with their own to bypass macOS code signing rules.

Inside the Trojanized Termius App

The compromised Termius app is delivered via a .dmg disk image containing a doctored version of Termius.app. This altered bundle includes two crucial executables:

  • .localized: This serves as the primary malware loader, which, upon execution, downloads a Khepri C2 beacon from download.termius[.]info and writes it to /tmp/.fseventsd.
  • .Termius Helper1: This is a renamed version of the legitimate Termius Helper, ensuring the parent application operates as expected to avoid detection.

Persistence and Communication

To maintain a foothold on the compromised system, the malware establishes persistence through:

  • LaunchDaemon: It requests elevated privileges from the user and writes a persistence plist file named com.apple.xssooxxagent to /Library/LaunchDaemons, ensuring the malware executes hourly.
  • Lock Mechanism: The malware uses a lock file (/tmp/apple-local-ipc.sock.lock) to ensure only one instance is running at a time.
  • Update Mechanism: The loader checks for and downloads new versions of the Khepri payload by comparing MD5 hashes with a remote server, allowing for updates or integrity checks.

Modified Khepri C2 Implant

The downloaded payload is a modified Khepri C2 beacon, a full-featured implant with capabilities such as file transfer, system reconnaissance, process execution, and command execution with output capture. It communicates with its C2 infrastructure using DNS port 53, masquerading as legitimate traffic while reaching out to ctl01.termius[.]fun, which resolves to an Alibaba Cloud-hosted IP.

Indicators of Compromise (IOCs)

Organizations are advised to review the following indicators for detection:

  • File Paths:
    • /Library/LaunchDaemons/com.apple.xssooxxagent.plist
    • /Users/Shared/com.apple.xssooxxagent
    • /private/tmp/Termius
    • /tmp/.fseventsd
    • /tmp/apple-local-ipc.sock.lock
  • SHA-1 Hashes:
    • Khepri C2 Beacon
    • Trojan Mach-O
    • Trojan Disk Image
    • Malware Loader
  • Network Communications:
    • http[:]//download.termius[.]info/bn.log.enc
    • ctl01.termius[.]fun

The latest ZuRu variant underscores the persistent threat to macOS users, particularly those in development and IT roles. It showcases the need for robust endpoint protection to counteract evolving malware tactics.

For organizations looking to enhance their cybersecurity posture, consider tailored solutions from Gopher Security , which offers comprehensive protection against advanced threats. Explore how Gopher Security can safeguard your systems and ensure operational continuity.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

Instagram Vulnerability Exposes Private Data of Millions
Instagram security

Instagram Vulnerability Exposes Private Data of Millions

Instagram's private posts exposed, millions affected by data breaches, and new location features pose risks. Discover how Gopher Security's AI-powered Zero-Trust architecture protects your data. Learn more!

By Brandon Woo January 27, 2026 4 min read
common.read_full_article
Closing the Cloud Complexity Gap: Insights from 2026 Security Reports
cloud security

Closing the Cloud Complexity Gap: Insights from 2026 Security Reports

Navigate the escalating complexity of cloud security. Discover how AI, Zero-Trust, and unified ecosystems are essential to combatting modern threats. Learn more!

By Divyansh Ingle January 26, 2026 6 min read
common.read_full_article
AI-Driven Cybersecurity Innovations: The Future of Threat Prevention
AI agents security

AI-Driven Cybersecurity Innovations: The Future of Threat Prevention

AI agents are prime targets for cyberattacks. Discover evolving threats like prompt injection & AI-powered exploits, and learn how to fortify your defenses. Read now!

By Brandon Woo January 22, 2026 5 min read
common.read_full_article
GootLoader Malware Evades Detection Using Nested ZIP Archives
GootLoader

GootLoader Malware Evades Detection Using Nested ZIP Archives

GootLoader is back with advanced tricks, using malformed ZIPs to bypass security & target businesses. Learn how to detect and defend against this threat. Protect your assets!

By Edward Zhou January 21, 2026 3 min read
common.read_full_article