New ZuRu Malware Targets macOS Developers via Termius App

Edward Zhou
Edward Zhou

CEO & Co-Founder

 
July 17, 2025
3 min read

New ZuRu Malware Variant Targets macOS Developers via Trojanized Termius App

Cybersecurity researchers have identified a new variant of macOS malware known as ZuRu, which specifically targets developers and IT professionals by embedding malicious code in the legitimate Termius macOS application. This malware leverages a modified Khepri command-and-control (C2) framework, utilizing advanced infection mechanisms that highlight the evolving threat landscape for macOS users.

New macOS Malware ZuRu

Image courtesy of The Hacker News

ZuRu Malware's Evolving Tactics

First identified in 2021, ZuRu initially spread through poisoned search results on platforms like Baidu, redirecting users to malicious sites hosting trojanized versions of popular macOS utilities such as iTerm2, SecureCRT, Navicat, and Microsoft Remote Desktop for Mac. The consistent targeting of backend tools for SSH and remote connections suggests a deliberate focus on developers and IT professionals.

The malware has evolved with significant changes in its infection vector. Earlier variants injected malicious dynamic libraries (.dylib) into the main application bundle. The latest variant modifies an embedded helper application within the legitimate Termius.app, which likely helps it evade existing detection mechanisms.

  • Increased Size: The trojanized Termius.app is larger (248MB) than its legitimate counterpart (225MB) due to the inclusion of malicious binaries.
  • Ad Hoc Code Signing: Attackers replace the original code signature with their own to bypass macOS code signing rules.

Inside the Trojanized Termius App

The compromised Termius app is delivered via a .dmg disk image containing a doctored version of Termius.app. This altered bundle includes two crucial executables:

  • .localized: This serves as the primary malware loader, which, upon execution, downloads a Khepri C2 beacon from download.termius[.]info and writes it to /tmp/.fseventsd.
  • .Termius Helper1: This is a renamed version of the legitimate Termius Helper, ensuring the parent application operates as expected to avoid detection.

Persistence and Communication

To maintain a foothold on the compromised system, the malware establishes persistence through:

  • LaunchDaemon: It requests elevated privileges from the user and writes a persistence plist file named com.apple.xssooxxagent to /Library/LaunchDaemons, ensuring the malware executes hourly.
  • Lock Mechanism: The malware uses a lock file (/tmp/apple-local-ipc.sock.lock) to ensure only one instance is running at a time.
  • Update Mechanism: The loader checks for and downloads new versions of the Khepri payload by comparing MD5 hashes with a remote server, allowing for updates or integrity checks.

Modified Khepri C2 Implant

The downloaded payload is a modified Khepri C2 beacon, a full-featured implant with capabilities such as file transfer, system reconnaissance, process execution, and command execution with output capture. It communicates with its C2 infrastructure using DNS port 53, masquerading as legitimate traffic while reaching out to ctl01.termius[.]fun, which resolves to an Alibaba Cloud-hosted IP.

Indicators of Compromise (IOCs)

Organizations are advised to review the following indicators for detection:

  • File Paths:
    • /Library/LaunchDaemons/com.apple.xssooxxagent.plist
    • /Users/Shared/com.apple.xssooxxagent
    • /private/tmp/Termius
    • /tmp/.fseventsd
    • /tmp/apple-local-ipc.sock.lock
  • SHA-1 Hashes:
    • Khepri C2 Beacon
    • Trojan Mach-O
    • Trojan Disk Image
    • Malware Loader
  • Network Communications:
    • http[:]//download.termius[.]info/bn.log.enc
    • ctl01.termius[.]fun

The latest ZuRu variant underscores the persistent threat to macOS users, particularly those in development and IT roles. It showcases the need for robust endpoint protection to counteract evolving malware tactics.

For organizations looking to enhance their cybersecurity posture, consider tailored solutions from Gopher Security , which offers comprehensive protection against advanced threats. Explore how Gopher Security can safeguard your systems and ensure operational continuity.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

2026 Cybersecurity Trends: Dominance of Vulnerability Exploits
vulnerability exploits

2026 Cybersecurity Trends: Dominance of Vulnerability Exploits

Vulnerability exploits now account for 40% of cyber intrusions, surpassing phishing. Learn how shrinking patch windows and edge device targets are changing security.

By Brandon Woo April 6, 2026 3 min read
common.read_full_article
Surge in Vulnerability Exploits: Cyber Intrusions Trends 2026
cybersecurity trends 2026

Surge in Vulnerability Exploits: Cyber Intrusions Trends 2026

Vulnerability exploits now drive 40% of cyberattacks as hackers weaponize flaws within hours. Learn why traditional patching is failing and how to adapt. Read more.

By Divyansh Ingle March 30, 2026 3 min read
common.read_full_article
Surge in Vulnerability Exploits Dominates 2026 Cyber Intrusions
Vulnerability Exploitation

Surge in Vulnerability Exploits Dominates 2026 Cyber Intrusions

Hackers are weaponizing zero-days within hours of disclosure, leaving traditional patch cycles in the dust. Learn how to bridge the security gap with MFA and Zero-Trust.

By Alan V Gutnov March 23, 2026 4 min read
common.read_full_article
Vulnerability Exploits Dominate Cyber Intrusions in 2026 Trends
vulnerability exploits

Vulnerability Exploits Dominate Cyber Intrusions in 2026 Trends

Exploits are the leading cause of cyber intrusions, outpacing phishing. Discover the latest trends and essential strategies to protect your organization. Read now!

By Brandon Woo March 16, 2026 3 min read
common.read_full_article