New ZuRu Malware Targets macOS Developers via Termius App

Edward Zhou
Edward Zhou

CEO & Co-Founder

 
July 17, 2025 3 min read

New ZuRu Malware Variant Targets macOS Developers via Trojanized Termius App

Cybersecurity researchers have identified a new variant of macOS malware known as ZuRu, which specifically targets developers and IT professionals by embedding malicious code in the legitimate Termius macOS application. This malware leverages a modified Khepri command-and-control (C2) framework, utilizing advanced infection mechanisms that highlight the evolving threat landscape for macOS users.

New macOS Malware ZuRu

Image courtesy of The Hacker News

ZuRu Malware's Evolving Tactics

First identified in 2021, ZuRu initially spread through poisoned search results on platforms like Baidu, redirecting users to malicious sites hosting trojanized versions of popular macOS utilities such as iTerm2, SecureCRT, Navicat, and Microsoft Remote Desktop for Mac. The consistent targeting of backend tools for SSH and remote connections suggests a deliberate focus on developers and IT professionals.

The malware has evolved with significant changes in its infection vector. Earlier variants injected malicious dynamic libraries (.dylib) into the main application bundle. The latest variant modifies an embedded helper application within the legitimate Termius.app, which likely helps it evade existing detection mechanisms.

  • Increased Size: The trojanized Termius.app is larger (248MB) than its legitimate counterpart (225MB) due to the inclusion of malicious binaries.
  • Ad Hoc Code Signing: Attackers replace the original code signature with their own to bypass macOS code signing rules.

Inside the Trojanized Termius App

The compromised Termius app is delivered via a .dmg disk image containing a doctored version of Termius.app. This altered bundle includes two crucial executables:

  • .localized: This serves as the primary malware loader, which, upon execution, downloads a Khepri C2 beacon from download.termius[.]info and writes it to /tmp/.fseventsd.
  • .Termius Helper1: This is a renamed version of the legitimate Termius Helper, ensuring the parent application operates as expected to avoid detection.

Persistence and Communication

To maintain a foothold on the compromised system, the malware establishes persistence through:

  • LaunchDaemon: It requests elevated privileges from the user and writes a persistence plist file named com.apple.xssooxxagent to /Library/LaunchDaemons, ensuring the malware executes hourly.
  • Lock Mechanism: The malware uses a lock file (/tmp/apple-local-ipc.sock.lock) to ensure only one instance is running at a time.
  • Update Mechanism: The loader checks for and downloads new versions of the Khepri payload by comparing MD5 hashes with a remote server, allowing for updates or integrity checks.

Modified Khepri C2 Implant

The downloaded payload is a modified Khepri C2 beacon, a full-featured implant with capabilities such as file transfer, system reconnaissance, process execution, and command execution with output capture. It communicates with its C2 infrastructure using DNS port 53, masquerading as legitimate traffic while reaching out to ctl01.termius[.]fun, which resolves to an Alibaba Cloud-hosted IP.

Indicators of Compromise (IOCs)

Organizations are advised to review the following indicators for detection:

  • File Paths:
    • /Library/LaunchDaemons/com.apple.xssooxxagent.plist
    • /Users/Shared/com.apple.xssooxxagent
    • /private/tmp/Termius
    • /tmp/.fseventsd
    • /tmp/apple-local-ipc.sock.lock
  • SHA-1 Hashes:
    • Khepri C2 Beacon
    • Trojan Mach-O
    • Trojan Disk Image
    • Malware Loader
  • Network Communications:
    • http[:]//download.termius[.]info/bn.log.enc
    • ctl01.termius[.]fun

The latest ZuRu variant underscores the persistent threat to macOS users, particularly those in development and IT roles. It showcases the need for robust endpoint protection to counteract evolving malware tactics.

For organizations looking to enhance their cybersecurity posture, consider tailored solutions from Gopher Security , which offers comprehensive protection against advanced threats. Explore how Gopher Security can safeguard your systems and ensure operational continuity.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

React2Shell Vulnerability CVE-2025-55182: Exploitation Threats and Trends
React2Shell vulnerability

React2Shell Vulnerability CVE-2025-55182: Exploitation Threats and Trends

Critical React2Shell RCE vulnerability exploited by threat actors. Learn about attacker techniques, observed payloads like crypto miners, and how to protect your systems. Read now!

By Divyansh Ingle December 12, 2025 8 min read
Read full article
WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups
WinRAR vulnerability

WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups

CISA flags WinRAR CVE-2025-6218 as actively exploited. Learn about this path traversal flaw and how to protect your systems. Update now!

By Jim Gagnard December 11, 2025 3 min read
Read full article
Malicious VSCode Extensions Launch Multi-Stage Attacks and Infostealers
malicious VSCode extensions

Malicious VSCode Extensions Launch Multi-Stage Attacks and Infostealers

Beware of malicious VSCode extensions & device code phishing scams. Learn how these attacks steal credentials, capture screens, and hijack sessions. Protect yourself now!

By Alan V Gutnov December 10, 2025 6 min read
Read full article
PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure
BRICKSTORM malware

PRC State-Sponsored BRICKSTORM Malware Targets Critical Infrastructure

Discover how PRC state actors are using BRICKSTORM malware to gain persistent access via VMware. Learn about its advanced evasion techniques and how to defend your systems. Read now!

By Divyansh Ingle December 9, 2025 3 min read
Read full article