New ZuRu Malware Targets macOS Developers via Termius App

Edward Zhou
Edward Zhou

CEO & Co-Founder

 
July 17, 2025 3 min read

New ZuRu Malware Variant Targets macOS Developers via Trojanized Termius App

Cybersecurity researchers have identified a new variant of macOS malware known as ZuRu, which specifically targets developers and IT professionals by embedding malicious code in the legitimate Termius macOS application. This malware leverages a modified Khepri command-and-control (C2) framework, utilizing advanced infection mechanisms that highlight the evolving threat landscape for macOS users.

New macOS Malware ZuRu

Image courtesy of The Hacker News

ZuRu Malware's Evolving Tactics

First identified in 2021, ZuRu initially spread through poisoned search results on platforms like Baidu, redirecting users to malicious sites hosting trojanized versions of popular macOS utilities such as iTerm2, SecureCRT, Navicat, and Microsoft Remote Desktop for Mac. The consistent targeting of backend tools for SSH and remote connections suggests a deliberate focus on developers and IT professionals.

The malware has evolved with significant changes in its infection vector. Earlier variants injected malicious dynamic libraries (.dylib) into the main application bundle. The latest variant modifies an embedded helper application within the legitimate Termius.app, which likely helps it evade existing detection mechanisms.

  • Increased Size: The trojanized Termius.app is larger (248MB) than its legitimate counterpart (225MB) due to the inclusion of malicious binaries.
  • Ad Hoc Code Signing: Attackers replace the original code signature with their own to bypass macOS code signing rules.

Inside the Trojanized Termius App

The compromised Termius app is delivered via a .dmg disk image containing a doctored version of Termius.app. This altered bundle includes two crucial executables:

  • .localized: This serves as the primary malware loader, which, upon execution, downloads a Khepri C2 beacon from download.termius[.]info and writes it to /tmp/.fseventsd.
  • .Termius Helper1: This is a renamed version of the legitimate Termius Helper, ensuring the parent application operates as expected to avoid detection.

Persistence and Communication

To maintain a foothold on the compromised system, the malware establishes persistence through:

  • LaunchDaemon: It requests elevated privileges from the user and writes a persistence plist file named com.apple.xssooxxagent to /Library/LaunchDaemons, ensuring the malware executes hourly.
  • Lock Mechanism: The malware uses a lock file (/tmp/apple-local-ipc.sock.lock) to ensure only one instance is running at a time.
  • Update Mechanism: The loader checks for and downloads new versions of the Khepri payload by comparing MD5 hashes with a remote server, allowing for updates or integrity checks.

Modified Khepri C2 Implant

The downloaded payload is a modified Khepri C2 beacon, a full-featured implant with capabilities such as file transfer, system reconnaissance, process execution, and command execution with output capture. It communicates with its C2 infrastructure using DNS port 53, masquerading as legitimate traffic while reaching out to ctl01.termius[.]fun, which resolves to an Alibaba Cloud-hosted IP.

Indicators of Compromise (IOCs)

Organizations are advised to review the following indicators for detection:

  • File Paths:
    • /Library/LaunchDaemons/com.apple.xssooxxagent.plist
    • /Users/Shared/com.apple.xssooxxagent
    • /private/tmp/Termius
    • /tmp/.fseventsd
    • /tmp/apple-local-ipc.sock.lock
  • SHA-1 Hashes:
    • Khepri C2 Beacon
    • Trojan Mach-O
    • Trojan Disk Image
    • Malware Loader
  • Network Communications:
    • http[:]//download.termius[.]info/bn.log.enc
    • ctl01.termius[.]fun

The latest ZuRu variant underscores the persistent threat to macOS users, particularly those in development and IT roles. It showcases the need for robust endpoint protection to counteract evolving malware tactics.

For organizations looking to enhance their cybersecurity posture, consider tailored solutions from Gopher Security , which offers comprehensive protection against advanced threats. Explore how Gopher Security can safeguard your systems and ensure operational continuity.

Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview
OpenSSL vulnerability

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview

Urgent: OpenSSL 3.x vulnerable to CVE-2025-15467, enabling pre-auth RCE. Learn affected versions, impact, and immediate mitigation steps. Protect your systems now!

By Divyansh Ingle March 10, 2026 4 min read
common.read_full_article
SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now
SolarWinds Web Help Desk

SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now

Critical RCE & Auth Bypass flaws in SolarWinds Web Help Desk are fixed! Don't risk it. Update to v2026.1 now to protect your systems. Learn more.

By Edward Zhou March 9, 2026 4 min read
common.read_full_article
AI vs Human Hackers: Who Prevails in 2026 Pen Testing?
AI hacking

AI vs Human Hackers: Who Prevails in 2026 Pen Testing?

Discover the results of a groundbreaking study comparing AI agents and human hackers in web vulnerability exploitation. See who prevails and what it means for your security. Read now!

By Jim Gagnard March 6, 2026 6 min read
common.read_full_article
Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends
vulnerability exploits

Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends

Exploits are now the top intrusion method, outpacing phishing. Discover why rapid vulnerability patching is critical and how to bolster your defenses. Read more!

By Edward Zhou March 4, 2026 4 min read
common.read_full_article