New ZuRu Malware Variant Targets Developers via Trojanized Termius macOS App

July 10, 2025Ravi LakshmananEndpoint security/vulnerability

Cybersecurity researchers have discovered a new artifact associated with the Apple macOS malware known as ZuRu.

SentinelOne said in a new report shared with The Hacker News that the malware has been observed propagating via a trojanized version of the cross-platform SSH client and server management tool Termius in late May 2025.

"ZuRu malware continues to prey on macOS users who are looking for legitimate business tools, adapting its loader and C2 techniques to backdoor them," said researchers Phil Stokes and Dinesh Devadoss.

ZuRu was first documented in September 2021 as part of a malicious campaign targeting users of China's Q&A website Zhihu, in which searches for the legitimate macOS terminal app iTerm2 were hijacked to lead unsuspecting users to forged sites hosting trojanized copies.

Then, in January 2024, Jamf Threat Labs said it had discovered malware distributed via pirated macOS apps that shares similarities with ZuRu. Other popular software trojanized to deliver the malware includes Microsoft's Remote Desktop for Mac, SecureCRT and Navicat.

The fact that ZuRu relies primarily on sponsored web searches for distribution indicates that the threat actors behind the malware are more opportunistic than targeted in their attacks.

Similar to the sample detailed by Jamf, the newly discovered ZuRu artifact uses a modified version of the open-source post-exploitation toolkit known as Khepri to give the attackers remote control of infected hosts.

"The malware is delivered via a .dmg disk image and includes a hacked version of the genuine Termius.app," the researchers said. "Because the application bundle in the disk image has been modified, the attacker replaced the developer's code signature with his own ad hoc signature in order to pass macOS code signing rules."

The modified app packs two additional executables into Termius Helper.app: a loader named "Localized", which is designed to download and launch the Khepri command-and-control (C2) beacon from an external server ("download.termius[.]info"), and ".termius helper1", a renamed copy of the genuine Termius Helper app.

"The use of Khepri was seen in previous ZuRu variants, but this method of trojanizing the legitimate application differs from the threat actor's previous technique," the researchers explained.

"In older versions of ZuRu, the malware author modified the executable in the main bundle by adding an additional load command that referenced an external .dylib."

In addition to downloading the Khepri beacon, the loader is designed to set up persistence on the host and to check whether the malware already exists at a predefined path on the system ("/tmp/.fseventsd").

If the hash values do not match, the newer version is downloaded. This feature likely serves as an update mechanism for fetching newer versions of the malware as they become available. However, SentinelOne noted it could also be a way to ensure that the payload has not been corrupted or altered after deployment.
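The indicators SentinelOne describes here (dot-prefixed executables hidden inside the embedded Termius Helper.app, an ad hoc code signature on the altered bundle, and the /tmp/.fseventsd drop path) translate directly into a host triage check. The script below is an added example for this page, not SentinelOne's or Termius's code; it does not assume where the helper bundle sits inside the app, and it only runs the `codesign` step when that tool is present (i.e. on macOS).

```shell
#!/bin/sh
# Added triage helpers for the ZuRu tradecraft described above (not SentinelOne's
# or Termius's code). Any *Helper*.app nested under the app root is searched.

# 1. Dot-prefixed executables hidden in an embedded Helper.app bundle.
#    Prints each hit; returns 0 if any were found, 1 otherwise.
find_hidden_helpers() {
    hits=$(find "$1" -path '*Helper*.app/Contents/MacOS/.*' -type f 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | sed 's/^/hidden helper executable: /'
}

# 2. Ad hoc code signature on the bundle (the attacker replaced the developer's
#    signature). Needs Apple's codesign, so it returns 2 (skipped) elsewhere.
check_adhoc_signature() {
    if ! command -v codesign >/dev/null 2>&1; then
        printf 'codesign unavailable, signature check skipped\n'
        return 2
    fi
    if codesign -dvv "$1" 2>&1 | grep -q '^Signature=adhoc'; then
        printf 'ad hoc code signature: %s\n' "$1"
        return 0
    fi
    return 1
}

# 3. The loader's predefined drop path (/tmp/.fseventsd). The path is a
#    parameter so the check can be exercised against a constructed file.
check_drop_path() {
    path="${1:-/tmp/.fseventsd}"
    [ -e "$path" ] || return 1
    printf 'drop path present: %s\n' "$path"
    if command -v shasum >/dev/null 2>&1; then shasum -a 256 "$path"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$path"; fi
    return 0
}

# Run all three against an .app path, e.g. scan_app /Applications/Termius.app
scan_app() {
    suspicious=0
    find_hidden_helpers "$1" && suspicious=1
    check_adhoc_signature "$1" && suspicious=1
    check_drop_path && suspicious=1
    [ "$suspicious" -eq 1 ]   # exit 0 = something suspicious was found
}

if [ "$#" -gt 0 ]; then scan_app "$1"; fi
```

A hit on the first check alone is worth a closer look: a legitimate Electron-style helper bundle has no reason to carry hidden executables in its Contents/MacOS directory.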

The modified Khepri tool is a feature-packed C2 implant that allows file transfer, system reconnaissance, process execution and control, and command execution with output capture. The C2 server used to communicate with the beacon is "ctl01.termius[.]fun".

"The latest variant of macOS.ZuRu continues the threat actor's pattern of trojanizing legitimate macOS applications used by developers and IT professionals," the researchers said.

"The shift in technique from dylib injection to trojanizing an embedded helper application could be an attempt to evade certain types of detection logic. Still, the actor's continued use of specific TTPs, from target application and domain name selection to file name reuse, persistence and beaconing methods, suggests continued success against endpoints lacking sufficient protection."
