
Cybersecurity researchers have discovered a new artifact related to the Apple macOS malware known as ZuRu.
SentinelOne said in a new report shared with The Hacker News that it observed the malware embedded in a trojanized copy of Termius, a cross-platform SSH client and server management tool, in late May 2025.
“ZuRu malware continues to attract macOS users who are looking for legitimate business tools and adapts them to back-arrange loaders and C2 techniques,” said researchers Phil Stokes and Dinesh Devadoss.
ZuRu was first documented in September 2021 as part of a malicious campaign, promoted to users of the Chinese Q&A website Zhihu, that hijacked the legitimate macOS terminal app iTerm2 and used lookalike websites to deceive unsuspecting users.

Then, in January 2024, Jamf Threat Labs said it had discovered malware, distributed via pirated macOS apps, that shared similarities with ZuRu. Other popular software trojanized to deliver the malware includes Microsoft’s Remote Desktop for Mac, SecureCRT and Navicat.
The fact that ZuRu primarily relies on sponsored web search results for distribution indicates that the threat actors behind the malware are opportunistic rather than targeted in their attacks.
Like the sample detailed by Jamf, the newly discovered ZuRu artifact uses a modified version of the open-source post-exploitation toolkit known as Khepri to give attackers remote control of infected hosts.
“The malware is delivered via .dmg disk images and includes a hacked version of the real Termius.app,” the researchers said. “Because the application bundle in the disk image has been changed, the attacker replaced the developer’s code signature with his own ad hoc signature in order to pass macOS code signature rules.”

The modified app bundles two additional executables inside Termius Helper.app: a loader named “Localized,” which is designed to download and launch the Khepri command-and-control (C2) beacon from an external server (“download.termius[.]info”), and “.termius helper1,” a renamed copy of the genuine Termius Helper app.
“The use of Khepri was seen in previous versions of ZuRu, but this method of trojanizing legitimate applications is different from the threat actor’s previous techniques,” the researchers explained.
“In older versions of ZuRu, the malware author modified the executable in the main bundle by adding an additional load command that references an external .dylib.”
In addition to downloading the Khepri beacon, the loader is designed to set up persistence on the host and to check whether the malware already exists at a predefined path on the system (“/tmp/.fseventsd”).
If the file is present but its hash does not match the expected value, a fresh copy is downloaded. This feature is likely to serve as an update mechanism for retrieving newer versions of the malware as they become available, although SentinelOne notes it could also be a way to ensure that the payload has not been corrupted or altered after it has been dropped to disk.
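A defender-side triage script for the tradecraft described above (the ad hoc re-signing of the bundle, the hidden helper executable and the /tmp/.fseventsd persistence check), added here as an example; it is not SentinelOne’s or Termius’s code, and the function names and the embedded `codesign -dvvv` output samples are constructed for illustration.

```python
import os
import subprocess

# Constructed sample of `codesign -dvvv` output for an ad hoc signed bundle
# (same shape as the real tool's output; the values are illustrative only).
ADHOC_SAMPLE = """Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.termius.mac
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=30
TeamIdentifier=not set
"""

# Constructed sample for a properly Developer ID signed bundle.
DEVID_SAMPLE = """Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.termius.mac
CodeDirectory v=20400 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Developer (EXAMPLETEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLETEAM
"""

def signature_is_adhoc(codesign_output: str) -> bool:
    """True when codesign reports an ad hoc signature: no Authority chain and
    either a 'Signature=adhoc' line or the '(adhoc)' flag on the CodeDirectory."""
    lines = codesign_output.splitlines()
    has_authority = any(l.startswith("Authority=") for l in lines)
    adhoc_marker = any(l.strip() == "Signature=adhoc" or "(adhoc)" in l
                       for l in lines if l.startswith(("Signature=", "CodeDirectory")))
    return adhoc_marker and not has_authority

def hidden_executables(names):
    """Dotfile entries in Contents/MacOS; legitimate bundles do not ship them,
    and the trojanized helper bundle carried '.termius helper1'."""
    return sorted(n for n in names if n.startswith("."))

def persistence_marker_present(path="/tmp/.fseventsd"):
    """The loader checks this predefined path; its presence on a host warrants a look."""
    return os.path.exists(path)

def triage_bundle(bundle_path):
    """Live check on a real bundle: codesign writes its report to stderr."""
    out = subprocess.run(["codesign", "-dvvv", bundle_path], capture_output=True, text=True)
    macos_dir = os.path.join(bundle_path, "Contents", "MacOS")
    names = os.listdir(macos_dir) if os.path.isdir(macos_dir) else []
    return {"adhoc": signature_is_adhoc(out.stderr + out.stdout),
            "hidden_executables": hidden_executables(names),
            "persistence_marker": persistence_marker_present()}
```

Run `triage_bundle("/Applications/Termius.app/Contents/MacOS/Termius Helper.app")` on a macOS host to check an installed copy; an ad hoc signature on a commercial app, a dotfile executable in Contents/MacOS, or the /tmp marker each merits investigation.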

The modified Khepri tool is a feature-packed C2 implant that supports file transfer, system reconnaissance, process execution and control, and command execution with output capture. The C2 server the beacon communicates with is “ctl01.termius[.]fun”.
“The latest variant of macOS.ZuRu continues the pattern of threat actors that trojanize legitimate macOS applications used by developers and IT professionals,” the researchers said.
“The shift in techniques from dylib injection to trojanizing embedded helper applications could be an attempt to avoid certain types of detection logic. Still, it suggests that the actors continue to rely on specific TTPs, from target application and domain name selection to file name reuse, persistence and beacon methods, which gives endpoint protection continued opportunities for success.”