
ZuRu Mac Malware

Cybersecurity researchers have uncovered new evidence linking the notorious macOS malware ZuRu to fresh attack campaigns. Known for infiltrating systems through Trojanized software, ZuRu continues to evolve, leveraging updated techniques and tools to compromise unsuspecting users.

Masquerading as Trustworthy Tools

In late May 2025, ZuRu was seen impersonating Termius, a cross-platform SSH client and server management tool. This marks the latest move in a series of malicious campaigns where ZuRu poses as legitimate macOS applications to infect developer and IT environments. Since its first known appearance in September 2021, when it hijacked iTerm2 search results on Chinese Q&A platform Zhihu, the malware has consistently targeted users seeking remote access and database management solutions.

The tactic relies heavily on sponsored search results, allowing the threat actors to opportunistically reach individuals already searching for such tools. This approach increases the likelihood of a successful infection while avoiding broader detection.

From Pirated Software to Poisoned Disk Images

By January 2024, ZuRu had also been spotted hiding in pirated versions of popular macOS software such as Microsoft's Remote Desktop, SecureCRT, and Navicat. Now, researchers have linked it to a tampered .dmg disk image containing a trojanized copy of Termius.app.

This altered application bundle replaces the original developer's code signature with an ad hoc signature to bypass macOS code signing protections. Embedded within it are two key components:

  • .localized: A malicious loader that fetches and launches a Khepri C2 beacon from download.termius.info.
  • .Termius Helper1: A rebranded version of the legitimate Termius Helper app, used to mask the malicious behavior.

These executables are hidden inside Termius Helper.app, and their integration represents a change from ZuRu's older method of injecting .dylib files directly into application bundles.
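The two traits described above, dot-prefixed executables tucked inside a helper app and an ad hoc code signature in place of the developer's, are both checkable from the defender's side. The script below is an added example and is not code from the write-up or from Termius: it flags dot-prefixed files that carry a Mach-O header (a bare `.localized` marker file is common and benign, so the name alone is not an indicator) and classifies the text that `codesign -dvv` prints on macOS. The bundle it scans is constructed in a temporary directory; its nesting under `Contents/Frameworks` is an assumption for the demo, not the real Termius layout.

```python
"""Bundle inspection for trojanized-helper indicators (added example, constructed data)."""
import tempfile
from pathlib import Path
from typing import List

# Mach-O magic numbers: thin 32/64-bit in both byte orders, plus fat (universal) binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC and its byte-swapped form
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 and its byte-swapped form
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or fat header."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_hidden_executables(bundle: Path) -> List[str]:
    """Bundle-relative paths of dot-prefixed Mach-O files anywhere under the bundle.

    Dot-prefixed files are common in bundles (e.g. Finder's empty '.localized' marker),
    so the name alone is not an indicator; a dot-prefixed Mach-O binary is."""
    hits = [
        str(p.relative_to(bundle))
        for p in bundle.rglob("*")
        if p.is_file() and p.name.startswith(".") and is_macho(p)
    ]
    return sorted(hits)


def is_adhoc_signature(codesign_output: str) -> bool:
    """Classify the text 'codesign -dvv <bundle>' writes to stderr on macOS.

    Ad hoc signed code reports 'Signature=adhoc' and carries no 'Authority=' chain;
    a Developer ID signed bundle reports its certificate chain instead."""
    lines = [ln.strip() for ln in codesign_output.splitlines()]
    has_authority = any(ln.startswith("Authority=") for ln in lines)
    return "Signature=adhoc" in lines and not has_authority


def build_demo_bundle(root: Path) -> Path:
    """Construct a stand-in Termius.app mirroring the layout the write-up describes.
    Nesting the helper under Contents/Frameworks is an assumption for the demo."""
    app = root / "Termius.app"
    macos = app / "Contents" / "Frameworks" / "Termius Helper.app" / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # little-endian 64-bit magic + padding
    (macos / "Termius Helper").write_bytes(fake_macho)    # visible, expected helper binary
    (macos / ".localized").write_bytes(fake_macho)        # hidden loader
    (macos / ".Termius Helper1").write_bytes(fake_macho)  # hidden, rebranded helper
    resources = app / "Contents" / "Resources"
    resources.mkdir(parents=True)
    (resources / ".localized").write_bytes(b"")           # benign Finder marker, not Mach-O
    return app


def scan_demo_bundle() -> List[str]:
    """Build the constructed bundle in a temp dir and return the hidden-executable hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_hidden_executables(build_demo_bundle(Path(tmp)))


if __name__ == "__main__":
    for hit in scan_demo_bundle():
        print("hidden Mach-O:", hit)
```

On a real host you would run `find_hidden_executables` over `/Applications/*.app` and pipe `codesign -dvv` output into `is_adhoc_signature`; the benign `.localized` marker in `Resources` is deliberately included to show that the Mach-O check, not the filename, is what separates the two.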

Persistence and Update Mechanisms

The .localized loader isn't used only for fetching payloads; it also checks for an existing installation by looking for the malware at /tmp/.fseventsd. It compares the MD5 hash of the local payload against the hash hosted remotely and downloads a new version if the two differ. This self-check and update routine likely ensures both the integrity and currency of the malicious code.

Weaponizing Khepri: A Post-Exploitation Swiss Army Knife

At the core of this attack is a modified version of Khepri, an open-source post-exploitation toolkit. The adapted tool grants attackers broad control over compromised macOS hosts, including:

  • File transfers
  • System reconnaissance
  • Execution and management of system processes
  • Command execution with real-time output retrieval

Communication is maintained through the C2 server ctl01.termius.fun, enabling continuous control over the infected machines.

Evolution of Attack Techniques

ZuRu's progression from .dylib injection to trojanizing embedded helper apps appears to be a deliberate shift aimed at bypassing more advanced detection methods. Despite this change, the threat actor continues to rely on familiar indicators:

  • Reuse of domain names and file names
  • Consistent targeting of remote access and database tools
  • Known persistence and beaconing techniques

These indicators reflect a proven playbook, one that remains effective in systems lacking strong endpoint security.
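Because the indicators above (the domains, the /tmp/.fseventsd persistence path, and the hidden helper names) are reused across campaigns, they are cheap to turn into detection logic. The script below is an added example, not code from the write-up: it matches the page's domains and paths against constructed key=value endpoint log lines (the log format itself is invented for the demo), treats `.localized` as suspicious only when something executes it (it is otherwise a harmless Finder marker), and hashes the persistence artifact if it exists so the MD5 can be compared with what the loader fetches.

```python
"""IoC matching for the ZuRu indicators named in the write-up (added example)."""
import hashlib
import shlex
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Indicators exactly as named in the write-up.
C2_DOMAINS = {"download.termius.info", "ctl01.termius.fun"}
PERSISTENCE_PATH = "/tmp/.fseventsd"
HIDDEN_HELPER_NAMES = {".localized", ".Termius Helper1"}

# Constructed sample log (key=value, quoted values may contain spaces).
SAMPLE_LOG = [
    '2025-05-28T10:01:02Z host=mac01 event=dns query=download.termius.info',
    '2025-05-28T10:01:03Z host=mac01 event=file op=create path="/tmp/.fseventsd"',
    '2025-05-28T10:01:04Z host=mac01 event=file op=exec '
    'path="/Applications/Termius.app/Contents/Frameworks/Termius Helper.app/Contents/MacOS/.localized"',
    '2025-05-28T10:01:05Z host=mac01 event=dns query=ctl01.termius.fun',
    '2025-05-28T10:02:00Z host=mac02 event=file op=create path="/Users/dev/Documents/.localized"',
    '2025-05-28T10:02:01Z host=mac02 event=dns query=updates.example.com',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; tokens without '=' (the timestamp) are skipped."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def matches_c2_domain(host: str) -> bool:
    """Exact match or subdomain of a listed domain; trailing dots and case are normalised."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches an indicator, else None."""
    if event.get("event") == "dns" and matches_c2_domain(event.get("query", "")):
        return "dns: ZuRu payload/C2 domain"
    if event.get("event") == "file":
        path = event.get("path", "")
        if path == PERSISTENCE_PATH:
            return "file: ZuRu persistence path"
        # '.localized' is a harmless Finder marker in most places; it only matters
        # when it is executed, which a marker file never is.
        if Path(path).name in HIDDEN_HELPER_NAMES and event.get("op") == "exec":
            return "file: execution of hidden helper binary"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, reason) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = classify(parse_event(line))
        if reason:
            hits.append((n, reason))
    return hits


def persistence_artifact_md5(root: str = "/") -> Optional[str]:
    """MD5 of <root>/tmp/.fseventsd if present, so it can be compared with the fetched payload."""
    artifact = Path(root) / PERSISTENCE_PATH.lstrip("/")
    if not artifact.is_file():
        return None
    return hashlib.md5(artifact.read_bytes()).hexdigest()


def demo_persistence_check() -> Optional[str]:
    """Plant an empty stand-in artifact under a temp root and hash it (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "tmp").mkdir()
        (Path(tmp) / "tmp" / ".fseventsd").write_bytes(b"")
        return persistence_artifact_md5(tmp)


if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
    print("persistence artifact md5:", persistence_artifact_md5())
```

Lines 5 and 6 of the sample log are the negative cases: a user-created `.localized` marker and an unrelated domain produce no hit, while the four ZuRu events do.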

Conclusion: An Ongoing Threat for the macOS Ecosystem

The latest ZuRu variant reinforces a concerning trend: sophisticated macOS threats targeting developers and IT professionals. By exploiting trust in popular tools and adapting delivery methods, this malware continues to bypass defenses in inadequately protected environments.

Organizations and individuals should remain vigilant, prioritize the use of verified software sources, and implement layered security to detect and neutralize threats like ZuRu.
