Weaponized Termius App Delivers Latest ZuRu Malware to macOS Users

A sophisticated variant of the macOS.ZuRu malware, first identified by a Chinese blogger in July 2021, has resurfaced with a new method of attack targeting macOS users through a trojanized version of the popular cross-platform SSH client Termius.

Initially spread via poisoned Baidu search results for tools like iTerm2, SecureCRT, and Microsoft Remote Desktop for Mac, ZuRu has consistently preyed on users of backend and remote connection utilities.

A New Chapter in macOS.ZuRu’s Evolution

The latest sample, discovered in late May 2025 through social media reports, showcases an evolved delivery mechanism and a modified Khepri C2 framework for post-infection control, marking a significant shift in the malware’s tactics while maintaining its focus on evading detection.

The malware is distributed through a .dmg disk image containing a hacked Termius.app, inflated from its legitimate size of 225MB to 248MB due to embedded malicious binaries.

Unlike prior ZuRu variants that relied on Dylib injection to modify the main executable, this version embeds two additional executables within the Termius Helper.app bundle.

The legitimate Termius Helper binary is renamed and replaced with a 25MB Mach-O file that launches both a malware loader named “.localized” and the renamed original helper to maintain normal app functionality.

The “.localized” loader retrieves a Khepri C2 beacon from download.termius[.]info, decrypts it using a hardcoded key “my_secret_key,” and installs it at /tmp/.fseventsd.

Figure: Khepri C2 task list

Technical Breakdown of the Trojanized Application

According to the report, persistence is achieved via a malicious LaunchDaemon plist labeled com.apple.xssooxxagent, written to /Library/LaunchDaemons/, which ensures hourly execution of the malware from /Users/Shared/.
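The persistence entry described above follows a pattern defenders can triage generically: a launchd job whose label imitates Apple's com.apple.* namespace but whose program lives outside Apple-owned locations, in a world-writable staging directory, on a timer. The script below is an added example written for this article, not code from SentinelOne or the report; the sample plist body is constructed from the label, path and hourly interval the text gives, and the "Apple program prefix" list is an assumption about where Apple's own launchd jobs run from.

```python
"""Triage LaunchDaemon plists for Apple-lookalike labels that launch
non-Apple binaries, the shape the ZuRu persistence entry takes."""
import plistlib
from pathlib import Path
from typing import Dict, List

# Assumption: Apple's own launchd jobs run programs from these locations.
# A com.apple.* label pointing anywhere else deserves a closer look.
APPLE_PROGRAM_PREFIXES = (
    "/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/",
)
# World-writable staging directories commonly used to drop payloads.
STAGING_PREFIXES = ("/Users/Shared/", "/tmp/", "/private/tmp/", "/var/tmp/")

# Constructed sample mirroring the plist the article describes: label and
# program path come from the report, the rest of the body is assumed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.xssooxxagent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/com.apple.xssooxxagent</string></array>
  <key>StartInterval</key><integer>3600</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def program_path(job: dict) -> str:
    """launchd accepts either a Program key or ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def triage_plist(data: bytes) -> List[str]:
    """Return the indicators found in one plist (empty list = nothing flagged)."""
    job = plistlib.loads(data)          # handles both XML and binary plists
    label = job.get("Label", "")
    prog = program_path(job)
    reasons = []
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PROGRAM_PREFIXES):
        reasons.append(f"Apple-style label {label!r} runs non-Apple program {prog!r}")
    if prog.startswith(STAGING_PREFIXES):
        reasons.append(f"program lives in a world-writable staging directory: {prog!r}")
    if "StartInterval" in job:
        reasons.append(f"re-runs every {job['StartInterval']}s (StartInterval)")
    return reasons


def scan_launch_daemons(directory: Path = Path("/Library/LaunchDaemons")) -> Dict[str, List[str]]:
    """Triage every plist in a LaunchDaemons directory; map path -> reasons."""
    findings = {}
    for plist in sorted(directory.glob("*.plist")):
        try:
            reasons = triage_plist(plist.read_bytes())
        except Exception as exc:        # malformed plist: still worth a look
            reasons = [f"unparseable: {exc}"]
        if reasons:
            findings[str(plist)] = reasons
    return findings


if __name__ == "__main__":
    for reason in triage_plist(SAMPLE_PLIST):
        print("sample:", reason)
    for path, reasons in scan_launch_daemons().items():
        print(path, reasons)
```

The StartInterval note on its own is only informational, since Apple ships timer-driven jobs too; the combination of a spoofed label, a staging-directory program and a timer is what makes the sample stand out.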

The loader also implements an update mechanism by verifying the payload’s MD5 hash against a remote value, downloading newer versions if discrepancies are detected.

This latest decryption routine, while still using XOR combined with addition and subtraction, replaces the older single-byte key with a 13-byte string, adding a layer of obfuscation to thwart automated analysis.

The Khepri beacon, a customized version of the open-source C2 framework, is a universal Mach-O binary requiring macOS Sonoma 14.1 or later, and it communicates with its command-and-control server at ctl01.termius[.]fun (resolving to 47.238.28.21) over port 53, mimicking DNS traffic.

Its capabilities include file transfer, system reconnaissance, and command execution, making it a potent tool for attackers.

Despite evolving techniques, such as shifting from Dylib injection to helper app trojanization, the threat actors reuse familiar patterns in domain naming and persistence methods, indicating sustained success in environments lacking robust endpoint protection.

SentinelOne Singularity effectively detects and blocks this threat, while organizations without such defenses are urged to monitor for the indicators of compromise listed below.

Indicators of Compromise

Type       Indicator                                                 Description
---------  --------------------------------------------------------  ------------------------------
File Path  /Library/LaunchDaemons/com.apple.xssooxxagent.plist       Persistence plist file
File Path  /Users/Shared/com.apple.xssooxxagent                      Malware executable location
File Path  /tmp/.fseventsd                                           Khepri C2 beacon location
SHA-1      a7a9b0f8cc1c89f5c195af74ce3add74733b15c0                  .fseventsd (Khepri C2 beacon)
SHA-1      de8aca685871ade8a75e4614ada219025e2d6fd7                  Termius9.5.0.dmg (trojan image)
Network    http://download.termius[.]info/bn.log.enc                 Payload download URL
Network    ctl01.termius[.]fun                                       C2 server domain
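The indicators above, plus the port-53 C2 channel described earlier, can be turned directly into a host and log sweep. The script below is an added example for this article, not tooling from SentinelOne; it checks for the listed file paths and SHA-1 hashes and scans connection-log lines for the C2 domains, the 47.238.28.21 address, and TCP on port 53 to anything other than a configured resolver. The log format, the resolver allowlist and the sample log lines are constructed for the example.

```python
"""Sweep a host and a connection log for the ZuRu indicators of compromise."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import List

# File-path and hash indicators as listed in the article (brackets removed from domains).
IOC_PATHS = {
    "/Library/LaunchDaemons/com.apple.xssooxxagent.plist": "persistence plist",
    "/Users/Shared/com.apple.xssooxxagent": "malware executable",
    "/tmp/.fseventsd": "Khepri C2 beacon",
}
IOC_SHA1 = {
    "a7a9b0f8cc1c89f5c195af74ce3add74733b15c0": ".fseventsd (Khepri C2 beacon)",
    "de8aca685871ade8a75e4614ada219025e2d6fd7": "Termius9.5.0.dmg (trojan image)",
}
IOC_DOMAINS = {"download.termius.info", "ctl01.termius.fun"}
IOC_IPS = {"47.238.28.21"}
# Assumption: the resolvers this fleet is expected to talk to on port 53.
KNOWN_RESOLVERS = {"8.8.8.8", "1.1.1.1"}


def sha1_of(path: Path) -> str:
    """Stream a file through SHA-1 so large disk images do not load into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_filesystem(root: Path = Path("/")) -> List[str]:
    """Report IoC paths present under root, and whether their hash is a known sample."""
    hits = []
    for rel, desc in IOC_PATHS.items():
        p = root / rel.lstrip("/")
        if p.exists():
            hits.append(f"path: {p} ({desc})")
            if p.is_file():
                digest = sha1_of(p)
                if digest in IOC_SHA1:
                    hits.append(f"hash: {p} sha1={digest} ({IOC_SHA1[digest]})")
    return hits


def demo_filesystem_sweep() -> List[str]:
    """Run the sweep on a constructed scratch root holding a fake beacon file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        beacon = root / "tmp" / ".fseventsd"
        beacon.parent.mkdir(parents=True)
        beacon.write_bytes(b"constructed placeholder, hash will not match")
        return sweep_filesystem(root)


# Constructed log lines in a simple "ts src -> dst:port proto host=..." shape,
# not telemetry from the report. 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
2025-05-30T10:00:01Z 10.0.0.12 -> 8.8.8.8:53 udp dns
2025-05-30T10:00:05Z 10.0.0.12 -> 47.238.28.21:53 tcp -
2025-05-30T10:00:09Z 10.0.0.12 -> 104.16.1.1:443 tcp host=download.termius.info
2025-05-30T10:00:12Z 10.0.0.12 -> 203.0.113.7:53 tcp -
2025-05-30T10:01:00Z 10.0.0.12 -> 151.101.1.1:443 tcp host=github.com
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<proto>\w+) (?P<rest>.*)$"
)


def sweep_log(text: str) -> List[str]:
    """Flag IoC hosts, and port-53 traffic to non-resolvers (Khepri's DNS mimicry)."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        dst, port, rest = m["dst"], int(m["port"]), m["rest"]
        host = rest.split("host=", 1)[1] if "host=" in rest else ""
        if dst in IOC_IPS or host in IOC_DOMAINS:
            hits.append(f"ioc: {line}")
        elif port == 53 and dst not in KNOWN_RESOLVERS:
            hits.append(f"port 53 to non-resolver, inspect: {line}")
    return hits


if __name__ == "__main__":
    for hit in demo_filesystem_sweep() + sweep_log(SAMPLE_LOG):
        print(hit)
```

Hash matching only confirms the two samples the report names; the path check is the broader net, since a rebuilt beacon dropped at /tmp/.fseventsd would carry a different digest but the same location.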
