ZuRu Malware: New Wave of Attacks Targets macOS Users via Fake Apps
Experts at SentinelOne have reported the discovery of new traces of activity linked to the ZuRu malware, which specifically targets macOS users. Its primary method of distribution is the impersonation of popular macOS applications—most notably, disguising itself as Termius, a cross-platform SSH management tool.
References to the ZuRu malware first surfaced in September 2021 on the Chinese platform Zhihu. At the time, it was being propagated via counterfeit websites that manipulated search results for the legitimate iTerm2 terminal application, offering users tampered installers instead. In January 2024, researchers at Jamf Threat Labs observed the malware’s continued evolution, noting that it had begun infiltrating systems through pirated versions of Microsoft Remote Desktop, SecureCRT, and Navicat.
According to SentinelOne’s latest report, a new wave of attacks was detected in May 2025. The malware was distributed via a modified .dmg disk image containing a fraudulent version of Termius. Notably, the bundled Termius Helper.app housed two executable files: “.localized” and “.Termius Helper1.” The first acts as a loader, designed to fetch and launch the Khepri command beacon from a remote server, while the second is a tampered version of the legitimate Termius helper component.
To bypass macOS system protections, the attackers stripped the application of its original developer signature and replaced it with a temporary self-signed certificate, enabling it to pass code authenticity checks. This latest approach differs from previous techniques: whereas older variants employed the injection of external dynamic libraries (.dylib) into the main executable, the current version embeds the malware through an auxiliary application bundled within the legitimate software package.
The loader also incorporates a persistence mechanism. It checks for the presence of malicious code at the path “/tmp/.fseventsd” and compares the file’s hash against a reference stored on the command server. If discrepancies are found, an updated version is downloaded and deployed automatically—ensuring both code integrity and continued operation of the malware.
Khepri, the core component of the malicious payload, is a powerful remote access tool. It enables attackers to transmit and receive files, survey system specifications, execute arbitrary processes, and record their outcomes. Communication with the command server is established through the domain “ctl01.termius[.]fun,” while the initial download of the beacon is served from “download.termius[.]info.”
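The indicators in the three preceding paragraphs (the hidden executables inside Termius Helper.app, the /tmp/.fseventsd drop path, the two C2 domains, and the swap of the developer signature for a self-signed one) can be turned into a small triage script. The following is an added example written for this page, not code from SentinelOne, Jamf, or the Termius project. It assumes a dnsmasq-style DNS query log format, a constructed bundle path under /Applications, and constructed `codesign -dv --verbose=4` output; only the file names, the path and the domains come from the report, and the domains are refanged here so they match log lines.

```python
"""Triage helpers for the ZuRu / Termius lookalike indicators reported by SentinelOne.
Added example for this page; not SentinelOne's, Jamf's or Termius's code.
Sample log lines, bundle paths and codesign output are constructed."""
import hashlib
import re
from pathlib import Path

# Indicators taken from the report (domains refanged for matching).
C2_DOMAINS = {"ctl01.termius.fun", "download.termius.info"}
PERSISTENCE_PATH = "/tmp/.fseventsd"
BUNDLE_NAME = "Termius Helper.app"
SUSPICIOUS_BUNDLE_FILES = {".localized", ".Termius Helper1"}

# Constructed DNS log in a dnsmasq-style "query[A] <name> from <client>" format (assumption).
SAMPLE_DNS_LOG = """\
Jul  8 09:12:01 mac dnsmasq[311]: query[A] www.termius.com from 10.0.0.5
Jul  8 09:12:04 mac dnsmasq[311]: query[A] download.termius.info from 10.0.0.5
Jul  8 09:13:10 mac dnsmasq[311]: query[A] ctl01.termius.fun from 10.0.0.5
Jul  8 09:14:22 mac dnsmasq[311]: query[A] api.github.com from 10.0.0.5
"""

# Constructed file listing; the nesting under Termius.app is an assumption.
SAMPLE_PATHS = [
    "/Applications/Termius.app/Contents/MacOS/Termius Helper.app/Contents/MacOS/.localized",
    "/Applications/Termius.app/Contents/MacOS/Termius Helper.app/Contents/MacOS/.Termius Helper1",
    "/Applications/Safari.app/Contents/MacOS/Safari",
]

# Constructed codesign output: a Developer ID chain ends at Apple's root; a self-signed one does not.
TRUSTED_CODESIGN = """\
Identifier=com.example.placeholder
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
SELF_SIGNED_CODESIGN = """\
Identifier=com.example.placeholder
Authority=Termius (constructed self-signed placeholder)
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")


def find_c2_queries(log_text):
    """Return (domain, client) pairs for queries to the report's C2 domains."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            if name in C2_DOMAINS:
                hits.append((name, m.group(2)))
    return hits


def find_suspicious_bundles(paths):
    """Map each Termius Helper.app bundle to the hidden executables it carries."""
    found = {}
    for p in paths:
        parts = Path(p).parts
        if BUNDLE_NAME in parts and parts[-1] in SUSPICIOUS_BUNDLE_FILES:
            bundle = str(Path(*parts[: parts.index(BUNDLE_NAME) + 1]))
            found.setdefault(bundle, set()).add(parts[-1])
    return found


def signature_is_untrusted(codesign_output):
    """True for ad-hoc signatures or chains that do not terminate at Apple Root CA."""
    if re.search(r"^Signature=adhoc", codesign_output, re.M):
        return True
    return not re.search(r"^Authority=Apple Root CA$", codesign_output, re.M)


def persistence_file_hash(path=PERSISTENCE_PATH):
    """SHA-256 of the drop file if present (to compare with a known-bad hash), else None."""
    p = Path(path)
    if not p.is_file():
        return None
    return hashlib.sha256(p.read_bytes()).hexdigest()


if __name__ == "__main__":
    print("C2 queries:", find_c2_queries(SAMPLE_DNS_LOG))
    print("Suspicious bundles:", find_suspicious_bundles(SAMPLE_PATHS))
    print("Self-signed flagged:", signature_is_untrusted(SELF_SIGNED_CODESIGN))
    print("Drop file hash:", persistence_file_hash())
```

On a real host the path list would come from a walk of /Applications and the codesign text from running `codesign -dv --verbose=4` against the bundle; the hash function is there so the drop file, if found, can be compared against a vendor-published value rather than trusted on name alone.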
The SentinelOne team emphasizes that the tactic of leveraging legitimate, developer-favored applications as a disguise remains a hallmark of ZuRu’s operators. Despite evolving techniques for payload injection and protection evasion, consistent patterns persist—ranging from domain name templates to distinctive file names and persistence mechanisms. This consistency underscores the potency of such attacks, especially in environments lacking robust endpoint protection.