The PolySwarm Blog


New MacOS.ZuRu Variant Discovered

Jul 22, 2025 3:05:50 PM / by The Hivemind

Verticals Targeted: IT, software development
Regions Targeted: None specified
Related Families: None

Executive Summary

A new variant of the macOS.ZuRu malware, first identified in 2021, was discovered, leveraging a trojanized Termius application to deploy a modified Khepri C2 beacon, targeting developers and IT professionals. This sophisticated backdoor employs advanced techniques to evade detection and establish persistent remote access.

Key Takeaways

  • ZuRu malware trojanizes the Termius SSH client, replacing legitimate binaries to deploy a Khepri C2 beacon.  
  • The malware uses a modified loader and ad hoc code signatures to bypass macOS security checks.  
  • Khepri beacon operates in skip or background daemon modes, communicating via a 5-second heartbeat to a C2 server.  

What is macOS.ZuRu?

The macOS.ZuRu malware, a persistent threat since its discovery in 2021, has reemerged with a refined approach, targeting developers and IT professionals through a compromised version of the Termius SSH client. This latest variant, identified in late May 2025, showcases the threat actors’ evolving tactics, leveraging a trojanized application and a modified Khepri command-and-control (C2) beacon to establish covert remote access. SentinelOne recently reported on the new macOS.ZuRu variant.

ZuRu’s delivery mechanism hinges on a tampered Termius application distributed via a .dmg disk image. The legitimate Termius.app, typically 225MB, is inflated to 248MB in the malicious version due to the inclusion of two additional executables within the Termius Helper.app bundle. The legitimate Termius Helper binary is renamed .Termius Helper1, while a 25MB malicious Mach-O binary, dubbed Termius Helper, takes its place. This imposter binary launches both the legitimate .Termius Helper1, ensuring the application functions as expected, and a loader named .localized, which retrieves a Khepri C2 beacon and stores it at /tmp/.fseventsd.

The Khepri beacon, a cornerstone of this campaign, is a modified iteration of the open-source post-exploitation framework. Unlike earlier ZuRu variants that injected malicious .dylib libraries, this version trojanizes the helper application, likely to evade detection logic reliant on dynamic library monitoring. The beacon operates in dual modes—skip or background daemon—with a 5-second heartbeat interval, faster than the default 10 seconds, and communicates over port 53 to the C2. This C2 server follows a naming convention consistent with prior ZuRu infrastructure, such as ctl01.macnavicat[.]com. The beacon uses www.baidu[.]com as a decoy domain, masking its true intentions.

The trojanized application bypasses macOS Gatekeeper by replacing the developer’s code signature with an ad hoc signature, a tactic that exploits trust in signed applications. The loader, .localized, verifies payload integrity via MD5 hash checks, downloading updated versions if discrepancies are detected. This update mechanism enhances the malware’s resilience, ensuring persistence and adaptability. The Khepri framework enables a suite of capabilities, including file transfers, system reconnaissance, process execution, and command execution with output capture, posing significant risks to infected systems.
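The host-side indicators above (hidden dotfile executables beside the helper, an oversized Termius Helper, an ad hoc signature in place of the developer's, and the beacon staged at /tmp/.fseventsd) can be checked with a small hunting script. This is an added example, not PolySwarm's or SentinelOne's tooling; the directory layout inside the bundle and the 20MB size threshold are assumptions, and the signature check relies on the standard `Signature=adhoc` line that `codesign -dv` prints.

```python
"""Hunt for the macOS.ZuRu trojanized-Termius indicators described in the bulletin.
Added example; bundle layout and size threshold are assumptions, file names are
taken from the write-up."""
import os
import subprocess
from pathlib import Path

HELPER_APP = "Contents/Frameworks/Termius Helper.app"  # assumed location of the helper bundle
RENAMED_ORIGINAL = ".Termius Helper1"                  # legitimate helper, renamed by the trojan
LOADER = ".localized"                                  # loader that fetches the Khepri beacon
STAGED_BEACON = Path("/tmp/.fseventsd")                # where the beacon is stored
MIN_SUSPECT_HELPER_BYTES = 20 * 1024 * 1024            # assumed: malicious helper is ~25MB


def is_adhoc_signed(path: Path) -> bool:
    """True if codesign reports an ad hoc signature (no developer identity)."""
    try:
        out = subprocess.run(["codesign", "-dv", str(path)],
                             capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False  # not macOS, or codesign unavailable: cannot decide
    return "Signature=adhoc" in out.stderr  # codesign writes its details to stderr


def scan_bundle(app_path: str, check_signature: bool = True,
                beacon_path: Path = STAGED_BEACON) -> list[str]:
    """Return human-readable findings for one Termius.app install (empty list = clean)."""
    findings: list[str] = []
    macos_dir = Path(app_path) / HELPER_APP / "Contents/MacOS"
    if not macos_dir.is_dir():
        return findings
    # Hidden dotfile executables beside the helper: the renamed original and the loader.
    for name in sorted(os.listdir(macos_dir)):
        entry = macos_dir / name
        if name.startswith(".") and entry.is_file() and os.access(entry, os.X_OK):
            findings.append(f"hidden executable in helper bundle: {name}")
    helper = macos_dir / "Termius Helper"
    if helper.is_file():
        size = helper.stat().st_size
        if size >= MIN_SUSPECT_HELPER_BYTES:
            findings.append(f"oversized Termius Helper: {size} bytes")
        if check_signature and is_adhoc_signed(helper):
            findings.append("Termius Helper is ad hoc signed (developer signature replaced)")
    if beacon_path.exists():
        findings.append(f"staged beacon present: {beacon_path}")
    return findings


if __name__ == "__main__":
    for line in scan_bundle("/Applications/Termius.app"):
        print("[!]", line)
```

Run it on a machine where Termius is installed; on a non-macOS host the signature check is skipped and only the file-system indicators are reported.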

ZuRu’s targeting strategy focuses on users of backend tools like Termius, SecureCRT, and Navicat, suggesting an intent to compromise IT and development environments. The malware’s reliance on pirated or poisoned application downloads underscores the need for rigorous software vetting. PolySwarm analysts consider macOS.ZuRu to be an evolving threat.  

IOCs

PolySwarm has multiple samples of macOS.ZuRu, including:

8ac593fbe69ae93de505003eff446424d4fd165cda6f85c8c27e8e1cb352b06e

42605f1d22f8d38f0be494f36d377bf71592ae54583e6e78641a63ec3021cbeb

You can use the following CLI command to search for all macOS.ZuRu samples in our portal:

$ polyswarm link list -f macOS.ZuRu
