ZuRu Malware Resurfaces, Targets macOS Users via Trojanized Termius App

A new wave of macOS infections has been linked to ZuRu, a well-known malware strain that spreads through counterfeit versions of legitimate applications. In a report, cybersecurity firm SentinelOne revealed that ZuRu was spotted in May 2025 impersonating Termius, a popular SSH client and server-management tool.

“ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets,” said SentinelOne researchers Phil Stokes and Dinesh Devadoss.

ZuRu first emerged in September 2021, when it was found poisoning search results for iTerm2, a legitimate macOS terminal emulator, and redirecting users to look-alike websites hosting the malware. Since then it has also been distributed through pirated versions of widely used tools such as Microsoft Remote Desktop for Mac, SecureCRT, and Navicat.

A January 2024 analysis by Jamf Threat Labs found that these trojanized applications bore similarities to ZuRu, illustrating a consistent pattern of targeting tools used by developers and IT professionals. The attackers rely heavily on sponsored web search ads to lure users, an opportunistic approach that ensures their victims are people already looking for remote-connectivity or database tools.

The latest variant discovered by SentinelOne comes packaged in a .dmg disk image containing a tampered version of the Termius app.

“The malware is delivered via a .dmg disk image and contains a hacked version of the genuine Termius.app,” the researchers noted. “Since the application bundle inside the disk image has been modified, the attackers have replaced the developer’s code signature with their own ad hoc signature in order to pass macOS code signing rules.”

The tampered bundle carries two hidden, dot-prefixed executables: “.localized,” a loader that retrieves the Khepri command-and-control (C2) beacon, and “.Termius Helper1,” which is simply the real app’s helper binary renamed so that the app keeps working. Khepri is an open-source C2 and post-exploitation framework that lets an operator execute commands, transfer files, and control infected systems remotely.

This version of ZuRu marks a shift in delivery tactics. Instead of injecting a malicious dynamic library into the main app’s executable, as earlier versions did, the attackers now trojanize an embedded helper app, a component that is less likely to be inspected.
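One check a responder can run on a suspect bundle is to hunt for hidden executables: dot-prefixed files whose contents are actually Mach-O images rather than the empty marker files (a genuine `.localized` file, for instance) that normally carry such names. The script below is an added example written for this article; it is not SentinelOne’s, Termius’s, or the malware’s code. The `Termius.app` tree it builds is constructed for the demo and only mimics the layout described above (two hidden Mach-O files inside an embedded helper app); the header bytes it writes are fake.

```python
"""Hunt for hidden executables inside a macOS .app bundle.

Added example for the ZuRu/Termius story; not SentinelOne's, Termius's
or the malware author's code. The bundle built by build_sample_bundle()
is constructed for the demo and only mimics the layout the article
describes (dot-prefixed Mach-O files inside an embedded helper app).
"""
import hashlib
import os
import struct
import tempfile

# First four bytes of a Mach-O image as they appear on disk. x86_64 and
# arm64 binaries start with MH_CIGAM_64 (cf fa ed fe); the 32-bit and
# big-endian variants are kept for completeness.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC
    b"\xce\xfa\xed\xfe",  # MH_CIGAM
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; fat header is always big-endian


def is_macho(head: bytes) -> bool:
    """Return True if `head` (the first 8 bytes of a file) looks like Mach-O."""
    if len(head) < 8:
        return False  # covers empty markers such as a genuine '.localized'
    if head[:4] == FAT_MAGIC:
        # Java .class files share CAFEBABE; a real fat header is followed
        # by a small architecture count, a class file by a version >= 45.
        nfat_arch = struct.unpack(">I", head[4:8])[0]
        return 0 < nfat_arch < 20
    return head[:4] in MACHO_MAGICS


def scan_bundle(bundle: str):
    """Walk `bundle` and return (relative path, sha256) for every dot-prefixed
    file whose content is a Mach-O image or a shebang script."""
    findings = []
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            if not name.startswith("."):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not (is_macho(data[:8]) or data.startswith(b"#!")):
                continue  # hidden but not executable, e.g. '.DS_Store'
            rel = os.path.relpath(path, bundle)
            findings.append((rel, hashlib.sha256(data).hexdigest()))
    return sorted(findings)


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_bundle(parent: str) -> str:
    """Create a constructed Termius.app-like tree under `parent` (demo only)."""
    app = os.path.join(parent, "Termius.app")
    main_dir = os.path.join(app, "Contents", "MacOS")
    res_dir = os.path.join(app, "Contents", "Resources")
    helper_dir = os.path.join(app, "Contents", "Frameworks",
                              "Termius Helper.app", "Contents", "MacOS")
    for d in (main_dir, res_dir, helper_dir):
        os.makedirs(d)
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # header bytes only, not a real binary
    _write(os.path.join(main_dir, "Termius"), fake_macho)  # visible main executable: expected
    _write(os.path.join(res_dir, ".localized"), b"")  # benign localisation marker
    _write(os.path.join(res_dir, ".Hidden.class"), FAT_MAGIC + b"\x00\x00\x00\x34")  # Java, not fat
    # The two hidden Mach-O files the article describes, with constructed contents.
    _write(os.path.join(helper_dir, ".localized"), fake_macho)
    _write(os.path.join(helper_dir, ".Termius Helper1"), fake_macho)
    return app


def run_demo():
    """Build the sample bundle in a temp dir and return the flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_sample_bundle(tmp)
        return [rel for rel, _ in scan_bundle(app)]


if __name__ == "__main__":
    for rel in run_demo():
        print("hidden executable:", rel)
```

On a real host, pair this with `codesign -dv --verbose=4 Termius.app`: a bundle re-signed the way the researchers describe reports `Signature=adhoc` and has no `Authority=Developer ID Application:` line, whereas a genuine Developer ID build shows the signing chain. The SHA-256 values the scanner returns can then be compared against the indicators in the vendor report.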

The loader not only installs the malware but also checks whether the Khepri beacon is already present on the system and compares its MD5 hash with the expected value. If the file is missing or the hash differs, it fetches the latest payload from the attackers’ server.

“The latest variant of macOS.ZuRu continues the threat actor’s pattern of trojanizing legitimate macOS applications used by developers and IT professionals,” the report concluded.

Despite these technical adjustments, the attackers’ core tactics, including their choice of applications, domain-naming patterns, and persistence mechanisms, remain largely unchanged, suggesting the campaign continues to succeed against hosts with weak endpoint protection.
