A newly uncovered variant of the notorious macOS.ZuRu malware is now using a trojanized version of Termius, a popular cross-platform SSH and server management tool, to infiltrate macOS systems. As SentinelOne’s research reveals, this campaign marks a significant technical evolution in the malware’s delivery and post-exploitation strategy, combining sophisticated persistence, stealth, and remote control capabilities through a customized Khepri command-and-control (C2) beacon.
ZuRu’s campaign first came to light in July 2021, when users searching for macOS apps like iTerm2 on Baidu were redirected to malicious versions. Since then, the malware has expanded its reach by trojanizing widely used backend utilities like Navicat, SecureCRT, and Microsoft’s Remote Desktop for Mac.
“The selection of trojanized apps suggested the malware authors were targeting users of backend tools for SSH and other remote connections utilities,” SentinelOne noted.
Now, in May 2025, researchers have identified a malicious Termius disk image (.dmg), about 23MB larger than the genuine version, containing two additional executables—.localized and .Termius Helper1—which trigger the malware infection chain.

Unlike previous variants that injected malicious .dylib files into the app bundle, this version replaces Termius Helper.app with a modified binary. Upon execution, .localized is launched in the background to download and deploy a Khepri beacon from download.termius[.]info, storing it at /tmp/.fseventsd.
“The attackers have replaced the developer’s code signature with their own ad hoc signature in order to pass macOS code signing rules.”
The malware silently requests elevated privileges, installs a LaunchDaemon for persistence (com.apple.xssooxxagent), and ensures hourly execution using:
The implant also copies itself to /Users/Shared and uses deprecated macOS APIs for privilege escalation.
The second-stage payload—downloaded and verified using a custom XOR-add-sub decryption routine—is a modified Khepri C2 beacon. First seen in December 2024, this version is tailored for macOS Sonoma 14.1 and later, suggesting a focus on up-to-date systems.
SentinelOne describes Khepri as a “full-featured C2 implant with capabilities for file transfer, system reconnaissance, process control, and command execution.”
Notably, the beacon:
- Supports -s and -bd flags for stealth and background daemon mode.
- Communicates over port 53, the port normally used by DNS.
- Uses www.baidu[.]com as a decoy domain, while actually reaching ctl01.termius[.]fun, resolving to an Alibaba Cloud IP.
The beacon’s heartbeat interval is set to 5 seconds, faster than the default 10 seconds in the open-source Khepri version.
The researchers highlight residual functions like _startBackgroundProcess() and _startLaunchDaemon() that mimic or duplicate existing functionality, possibly remnants from earlier iterations or reused source code.
“Artifacts in this binary potentially indicate that the malware source code could have been reused from earlier campaigns,” the report suggests.
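As an added defender-side example (not SentinelOne's code or anything from the report), the hunt below checks a macOS host for the artifacts the report names: the com.apple.xssooxxagent LaunchDaemon, hidden .localized / .Termius Helper1 files that are actually Mach-O executables (a genuine .localized is an empty Finder marker, never a binary), and the /tmp/.fseventsd drop path. The build_fixture() helper, the Termius.app/Contents/MacOS path and the stub Mach-O header are constructed assumptions so the script can be exercised offline.

```python
import os, plistlib, struct, tempfile

ZURU_LABEL = "com.apple.xssooxxagent"                    # LaunchDaemon label from the report
ZURU_HIDDEN_NAMES = {".localized", ".Termius Helper1"}   # hidden executables inside the DMG
ZURU_DROP_PATHS = ("/tmp/.fseventsd",)                   # Khepri beacon drop location
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}

def is_macho(path):
    """True if the first four bytes are a Mach-O thin or fat magic (either byte order)."""
    try:
        with open(path, "rb") as f:
            return struct.unpack(">I", f.read(4))[0] in MACHO_MAGICS
    except (OSError, struct.error):   # unreadable, or shorter than 4 bytes (e.g. empty marker)
        return False
def scan_launch_daemons(dirpath):
    """Return plist paths whose Label is the ZuRu persistence label."""
    hits = []
    for name in sorted(os.listdir(dirpath)) if os.path.isdir(dirpath) else []:
        path = os.path.join(dirpath, name)
        try:
            with open(path, "rb") as f:
                if name.endswith(".plist") and plistlib.load(f).get("Label") == ZURU_LABEL:
                    hits.append(path)
        except Exception:          # unreadable or malformed plist: skip it, keep hunting
            pass
    return hits
def scan_hidden_machos(root):
    """Hidden files carrying the dropper names that are real Mach-O binaries.
    A legitimate .localized is an empty Finder marker, so a Mach-O one is suspicious."""
    return [os.path.join(d, n) for d, _, files in os.walk(root)
            for n in sorted(files) if n in ZURU_HIDDEN_NAMES and is_macho(os.path.join(d, n))]
def hunt(launch_daemons="/Library/LaunchDaemons", app_root="/Applications", drop_paths=ZURU_DROP_PATHS):
    """Collect (kind, path) findings across the three indicator classes."""
    return ([("launchdaemon", p) for p in scan_launch_daemons(launch_daemons)]
            + [("hidden_macho", p) for p in scan_hidden_machos(app_root)]
            + [("dropped_beacon", p) for p in drop_paths if os.path.exists(p)])
def build_fixture():
    """Constructed sample layout in a temp dir (harmless stubs, not real malware)."""
    root = tempfile.mkdtemp()
    ld = os.path.join(root, "LaunchDaemons"); os.makedirs(ld)
    with open(os.path.join(ld, ZURU_LABEL + ".plist"), "wb") as f:
        plistlib.dump({"Label": ZURU_LABEL, "ProgramArguments": ["/Users/Shared/.localized"]}, f)
    macos = os.path.join(root, "Applications", "Termius.app", "Contents", "MacOS"); os.makedirs(macos)
    with open(os.path.join(macos, ".localized"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)       # 64-bit LE Mach-O magic, stub header
    open(os.path.join(root, "Applications", ".localized"), "wb").close()  # benign empty marker
    drop = os.path.join(root, ".fseventsd"); open(drop, "wb").close()
    return ld, os.path.join(root, "Applications"), [drop]
```

On a real host call hunt() with its defaults (as root, so /Library/LaunchDaemons and every bundle are readable); hunt(*build_fixture()) runs it against the constructed layout instead.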