New macOS Malware ZuRu Discovered Targeting Users Through Legitimate Software

A recently uncovered macOS malware dubbed ZuRu is raising alarms among cybersecurity experts, as it circulates inside trojanized copies of legitimate applications that users believe to be trusted software. Discovered by SentinelOne, the malware takes the form of a tampered version of the popular SSH client and server-management tool Termius, reportedly first appearing in late May 2025. As noted by researchers Phil Stokes and Dinesh Devadoss, ZuRu has demonstrated an ability to evolve, employing increasingly sophisticated techniques to gain and keep access to compromised machines.

This malware was initially spotted in September 2021, when it poisoned search results for the macOS terminal emulator iTerm2. Users searching for the legitimate software were misled into downloading a malicious version, a tactic highlighted in a discussion on the Chinese site Zhihu. The continued evolution of ZuRu suggests an opportunistic approach by its creators, who prey on macOS users in search of essential business tools.

In January 2024, a similar strain of the malware was identified by Jamf Threat Labs, which highlighted its distribution through pirated macOS applications. Popular applications including Microsoft's Remote Desktop and SecureCRT have also been impersonated by ZuRu, which mainly preys on users seeking remote-connection tools. This fits a broader trend toward opportunistic attack vectors that rely on users fetching software from untrusted sources rather than on software vulnerabilities.

ZuRu's latest iterations include a modified version of the open-source post-exploitation toolkit Khepri, further extending the malware's capabilities. SentinelOne reported that the infection method uses a modified Termius application bundled inside a .dmg disk image, with the application's original code signature replaced so that the tampered bundle still appears validly signed and evades detection. The modification adds a loader and a C2 beacon that communicate with external servers, enabling the attackers to maintain control over infected hosts.
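A re-signed bundle of this kind passes macOS's own integrity check, because the signature is consistent with the modified contents; what it cannot reproduce is the original vendor's signing identity. The following defender-side check, added here as an example and not part of SentinelOne's or Termius's own tooling, parses `codesign -dvv` output and accepts a bundle only when it carries the expected Team ID. `EXPECTED_TEAM_ID` and the sample `codesign` outputs are placeholders constructed for illustration.

```python
"""Flag an app bundle whose code signature is missing, ad-hoc, or from an
unexpected Team ID (as with a re-signed copy of a legitimate app)."""
import subprocess

# Assumption: take the real Team ID from a known-good install (placeholder here).
EXPECTED_TEAM_ID = "PLACEHOLDER_TEAM_ID"

# Constructed sample of `codesign -dvv` output for an ad-hoc re-signed bundle.
SAMPLE_ADHOC = (
    "Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    "Identifier=com.example.placeholder\n"
    "Signature=adhoc\n"
    "TeamIdentifier=not set\n"
)


def parse_codesign_output(text: str) -> dict:
    """Parse `codesign -dvv` output (codesign writes it to stderr)."""
    info = {"signed": True, "adhoc": False, "team_id": None, "authorities": []}
    if "not signed at all" in text:
        info["signed"] = False
        return info
    for line in text.splitlines():
        if line.startswith("Signature=adhoc"):
            info["adhoc"] = True
        elif line.startswith("TeamIdentifier="):
            value = line.split("=", 1)[1].strip()
            info["team_id"] = None if value == "not set" else value
        elif line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1].strip())
    return info


def assess(info: dict, expected_team_id: str) -> str:
    """Only a signature carrying the expected Team ID is 'trusted'."""
    if not info["signed"]:
        return "unsigned"
    if info["adhoc"] or info["team_id"] is None:
        return "adhoc"  # self-consistent seal, but proves no developer identity
    if info["team_id"] != expected_team_id:
        return "mismatch"
    return "trusted"


def inspect_bundle(path: str, expected_team_id: str = EXPECTED_TEAM_ID) -> str:
    """Run codesign (macOS only) against a bundle on disk and return a verdict."""
    display = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    info = parse_codesign_output(display.stderr)
    if not info["signed"]:
        return "unsigned"
    # --verify --deep --strict only checks contents against the bundle's own seal;
    # a tampered bundle that was re-signed passes, hence the identity check above.
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    return "tampered" if verify.returncode != 0 else assess(info, expected_team_id)


if __name__ == "__main__":
    print(assess(parse_codesign_output(SAMPLE_ADHOC), EXPECTED_TEAM_ID))
```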

As this malware remains a serious threat to macOS users, experts emphasize vigilance about where software is downloaded from and whether a bundle's signature matches the vendor's. Continued research into ZuRu indicates a worrying trend as threat actors explore new ways to compromise macOS users in pursuit of their objectives.