Ethical Hacking News

New ZuRu Malware Variant Targets Developers via Trojanized Termius macOS App: A Growing Concern for Cybersecurity



A new malware variant known as ZuRu has been identified by cybersecurity researchers, targeting Apple's macOS operating system via trojanized versions of legitimate software applications, including Termius. This growing concern demands attention from developers, IT professionals, and end-users to maintain robust endpoint protection measures and prevent potential security breaches.

  • The new malware variant ZuRu is spreading through trojanized versions of legitimate software applications.
  • The malware masquerades as the cross-platform SSH client and server-management tool Termius.
  • The malware uses a modified version of the open-source post-exploitation toolkit Khepri to gain remote control of infected hosts.
  • The disk image carries a hacked copy of the genuine Termius.app with an altered application bundle.
  • The threat actors behind ZuRu are opportunistic in their attacks, relying on sponsored web searches to distribute the malware.



Apple's macOS operating system has been targeted by a new malware variant known as ZuRu, which is spreading through trojanized versions of legitimate software applications. According to cybersecurity researchers at SentinelOne, the malware was found masquerading as the cross-platform SSH client and server-management tool Termius in late May 2025.

The researchers identified several key characteristics that distinguish this new variant from previous versions of ZuRu. Firstly, the malware appears to use a modified version of the open-source post-exploitation toolkit known as Khepri to give attackers remote control of infected hosts. This tool is commonly used by threat actors to maintain persistence and launch further attacks.

Furthermore, the researchers discovered that the disk image contains a hacked version of the genuine Termius.app, with an altered application bundle holding two extra executables: a loader named ".localized", designed to download and launch a Khepri command-and-control (C2) beacon from an external server, and a second executable named ".Termius Helper1", which is a renamed copy of the genuine Termius Helper app.

It's essential to note that this new variant has changed its tactics, techniques, and procedures (TTPs), shifting from Dylib injection to trojanizing an embedded helper application. This shift is likely intended to circumvent detection logic used by security software, yet it also suggests continued reliance on certain TTPs.

Researchers at SentinelOne stated that the threat actors behind this malware campaign are more opportunistic than targeted in their attacks, relying heavily on sponsored web searches to distribute the malware, so that those compromised are users searching for remote-connection and database-management tools. This highlights the importance of maintaining robust endpoint protection measures to safeguard against such threats.

The fact that ZuRu has primarily relied on sponsored web searches indicates a lack of sophistication from threat actors seeking to maximize their reach. However, this opportunistic approach also underscores the necessity for developers, IT professionals, and end-users to remain vigilant in their online activities and adhere to best practices for securing software updates and downloads.
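The bundle change described above (hidden executables such as ".localized" and a numbered twin of a real helper dropped beside the genuine binaries) can be turned into a simple host-side check. The script below is an added example, not code from the article, SentinelOne or Termius: it walks an .app bundle, flags any dot-prefixed file that is actually a Mach-O binary (a genuine ".localized" marker file is empty, never executable), and flags a Mach-O whose name is a visible sibling's name plus a trailing number. The bundle layout and file contents it builds in a temporary directory are constructed for the demo and are not the real Termius layout or the real malware.

```python
"""Scan a macOS .app bundle for hidden Mach-O executables and look-alike helper names.

Added example (not from the article, SentinelOne or Termius). The Contents/MacOS
layout and the sample file names below are constructed for the demo.
"""
import os
import re
import tempfile

# First four bytes of Mach-O thin and fat binaries, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat / universal
}


def is_macho(path):
    """True if the file starts with a Mach-O magic number; False for empty or unreadable files."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def scan_bundle(bundle):
    """Return sorted (reason, relative_path) findings for an .app bundle.

    hidden-macho  : a dot-prefixed file that is a Mach-O binary.
    numbered-twin : a Mach-O named like a visible sibling plus a numeric suffix
                    (e.g. ".Termius Helper1" next to "Termius Helper").
    """
    findings = []
    for root, _dirs, files in os.walk(bundle):
        machos = {f for f in files if is_macho(os.path.join(root, f))}
        visible = {f for f in machos if not f.startswith(".")}
        for name in machos:
            rel = os.path.relpath(os.path.join(root, name), bundle)
            if name.startswith("."):
                findings.append(("hidden-macho", rel))
            stripped = name.lstrip(".")
            base = re.sub(r"\d+$", "", stripped)
            if base != stripped and base in visible:
                findings.append(("numbered-twin", rel))
    return sorted(findings)


def build_demo_bundle(root):
    """Construct a toy bundle mirroring the article's description (constructed data)."""
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # 64-bit magic plus padding, not a real binary
    macos = os.path.join(root, "Termius.app", "Contents", "MacOS")
    os.makedirs(macos)
    for name in ("Termius", "Termius Helper", ".Termius Helper1", ".localized"):
        with open(os.path.join(macos, name), "wb") as fh:
            fh.write(fake_macho)
    # Benign control: an empty .localized marker elsewhere in the bundle must not fire.
    resources = os.path.join(root, "Termius.app", "Contents", "Resources")
    os.makedirs(resources)
    open(os.path.join(resources, ".localized"), "wb").close()
    return os.path.join(root, "Termius.app")


def demo():
    """Build the toy bundle in a temp dir and return the scanner's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle(build_demo_bundle(tmp))


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:14} {path}")
```

On a real system you would point `scan_bundle` at an installed application and pair its output with `codesign --verify --deep --strict`, since a tampered bundle should also fail signature verification; the content-based Mach-O check catches the case where a renamed or hidden binary is planted without touching the files the signature covers in the way the scanner expects.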



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-ZuRu-Malware-Variant-Targets-Developers-via-Trojanized-Termius-macOS-App-A-Growing-Concern-for-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2025/07/new-macos-malware-zuru-targeting.html


  • Published: Thu Jul 10 07:10:37 2025 by llama3.2 3B Q4_K_M