
Hackers are bundling the ZuRu trojan with legitimate Mac tools and poisoning search results to advertise the compromised packages, infecting unsuspecting users, SentinelOne warns.
In a recent campaign, the threat actor trojanized the Termius application bundle, a cross-platform secure shell (SSH) client and remote server-management tool.
An updated version of the backdoor, known as macOS.ZuRu, resurfaced in the compromised packages. After installation the trojan runs silently in the background, establishes persistent access, and can download further malicious components and execute the attackers' commands remotely.
The ZuRu backdoor was first detected in China in July 2021, delivered through Baidu search results. Since then, the trojan has been planted in popular macOS utilities used by developers, such as SecureCRT, Navicat, and Microsoft's Remote Desktop for Mac.
Since last year, the pirated apps have carried an updated version of the trojan with more advanced remote command-and-control capabilities.
Attackers sidestep macOS code-signing integrity checks by stripping the developer's original signature and re-signing the modified bundle with their own ad hoc signature. An ad hoc signature carries no developer identity and cannot be notarized, so the bundle still triggers Gatekeeper's unidentified-developer warning on first launch; a user who overrides that warning, or a machine with Gatekeeper disabled, is what the campaign relies on.
“The latest variant of macOS.ZuRu continues the threat actor’s pattern of trojanizing legitimate macOS applications used by developers and IT professionals,” SentinelOne researchers warn in a report.
Security experts assess that the hackers behind this campaign have been successful mainly in environments “lacking sufficient endpoint protection.”
Ferdous Saljooki (@malwarezoo) wrote on May 23, 2025:
“Modified versions of Termius (SSH client) were uploaded to VirusTotal that contain a persistent downloader which fetches and decodes Khepri (an open-source post-exploitation tool).
/Applications/Termius.app/Contents/Frameworks/Termius Helper .app/Contents/MacOS/.localized”
The malicious binaries are relatively large and typically arrive as two extra files added to the original app bundle.
“The malware is delivered via a .dmg disk image and contains a hacked version of the genuine Termius.app. The legitimate version of Termius comes on a disk image of around 225MB, whereas the trojanized version is somewhat larger at 248MB due to the malicious binaries that have been added,” the report explains.
Once launched, the trojanized bundle starts both the malware loader and the legitimate app, so the victim sees the expected application and has no reason to suspect the compromise.
The malicious executable targets recent macOS versions: it requires macOS Sonoma 14.1 (released in October 2023) or later.
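The bundle-level tells described above (an extra Mach-O planted as a hidden dot-file inside a helper app, a minimum-OS requirement of 14.1 that the rest of the bundle does not share, and an ad hoc signature in place of the developer's) can be checked mechanically. The following Python triage script is an added example written for this page; it is not code from the original article, from SentinelOne, or from the Termius project. It walks an .app bundle, identifies Mach-O files by magic bytes, flags any that are hidden or that sit in a Contents/MacOS directory under a name other than the bundle's declared CFBundleExecutable, reads the minimum macOS version from the LC_BUILD_VERSION load command, and parses `codesign -dvvv` output to flag ad hoc signatures. The demo bundle it builds in a temporary directory (with the helper named "Termius Helper.app" and synthetic 56-byte Mach-O headers) is a constructed fixture, not the real malware.

```python
"""Triage an .app bundle for planted Mach-O binaries, their minimum macOS version, and an ad hoc signature."""
import os
import plistlib
import struct
import tempfile

MACHO_MAGICS = {b"\xcf\xfa\xed\xfe": "<", b"\xfe\xed\xfa\xcf": ">"}  # MH_MAGIC_64 -> byte order
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; its header is always big-endian
LC_BUILD_VERSION = 0x32  # load command carrying platform, minos, sdk, ntools


def _version_str(packed):  # Mach-O packs versions as 0xXXXXYYZZ
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def macho_min_os(data):
    """Minimum macOS version declared by a thin or fat 64-bit Mach-O, else None."""
    if data[:4] == FAT_MAGIC and len(data) >= 28:
        # inspect only the first slice: fat_arch = cputype, cpusubtype, offset, size, align
        data = data[struct.unpack(">IIIII", data[8:28])[2]:]
    if data[:4] not in MACHO_MAGICS or len(data) < 32:
        return None
    endian = MACHO_MAGICS[data[:4]]
    ncmds = struct.unpack(endian + "I", data[16:20])[0]  # mach_header_64.ncmds
    pos = 32  # sizeof(mach_header_64); load commands follow immediately
    for _ in range(ncmds):
        if pos + 16 > len(data):
            break
        cmd, cmdsize = struct.unpack(endian + "II", data[pos:pos + 8])
        if cmd == LC_BUILD_VERSION:
            platform, minos = struct.unpack(endian + "II", data[pos + 8:pos + 16])
            if platform == 1:  # PLATFORM_MACOS
                return _version_str(minos)
        if cmdsize < 8:  # malformed command; stop rather than loop forever
            break
        pos += cmdsize
    return None


def _declared_executable(macos_dir):
    """CFBundleExecutable from the Info.plist beside a Contents/MacOS directory."""
    try:
        with open(os.path.join(os.path.dirname(macos_dir), "Info.plist"), "rb") as f:
            return plistlib.load(f).get("CFBundleExecutable")
    except (OSError, plistlib.InvalidFileException):
        return None


def scan_bundle(bundle_path):
    """One finding per Mach-O that is hidden or not the executable its bundle declares."""
    findings = []
    for root, _dirs, files in os.walk(bundle_path):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                data = f.read()
            if data[:4] not in MACHO_MAGICS and data[:4] != FAT_MAGIC:
                continue  # plists, resources, scripts: not native code
            reasons = []
            if name.startswith("."):
                reasons.append("hidden dot-file is a Mach-O executable")
            if os.path.basename(root) == "MacOS" and name != _declared_executable(root):
                reasons.append("not the CFBundleExecutable of its enclosing bundle")
            if reasons:
                findings.append({"path": os.path.relpath(path, bundle_path), "size": len(data),
                                 "min_os": macho_min_os(data), "reasons": reasons})
    return findings


def signature_findings(codesign_output):
    """Flag an ad hoc or identity-less signature in the text `codesign -dvvv` prints to stderr."""
    lines = [line.strip() for line in codesign_output.splitlines()]
    reasons = []
    if "Signature=adhoc" in lines:
        reasons.append("ad hoc signature: no signing identity, cannot be notarized")
    if not any(line.startswith("Authority=Developer ID Application:") for line in lines):
        reasons.append("no Developer ID Application certificate in the chain")
    if "TeamIdentifier=not set" in lines:
        reasons.append("TeamIdentifier not set")
    return reasons


def make_macho(minos):
    """Constructed fixture: an arm64 mach_header_64 plus a single LC_BUILD_VERSION command."""
    lc = struct.pack("<IIIIII", LC_BUILD_VERSION, 24, 1, minos, minos, 0)
    return struct.pack("<IIIIIIII", 0xFEEDFACF, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_demo_bundle(root):
    """Constructed bundle mirroring the layout in the tweet above (not a real Termius.app)."""
    top = os.path.join(root, "Termius.app")
    helper = os.path.join(top, "Contents", "Frameworks", "Termius Helper.app")
    for app, exe in ((top, "Termius"), (helper, "Termius Helper")):
        _write(os.path.join(app, "Contents", "Info.plist"), plistlib.dumps({"CFBundleExecutable": exe}))
        _write(os.path.join(app, "Contents", "MacOS", exe), make_macho(0x000B0000))  # 11.0.0
    _write(os.path.join(helper, "Contents", "MacOS", ".localized"), make_macho(0x000E0100))  # 14.1.0 loader
    return top


def demo():
    """Build the constructed bundle in a temp dir and return what scan_bundle flags."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle(build_demo_bundle(tmp))
```

On a real Mac, point scan_bundle() at the Termius.app on the mounted disk image and feed the stderr of `codesign -dvvv <path>` to signature_findings(). A hidden Mach-O whose minimum OS is higher than the main executable's, as in the demo, is exactly the kind of file to pull for analysis before the bundle is ever launched.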
Attackers use the open-source Khepri beacon for command and control; its capabilities include file transfer, system reconnaissance, process execution and control, and command execution with output capture, among others.
In the recent campaign, the attackers used the malicious domains termius[.]fun and termius[.]info.