New ZuRu MacOS Malware Spreads Via Trojanized Business Apps

HomeNews* Researchers identified new activity from the ZuRu macOS Malware in late May 2025.

• ZuRu disguises itself as legitimate software, including the Termius SSH client, to infect Mac computers.
• The malware uses a modified open-source toolkit called Khepri for remote access and control.
• Attackers distribute ZuRu primarily through trojanized apps found via sponsored web searches.
• Recent changes show the malware now uses new methods to bypass security on macOS systems. Cybersecurity experts have detected fresh signs of ZuRu, a malware affecting Apple’s macOS, in May 2025. The malware spreads by imitating popular business and IT management applications, targeting users through altered installation files. ZuRu’s latest appearance involves mimicking the SSH client and server-management tool Termius.

• Advertisement - According to a report from SentinelOne, researchers observed ZuRu using a fake version of Termius. Attackers delivered the malware via a .dmg disk image, which included a tampered application bundle signed with the threat actor’s own code signature. This particular method allows ZuRu to bypass macOS code signing restrictions.

The report notes that ZuRu employs a modified version of Khepri, an open-source toolkit that lets attackers remotely control infected systems. The malware installs extra executables, including a loader designed to fetch commands from an external server. “ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets,” researchers Phil Stokes and Dinesh Devadoss stated.

First documented in September 2021, ZuRu was known to hijack searches related to popular Mac tools like iTerm2. It directed users to fake websites, leading them to download malware-infected files. In January 2024, Jamf Threat Labs connected ZuRu to pirated apps, including Microsoft’s Remote Desktop for Mac, SecureCRT, and Navicat, all distributed with hidden malware.

The recent variant changes how it hides within apps. Instead of modifying the main executable with a malicious add-on, attackers now embed the threat inside a helper application. This adjustment appears aimed at dodging traditional malware detection. The loader checks for the presence of existing malware, verifies its integrity, and downloads updates if a mismatch is found.

The Khepri tool’s features include file transfers, system monitoring, running programs, and capturing output, all controlled via a remote server. Researchers note that the attackers focus on trojanizing tools commonly used by developers and IT professionals. They also rely on techniques such as persistence modules and beaconing methods to maintain their hold on compromised systems. More information can be found in SentinelOne’s detailed analysis.

Previous Articles:

• Bitcoin Hits $111K: 4 Signs Retail Investors Are Returning
• SDX and Pictet Complete Pilot to Tokenize and Fractionalize Bonds
• Latvia Allows Companies to Use Cryptocurrency for Share Capital
• Australia Approves 24 Tokenized Asset Pilots With Major Banks
• Dogecoin Could Surge 177% to $0.50 By 2030, Analysts Predict

• Advertisement -