On 10 July 2025, cybersecurity researchers uncovered a renewed campaign of the macOS.ZuRu backdoor, this time embedded within a doctored version of the popular SSH client Termius. The malicious app quietly installs a modified Khepri command-and-control (C2) implant, enabling persistent remote access on macOS systems and raising fresh concerns for IT teams, particularly in the MEA region, where macOS adoption continues to rise.
First flagged in July 2021, macOS.ZuRu trojanized macOS apps by hijacking Baidu’s search results. In January 2024, researchers at Jamf revealed variants embedding the open-source Khepri C2.
In May 2025, a fresh campaign emerged targeting Termius.app, a cross-platform SSH tool popular among developers and administrators.
Technical Analysis: How It Works
Delivery Method
The threat is delivered as a malicious .dmg installer. The authentic Termius application is repackaged (growing from ~225 MB to ~248 MB) and re-signed to bypass macOS signature validation.
Trojan Components & Persistence
Two extra executables are embedded:
- A massive 25 MB Mach-O loader (named .localized) that injects the Khepri beacon.
- A renamed helper, .Termius Helper1, that keeps the legitimate app functions working.
Upon launch, .localized fetches a Khepri beacon from download.termius[.]info, drops it into /tmp/.fseventsd, and requests elevated privileges from the user. A LaunchDaemon plist (com.apple.xssooxxagent) is then installed in /Library/LaunchDaemons/ to maintain hourly persistence.
Reverse-Engineered Loader Logic
- Instance locking via /tmp/apple-local-ipc.sock.lock.
- Payload integrity check: a modulo-based MD5 hash comparison, with a fresh download if the hash mismatches.
- Modified decryption routine: uses the key "my_secret_key" for XOR-based decoding, adding obfuscation beyond simple XOR encryption.
Khepri C2 Capabilities
The embedded beacon is a Khepri-based C2 implant (~174 KB Mach-O), requiring macOS Sonoma 14.1+ and capable of reconnaissance, file transfer, remote shell, and command execution (intel.dev.threatlabs.protect.jamfcloud.com).
The beacon communicates with ctl01.termius[.]fun over DNS port 53, masking itself as legitimate traffic via www.baidu.com requests, mirroring ZuRu’s previous domain setup.
Regional and Global Implications
MEA Region Risk
macOS is gaining ground in MEA, especially within tech hubs in UAE, Saudi Arabia, and South Africa. As Termius becomes increasingly popular among cloud engineers and pentesters, users in these regions are now at greater risk. The lack of regional malware protection tools exacerbates this threat.
Global Context
This campaign illustrates a shift in macOS malware tactics—trojanizing legitimate tools running on endpoints, compared to previous methods like dynamic library injection. Enterprises operating across continents must reassess their macOS endpoint protection as these threats spread globally.
Expert Quotes
“Attackers target legitimate tools to blend in with developer workflows—making detection far more challenging,” says Jaron Bradley of Jamf Threat Labs (Dark Reading).
SentinelOne reports that its Singularity platform successfully “detects and blocks macOS.ZuRu’s persistence and execution” when protection is enabled (Webasha).
MITRE ATT&CK Mapping
| Phase | Technique | ID |
|---|---|---|
| Initial Access | External Remote Services (Trojanized installer) | T1190 |
| Persistence | Launch Daemon | T1543.003 |
| Defense Evasion | Masquerading via Domain Impersonation | T1036 |
| Payload Delivery | Download Remote File | T1105 |
| C2 | Standard Application Layer Protocol (DNS over port 53) | T1071.004 |
| Execution | Command Execution | T1059 |
Actionable Recommendations
- Avoid unofficial macOS tools: install apps from verified sources only
- Enforce code-signing policies: block ad-hoc signed bundles at gatekeepers
- Deploy XDR/EDR solutions, e.g., SentinelOne, for macOS protection (Webasha)
- Monitor LaunchDaemons: alert on unknown plist entries
- Block DNS anomalies: use DNS filters to flag suspicious outbound requests
- Enable least privilege UAC: reduce risk of elevation via prompts
- Run regular endpoint scans: search for .fseventsd, .localized, and suspicious binaries
- Harden developer workstations: segregate dev/admin environments
- Train staff on threats from malicious installers and ad-hoc signing
- Share MITRE mapping and indicators with local CERTs and MEA partners
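The dropped-file and LaunchDaemon artifacts described in the technical analysis, together with the endpoint-scan and LaunchDaemon-monitoring recommendations above, translate directly into a host triage check. The following POSIX shell function is an added example written for this article, not tooling from Jamf, SentinelOne or the Khepri project; it assumes the beacon path, lock file and LaunchDaemon label named in the analysis, assumes Termius is installed under /Applications or a user's ~/Applications (the article does not state the install location), and takes an optional root directory so the same logic can be exercised against a staged directory tree.

```shell
#!/bin/sh
# Added example: triage a macOS host for the on-disk artifacts this article
# attributes to the ZuRu/Termius campaign. Not code from the article's sources.
# Usage: zuru_triage [ROOT]   (ROOT defaults to "/"; a staged tree can be passed)
zuru_triage() {
    root="${1:-/}"
    root="${root%/}"        # "/" becomes "" so "$root/tmp" stays "/tmp"
    hits=0

    # 1. Khepri beacon dropped by the loader into /tmp
    if [ -e "$root/tmp/.fseventsd" ]; then
        echo "HIT: dropped beacon path $root/tmp/.fseventsd"
        hits=$((hits + 1))
    fi

    # 2. Single-instance lock file created by the loader
    if [ -e "$root/tmp/apple-local-ipc.sock.lock" ]; then
        echo "HIT: loader lock file $root/tmp/apple-local-ipc.sock.lock"
        hits=$((hits + 1))
    fi

    # 3. LaunchDaemon persistence under an Apple-looking label
    plist="$root/Library/LaunchDaemons/com.apple.xssooxxagent.plist"
    if [ -e "$plist" ]; then
        echo "HIT: persistence plist $plist"
        hits=$((hits + 1))
    fi

    # 4. Loader hidden in the Termius bundle: a multi-megabyte regular file
    #    named .localized (a genuine .localized is an empty marker or a directory).
    #    The install locations below are an assumption, not stated in the article.
    for app in "$root/Applications/Termius.app" "$root"/Users/*/Applications/Termius.app; do
        [ -d "$app" ] || continue
        found=$(find "$app" -name ".localized" -type f -size +1M 2>/dev/null)
        if [ -n "$found" ]; then
            echo "HIT: oversized .localized file(s) in $app:"
            echo "$found"
            hits=$((hits + $(echo "$found" | wc -l)))
        fi
    done

    echo "zuru_triage: $hits indicator(s) found under ${root:-/}"
    [ "$hits" -eq 0 ]     # exit status 0 = clean, 1 = indicators present
}
```

A non-zero exit status makes the function usable as a scheduled check that feeds an EDR or SIEM alert; a hit on the plist or beacon path should be followed by a full review of the host rather than just deleting the files, since the beacon has already been granted elevated privileges.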
Conclusion
The return of macOS.ZuRu through a compromised Termius installer marks a worrying evolution in macOS threats, leveraging legitimate developer tools to stealthily implant a powerful Khepri beacon. Regional organizations must ramp up endpoint protections, implement stricter installation policies, and update detection strategies to guard against these emerging macOS threats.
References
- Jamf Threat Labs analysis on poisoned macOS apps (jamf.com)
- Dark Reading report on Khepri-based macOS malware (Dark Reading)
- SentinelOne macOS protection and detection data (Poespas Media)
- GitHub Khepri C2 repository (GitHub)