A new variant of the macOS.ZuRu malware has emerged, targeting macOS users through a weaponized version of the popular Termius SSH client. This latest iteration, discovered in late May 2025, represents a significant evolution in the threat actor's tactics, moving beyond their traditional Baidu search engine poisoning campaigns to directly compromise legitimate applications used by developers and IT professionals. SentinelOne researchers identified the variant as part of their ongoing monitoring of macOS threats, noting significant technical improvements in the malware's deployment methodology.

The ZuRu malware family first surfaced in July 2021, when a Chinese blogger identified trojanized versions of popular macOS utilities being distributed through poisoned search results. Initially targeting applications such as iTerm2, SecureCRT and Microsoft Remote Desktop, the malware has consistently focused on tools used by backend developers and system administrators who require SSH and remote connection capabilities.

The weaponized Termius application arrives as a 248MB disk image, noticeably larger than the legitimate 225MB version because of the embedded malicious binaries. The threat actors have abandoned their previous dynamic library injection technique in favor of embedding malicious components directly within the target application's helper processes. The multi-stage infection process begins with the modification of the legitimate Termius Helper.app component. Upon execution, the trojanized helper launches both the original application, to maintain normal functionality, and the malware loader .localized, which initiates the infection chain. The attackers replaced the original developer signature with their own ad hoc signature to satisfy macOS code-signing requirements, demonstrating their understanding of Apple's security mechanisms. An ad hoc signature lets the modified binaries pass the kernel's signature check on Apple silicon, but it carries no Developer ID and is not notarized, so the app still depends on the user bypassing Gatekeeper when launching a quarantined download.
Inside the helper bundle, the original 248KB Termius Helper binary is renamed to .Termius Helper1, while a 25MB malicious replacement takes its place. This shift toward direct application compromise is concerning because it can bypass detection logic that focuses on external library injection.

Once running, the beacon maintains a rapid 5-second heartbeat with the command and control server at ctl01.termius[.]fun over port 53, so that it blends with legitimate DNS traffic, while a [.]com domain serves as a decoy. The malware's continued success suggests that environments lacking robust endpoint protection remain vulnerable to these social engineering attacks.
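The helper tampering described above (a renamed original helper and a loader hidden as dot-files, an oversized replacement helper, and an ad hoc signature where a developer signature should be) can be checked from the filesystem. The script below is an added example, not SentinelOne's or Termius's code; it assumes the usual Electron bundle layout under Contents/Frameworks/Termius Helper.app, uses an arbitrary 5 MB ceiling for a plausible helper binary, and builds a constructed sample bundle for demonstration.

```python
"""Triage a Termius.app bundle for the helper tampering described in the report.

Added example, not SentinelOne's or Termius's code. Assumptions: the usual
Electron bundle layout (Contents/Frameworks/Termius Helper.app/Contents/MacOS),
a 5 MB ceiling for a plausible helper binary, and the constructed sample bundle
written by build_sample_bundle() for demonstration.
"""
import os
import shutil
import subprocess
import tempfile

HELPER_APP = os.path.join("Contents", "Frameworks", "Termius Helper.app")  # assumed layout
HELPER_MACOS = os.path.join(HELPER_APP, "Contents", "MacOS")
HELPER_NAME = "Termius Helper"
# The report gives the legitimate helper as roughly 248 KB and the dropped
# replacement as 25 MB; 5 MB is an assumed cut-off between the two.
MAX_HELPER_BYTES = 5 * 1024 * 1024


def check_adhoc_signature(bundle_path):
    """True if codesign reports an ad hoc signature, False otherwise,
    None when codesign is unavailable (i.e. not running on macOS)."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", bundle_path],
                          capture_output=True, text=True)
    # codesign prints signing details to stderr; an ad hoc signature appears as
    # "Signature=adhoc" and carries no "Authority=Developer ID ..." line.
    return "Signature=adhoc" in proc.stderr


def scan_helper(app_path):
    """Return findings for the helper's MacOS directory of one Termius.app."""
    macos_dir = os.path.join(app_path, HELPER_MACOS)
    findings = {"hidden_executables": [], "oversized_helper": False,
                "adhoc_signed": None, "missing": False}
    if not os.path.isdir(macos_dir):
        findings["missing"] = True
        return findings
    for name in sorted(os.listdir(macos_dir)):
        path = os.path.join(macos_dir, name)
        # The renamed original (.Termius Helper1) and the loader (.localized)
        # are dot-files; a clean MacOS directory has no hidden executables.
        if name.startswith(".") and os.path.isfile(path) and os.access(path, os.X_OK):
            findings["hidden_executables"].append(name)
    helper = os.path.join(macos_dir, HELPER_NAME)
    if os.path.isfile(helper) and os.path.getsize(helper) > MAX_HELPER_BYTES:
        findings["oversized_helper"] = True
    findings["adhoc_signed"] = check_adhoc_signature(os.path.join(app_path, HELPER_APP))
    return findings


def is_suspicious(findings):
    """Any one indicator is enough to pull the bundle for analysis."""
    return bool(findings["hidden_executables"]) or findings["oversized_helper"] \
        or findings["adhoc_signed"] is True


def build_sample_bundle(root, trojanized):
    """Write a constructed bundle skeleton (sparse files, demo data only)."""
    app_path = os.path.join(root, "Termius.app")
    macos_dir = os.path.join(app_path, HELPER_MACOS)
    os.makedirs(macos_dir)

    def write(name, size):
        path = os.path.join(macos_dir, name)
        with open(path, "wb") as f:
            f.truncate(size)
        os.chmod(path, 0o755)

    if trojanized:
        write(HELPER_NAME, 25 * 1024 * 1024)   # malicious replacement
        write(".Termius Helper1", 248 * 1024)  # renamed original helper
        write(".localized", 4096)              # loader
    else:
        write(HELPER_NAME, 248 * 1024)
    return app_path


def demo():
    """Scan a constructed trojanized and a constructed clean bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = scan_helper(build_sample_bundle(os.path.join(tmp, "bad"), True))
        good = scan_helper(build_sample_bundle(os.path.join(tmp, "good"), False))
    return {"trojanized": bad, "clean": good}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "SUSPICIOUS" if is_suspicious(result) else "ok", result)
```

On a real Mac, point scan_helper() at /Applications/Termius.app; the codesign check only runs where codesign exists and is reported as None elsewhere, so the filesystem indicators carry the verdict on a mounted image examined from another host.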
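The beacon described above hides on port 53, but a 5-second heartbeat to a host that is not one of the organisation's resolvers is easy to separate from real DNS on cadence alone. The following is an added example of that detection logic, not a SentinelOne or vendor rule; the log lines are constructed in Zeek conn.log style (ts, id.orig_h, id.resp_h, id.resp_p, proto) with documentation-range addresses, and the resolver allow-list, the six-flow minimum and the jitter tolerance are assumptions to tune per environment.

```python
"""Spot a fixed-cadence beacon hiding on port 53, as described in the report.

Added example, not a SentinelOne or vendor detection. The log lines are
constructed in Zeek conn.log style (ts, id.orig_h, id.resp_h, id.resp_p, proto);
the resolver allow-list, the six-flow minimum and the jitter tolerance are
assumptions to tune per environment.
"""
from collections import defaultdict
from statistics import median, pstdev

KNOWN_RESOLVERS = {"10.0.0.53"}   # assumed: the only sanctioned DNS server
MIN_FLOWS = 6                     # assumed: fewer flows than this is not a cadence
MAX_JITTER = 0.5                  # assumed: seconds of std-dev tolerated in gaps

# Constructed sample. 192.168.1.21 talks to a non-resolver on tcp/53 every 5 s,
# 192.168.1.20 does ordinary DNS lookups, 192.168.1.22 is unrelated HTTPS.
SAMPLE_LOG = """\
1752000000.10 192.168.1.20 10.0.0.53 53 udp
1752000000.00 192.168.1.21 203.0.113.7 53 tcp
1752000000.40 192.168.1.20 10.0.0.53 53 udp
1752000005.02 192.168.1.21 203.0.113.7 53 tcp
1752000003.70 192.168.1.20 10.0.0.53 53 udp
1752000010.01 192.168.1.21 203.0.113.7 53 tcp
1752000009.00 192.168.1.22 198.51.100.9 443 tcp
1752000014.98 192.168.1.21 203.0.113.7 53 tcp
1752000017.00 192.168.1.20 10.0.0.53 53 udp
1752000020.00 192.168.1.21 203.0.113.7 53 tcp
1752000025.03 192.168.1.21 203.0.113.7 53 tcp
1752000030.01 192.168.1.21 203.0.113.7 53 tcp
"""


def parse_conn_log(text):
    """Group connection timestamps by (src, dst, dport, proto)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows[(src, dst, int(dport), proto)].append(float(ts))
    return flows


def find_beacons(text):
    """Return flows to port 53 that bypass the resolvers at a steady cadence."""
    hits = []
    for (src, dst, dport, proto), stamps in parse_conn_log(text).items():
        if dport != 53 or dst in KNOWN_RESOLVERS or len(stamps) < MIN_FLOWS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # A heartbeat produces near-identical gaps; human-driven DNS does not.
        if pstdev(gaps) <= MAX_JITTER:
            hits.append({"src": src, "dst": dst, "proto": proto,
                         "flows": len(stamps),
                         "cadence": round(median(gaps), 1)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}:53/{hit['proto']} "
              f"every {hit['cadence']}s over {hit['flows']} flows")
```

To run it against a real Zeek conn.log, project the five columns with zeek-cut (ts id.orig_h id.resp_h id.resp_p proto) and feed the output to find_beacons(). Independently of cadence, TCP to port 53 on any host other than the sanctioned resolvers is worth an alert of its own in most networks.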
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Jul 2025 21:45:16 +0000