New Variant of ZuRu Malware Targets Developers through Compromised Termius for macOS
Published on July 10, 2025
In a concerning development for macOS users, cybersecurity researchers have identified a new variant of the ZuRu malware. This variant specifically targets developers by masquerading as Termius, a widely used SSH client and server management tool. According to a recent report from SentinelOne, the malware was first detected adopting this guise in late May 2025, suggesting a broadening of its attack vectors.
Phil Stokes and Dinesh Devadoss, researchers at SentinelOne, detailed how ZuRu continues to prey on macOS users who are searching for legitimate software. By adapting its loader and command-and-control (C2) techniques, the malware effectively creates backdoors into its victims' systems. This evolution in tactics highlights a dangerous trend in which cybercriminals increasingly rely on maliciously modified versions of trusted applications to infiltrate machines.
The origins of the ZuRu malware can be traced back to September 2021, when it was first reported by a user on Zhihu, a Chinese Q&A platform. At that time, it was associated with a campaign that hijacked searches for the legitimate macOS terminal application, iTerm2. Victims were directed to fraudulent websites that tricked them into downloading the malware, emphasizing the ongoing threat posed by social engineering tactics in cyber attacks.
Adding to the picture, Jamf Threat Labs reported in January 2024 that it had uncovered instances of the malware delivered through pirated macOS applications. This distribution method further underscores the importance of acquiring software from reputable sources, as the lure of free or pirated versions can lead to serious compromise.
For businesses, understanding the tactics employed in attacks like these is crucial. Mapped to the MITRE ATT&CK framework, they include initial access, where cybercriminals infiltrate a system through compromised software, and persistence, wherein the malware ensures ongoing access to the victim's environment even after initial detection attempts. Techniques such as privilege escalation may also be employed, allowing attackers to gain higher-level access within a compromised system.
As threats like the ZuRu malware continue to evolve, it is imperative for business owners to remain vigilant. Implementing robust security measures, enhancing employee training on identifying suspicious software, and ensuring software is sourced from verified channels are essential steps in safeguarding sensitive data against these types of cyber threats.
As the cybersecurity landscape becomes increasingly fraught with risks, staying informed about such developments is essential for maintaining the integrity of business operations and protecting customer information.