macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

First noted by a Chinese blogger in July 2021, macOS.ZuRu is a backdoor that was initially delivered through poisoned web results on Baidu. Users searching for the popular Terminal emulator iTerm2 were redirected to a malicious site hosting a trojanized version of the app. Subsequent ZuRu variants used the same model, poisoning Baidu for other popular macOS utilities including SecureCRT, Navicat and Microsoft’s Remote Desktop for Mac. The selection of trojanized apps suggested the malware authors were targeting users of backend tools for SSH and other remote connections utilities.

In January 2024, researchers at JAMF discovered pirated macOS apps using similar technical indicators, but now leveraging the open-source Khepri C2 framework for post-infection operations. In late May 2025, a new sample trojanizing the cross-platform SSH client and server-management tool Termius came to light on social media.

This recent sample uses a new method to trojanize legitimate applications as well as a modified Khepri beacon. In this post, we provide a technical analysis of this latest version of the malware along with new technical indicators to aid detection engineers and threat hunters.

To read the complete article see: SentinelOne Article

🛡️ Stay informed and safe!