ZuRu Returns to Target macOS with Trojanized Business Apps

macOS ZuRu malware

A macOS backdoor known as macOS.ZuRu, first spotted in July 2021, has reappeared in several variants since then; the most recent of these carries technical changes over earlier versions. The threat was initially delivered via poisoned Baidu web results that redirected targets to a trojanized version of the iTerm2 terminal emulator. Business users seeking legitimate tools are in the crosshairs of this attack, putting enterprise security at risk. Cybersecurity company SentinelOne has published findings on the latest resurgence of ZuRu, notable because it uses a new method for trojanizing legitimate applications.

The Anatomy of ZuRu’s Latest Campaign

The recent return of ZuRu has leveraged trojanized applications, including the cross-platform SSH client and server-management tool Termius, Microsoft Remote Desktop, SecureCRT, and Navicat. The infection vector is a .dmg disk image containing a doctored app bundle in which the developer’s code signature has been replaced and two executables have been added to the embedded application. Research from SentinelOne and Jamf Threat Labs on the recent campaign analyzes the details of the attack, including a modified Khepri beacon, execution of system calls, and launching of unknown executables.

Tactics, Techniques, and Procedures (TTPs)

These attacks use hijacked search ads and sponsored web results to distribute malicious downloads. By compromising search results and downloads for legitimate tools, the attackers effectively gain the trust of their targets and use it to deliver the malicious payload. The .localized loader carries out checking and installation tasks and establishes persistence via a LaunchDaemon after requesting elevated privileges from the target.

The download of the modified Khepri command and control (C2) beacon happens in the background while the Termius Helper behaves as the user expects. The Khepri C2 framework enables post-exploitation operations, including file transfer, system reconnaissance, and process and command execution. The attackers also replace the legitimate developer’s code signature with an ad hoc signature to get past Apple’s code signing safeguards.

Why macOS Users (and Businesses) Are at Risk

These attacks put both individuals and enterprises at risk, endangering critical endpoints. “Although the macOS ZuRu malware is primarily a concern for endpoint and supply chain security, its broader implications affect an organization’s overall security, especially regarding APIs,” says Eric Schwake, Director of Cybersecurity Strategy at Salt Security, a Palo Alto, Calif.-based provider of API security. “The risk lies in how compromised endpoints can directly access critical systems and data, much of which is managed and accessed through APIs.” Sideloaded and pirated software in enterprise environments poses a great risk to sensitive systems, accounts, and data.

Many attackers target IT and database management tools, which often offer opportunities for lateral movement and privilege escalation, leading to deeper infiltration and breaches. While Apple builds security policies into macOS, users and organizations cannot afford complacency. Relying on built-in security measures alone, under an illusion of security, is a danger to individuals and businesses.

Defensive Measures and Industry Response

In order to protect against this type of deceptive attack hiding in what may seem like a legitimate download, it is crucial for organizations and users to be aware of the risks and take steps against them. “To protect themselves, users should adhere to software security best practices, such as downloading applications from trusted sources, such as the App or Play Store, keeping software up-to-date, and avoiding suspicious links,” according to Nivedita Murthy, Senior Staff Consultant at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.

Users and IT teams are also encouraged to verify code signatures to ensure they are using official, unaltered versions of software. Apple’s security protocols have limitations, and attackers continually advance their tactics to evade known security measures. Security awareness and endpoint protection platforms are vital in protecting against security incidents.
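The signature check recommended here, and the ad hoc re-signing tactic described in the TTP section, can be turned into a small audit script. The following is an added example written for this article; it is not code from the article, SentinelOne, or Jamf. It assumes the macOS `codesign` and `spctl` tools when pointed at a real bundle, while the classifier function only parses text, so the constructed sample at the bottom runs anywhere. The sample `codesign` output, the path and the bundle identifier in it are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the vendors it cites): audit a
# macOS app bundle for the signature tell described above. ZuRu replaces the
# developer's Developer ID signature with an ad hoc one, so an "adhoc"
# signature or a missing Team ID on a commercial app is a red flag.

# classify_signature: read `codesign -dv --verbose=4` output on stdin and
# print one of: unsigned | adhoc | developer | unknown
classify_signature() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'code object is not signed'; then
        echo unsigned
    elif printf '%s\n' "$out" | grep -q '^Signature=adhoc'; then
        echo adhoc
    elif printf '%s\n' "$out" | grep -q '^TeamIdentifier=[A-Z0-9]\{10\}$'; then
        echo developer
    else
        echo unknown
    fi
}

# check_app: run codesign/spctl against a bundle path and print a verdict.
# Returns 0 when the app carries a Developer ID signature whose seal
# verifies and which passes Gatekeeper, 1 otherwise. macOS only.
check_app() {
    app=$1
    kind=$(codesign -dv --verbose=4 "$app" 2>&1 | classify_signature)
    echo "signature: $kind"
    case $kind in
        developer) ;;
        *) echo "WARNING: $app is not signed with a developer Team ID ($kind)"
           return 1 ;;
    esac
    # --deep --strict re-checks nested code (helpers, frameworks) against
    # the seal; ZuRu adds executables inside the bundle, so any later
    # tampering after the legitimate signing would show up here.
    if ! codesign --verify --deep --strict "$app" 2>&1; then
        echo "WARNING: bundle contents do not match the signature seal"
        return 1
    fi
    if ! spctl --assess --type execute "$app" 2>&1; then
        echo "WARNING: Gatekeeper rejects $app"
        return 1
    fi
    echo "OK: $app"
}

# Constructed sample of what codesign prints for an ad hoc re-signed bundle
# (path, identifier and sizes are made up for this example).
SAMPLE_ADHOC='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=12+7 location=embedded
Signature=adhoc
TeamIdentifier=not set'

if [ -n "${1:-}" ]; then
    check_app "$1"          # usage: sh audit.sh /Applications/SomeApp.app
else
    printf '%s\n' "$SAMPLE_ADHOC" | classify_signature   # prints: adhoc
fi
```

The classifier deliberately keys on `Signature=adhoc` and on a ten-character Team ID rather than on the signing authority's name: an attacker who re-signs a bundle can keep the original bundle identifier and version strings, but cannot produce a Developer ID signature for a team they do not control. Note that `codesign --verify` alone will pass on an ad hoc re-signed bundle, because the attacker sealed the added executables along with the rest; the ad hoc classification is the decisive check.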

The Evolving macOS Threat Landscape

The evolution of the macOS ZuRu malware reflects attackers’ efforts to develop more sophisticated techniques and launch more effective attacks. These attacks have broader implications for macOS malware in 2025 and beyond: organizations and individuals need effective strategies against such threats and must adapt their security measures over time to stay protected. This recent ZuRu development exemplifies a shift from targeted attacks to opportunistic campaigns in macOS threats. In an age of increasing abuse of the trust that users place in seemingly legitimate software, it is essential to stay vigilant against malicious tools.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.