Malicious Versions of the Termius app are Spreading macOS Malware
MacOS Security is overlooked and these attacks prove it.

A modified version of the Termius app is being used to distribute a new variant of the ZuRu malware targeting macOS users. Termius is a widely used SSH client that developers, DevOps and IT professionals use to connect to remote systems over Secure Shell (SSH). The trojanized version of the Termius application can give attackers full remote access to infected machines.
The ZuRu malware is not a new threat. It was first noted by a Chinese blogger in July 2021, when poisoned search results on Baidu, China's equivalent of Google, were being seen. In that case, users searching for the popular terminal emulator iTerm2 were redirected to a malicious site hosting a trojanized version of the real app. Subsequent ZuRu variants used the same model, again poisoning Baidu results for other popular macOS utilities including SecureCRT, Navicat and Microsoft's Remote Desktop for Mac. The selection of trojanized apps suggested the malware authors were targeting users of backend tools for SSH and other remote connection utilities.
More recently, in 2024, researchers at Jamf discovered pirated macOS apps with similar technical indicators, but now leveraging the open-source Khepri C2 framework. Khepri is an open-source, cross-platform command and control framework that gives attackers the tools and capabilities to establish control over compromised systems.
The latest variant of ZuRu
Now, in late May 2025, a new sample trojanizing the cross-platform SSH client and server-management tool Termius came to light. The malware is delivered as a .dmg disk image containing a modified version of the genuine Termius.app. The legitimate version of Termius ships on a disk image of around 225MB, whereas the trojanized version is somewhat larger at 248MB because of the malicious binaries that have been added.
Because the application bundle inside the disk image has been modified, the attackers replaced the developer's code signature with their own ad hoc signature in order to pass macOS code signing checks. An ad hoc signature is not backed by an Apple-issued certificate: it satisfies the basic code-integrity check, but not Gatekeeper's Developer ID and notarization requirements, so the bundle can only run where those requirements are bypassed or overridden.
Despite Apple saying that macOS is "designed with powerful, advanced technologies that work together to keep your Mac and built-in apps more private and more secure", it is HIGHLY recommended to have modern endpoint protection such as EDR or XDR installed and monitored on all macOS systems.
Dangers to the Enterprise
Since these trojanized applications include command and control features, the remote systems being connected to may also be exposed during sessions. Usernames, passwords and even SSH keys may be stolen as well, which can lead to further system compromises.
Key points
Be cautious about download sources: Only download software, including Termius, from official and trusted sources to avoid trojanized versions.
Verify file sizes: Be wary of Termius installations that are significantly larger than expected. The legitimate Termius app is approximately 225MB, while the malicious version is around 248MB.
Use strong endpoint protection: Employ robust antivirus and anti-malware solutions on your macOS systems to detect and prevent such infections. EDR or XDR managed by a security operations center is a must.
Always use multi-factor authentication: Where possible, use centrally managed SSO with MFA.
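The two indicators the article gives for this sample, an oversized disk image and an ad hoc signature in place of the developer's Developer ID chain, can be checked before an installer is ever opened. The following is an added example (not from the original article or from Termius) that parses `codesign -dvv` output and compares the installer size against the known-good size; the bundle identifier, team ID and the two codesign transcripts are constructed samples, not captured from real files.

```python
import re
import subprocess

# Sizes from the write-up: the genuine Termius disk image is about 225 MB, the
# trojanized one about 248 MB. The tolerance leaves room for ordinary version growth.
EXPECTED_DMG_BYTES = 225 * 1024 * 1024
SIZE_TOLERANCE = 0.05

# Constructed samples of `codesign -dvv` output (not captured from real bundles):
# an ad hoc signature like the trojanized app carries, and a Developer ID chain.
SAMPLE_ADHOC = """Executable=/Volumes/Termius/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set"""
SAMPLE_DEVID = """Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
CodeDirectory v=20500 size=5678 flags=0x10000(runtime) hashes=170+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345"""

def size_is_plausible(actual_bytes, expected_bytes=EXPECTED_DMG_BYTES, tolerance=SIZE_TOLERANCE):
    """True when the installer size is within tolerance of the known-good size."""
    return abs(actual_bytes - expected_bytes) <= expected_bytes * tolerance

def parse_codesign(output):
    """Parse codesign's key=value lines; repeated keys (Authority) collect into a list."""
    info = {}
    for line in output.splitlines():
        match = re.match(r"^([A-Za-z ]+?)=(.*)$", line.strip())
        if match:
            key, value = match.groups()
            info.setdefault(key, []).append(value)
    return info

def assess_signature(output):
    """Classify a signature as 'adhoc' (no certificate at all, as on the trojanized
    bundle), 'developer-id' (Apple-issued chain) or 'unknown'."""
    info = parse_codesign(output)
    if "adhoc" in info.get("Signature", []) or info.get("TeamIdentifier") == ["not set"]:
        return "adhoc"
    authorities = info.get("Authority", [])
    if any(a.startswith("Developer ID Application:") for a in authorities) and "Apple Root CA" in authorities:
        return "developer-id"
    return "unknown"

def triage_bundle(app_path):
    """Run codesign against a real bundle (macOS only) and classify its signature."""
    result = subprocess.run(["codesign", "-dvv", app_path], capture_output=True, text=True)
    return assess_signature(result.stderr)  # codesign writes its report to stderr
```

An "adhoc" verdict on an app that normally ships with a Developer ID signature, or an installer well outside the expected size, is reason to discard the download and obtain it again from the vendor.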
Conclusion
The latest variant of macOS.ZuRu continues the threat actor's pattern of trojanizing legitimate macOS applications used by developers and IT professionals. The shift in technique from dylib injection to trojanizing an embedded helper application is likely an attempt to circumvent certain kinds of detection logic. More importantly, the threat actor's continued use of the same tactics, techniques and procedures indicates that their campaigns are succeeding. They continue to target commonly used applications of high-value targets: systems administrators, DevOps and IT professionals. They also continue to use the same domain name patterns and to reuse the same file names, persistence and beaconing methods. This suggests that the target environments lack sufficient endpoint protection and may have poor overall security practices and procedures in general.