ZuRu Malware Hijacks Termius App to Target macOS Users
A newly discovered variant of the ZuRu malware hijacks Termius, a popular SSH client, to target macOS users with advanced infection tactics. Security researchers uncovered the campaign in late May 2025, marking a significant shift in the malware’s delivery method. Instead of poisoning search results, attackers now bundle malicious code within legitimate applications used by IT professionals.
This latest version of ZuRu malware hijacks Termius by embedding harmful binaries into the app’s helper processes. The altered disk image, sized at 248MB, exceeds the original by 23MB and carries an ad hoc developer signature to bypass macOS security checks. SentinelOne researchers noted that the malware launches both the genuine app and a loader component, enabling stealthy operation.
A persistent LaunchDaemon ensures continued access, while the malware communicates with its command server via DNS traffic. This method increases the likelihood of evading traditional detection tools.
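The ad hoc signature is the detail a defender can check for directly. The script below is an added example, not code from the article or from SentinelOne: it classifies a macOS bundle's signature from `codesign -dv --verbose=4` output, distinguishing an ad hoc signature from a Developer ID certificate chain. The sample codesign dumps, bundle names and team ID are constructed placeholders.

```python
import re
import subprocess

# Constructed samples of `codesign -dv --verbose=4` output (not captured from
# Termius or the malware); identifiers and team IDs are placeholders.
GENUINE_OUTPUT = """\
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
ADHOC_OUTPUT = """\
Identifier=com.example.app
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
"""
UNSIGNED_OUTPUT = "/tmp/Example.app: code object is not signed at all\n"

def parse_codesign(output: str) -> dict[str, list[str]]:
    """Collect codesign's key=value lines; keys such as Authority repeat."""
    fields: dict[str, list[str]] = {}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*?)=(.*)$", line.strip())
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def classify_signature(output: str) -> str:
    """Return 'unsigned', 'adhoc', 'developer-id' or 'other' for one codesign dump."""
    if "code object is not signed at all" in output:
        return "unsigned"
    fields = parse_codesign(output)
    if "adhoc" in fields.get("Signature", []):
        return "adhoc"          # no certificate chain: anyone can produce this
    if any(a.startswith("Developer ID Application:") for a in fields.get("Authority", [])):
        return "developer-id"   # chained to Apple's Developer ID CA
    return "other"

def codesign_dump(path: str) -> str:
    """Run codesign on a bundle or binary (macOS only); the dump goes to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return proc.stderr
```

On a Mac, `classify_signature(codesign_dump("/Applications/Some.app"))` returning "adhoc" or "unsigned" for an app the vendor normally ships with a Developer ID signature is the signal to investigate the bundle's helper binaries.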
Read the full article at: New ZuRu Malware Variant Attacking macOS Users Via Weaponized Termius App
