Popular macOS Developer Tools Compromised in Targeted Trojan Campaign
Attackers are using a quiet but effective approach against macOS users, with developers and IT professionals as the primary targets. SentinelOne researchers have found that the threat actors are bundling legitimate Mac applications with a backdoor known as ZuRu and distributing the modified packages through poisoned search results.
The recent campaign centers on a tampered version of Termius, a widely used SSH client for remote server management. Users who download what appears to be the genuine Termius app instead receive a disk image (.dmg) containing both the legitimate application and the macOS.ZuRu backdoor.
The malicious bundle operates silently. When launched, it opens the real app so nothing looks wrong to the user while the malware starts in the background. The trojan gives attackers persistent access: they can download and execute additional payloads, exfiltrate data, and control the compromised machine remotely.
How Hackers Bypass Apple’s Security and Maintain Access
To get a modified bundle past macOS's code-signing checks, the attackers replace the vendor's original code signature and re-sign the application with their own temporary signing identity. That keeps the bundle internally consistent, so the tampered app launches without the integrity failure a modified-but-unsigned bundle would trigger, and nothing obvious happens at launch. It does, however, break the link to the vendor's Developer ID, which is exactly what a signature check against the expected signing identity reveals.
According to SentinelOne's analysis, the modified Termius app is about 248 MB, compared with 225 MB for the original; the difference is the added malicious binaries. Size alone is a weak signal, but a download noticeably larger than the vendor's is worth a closer look.
This ZuRu build targets newer Macs and requires macOS Sonoma 14.1 or later. Once deployed, it establishes command and control (C2) through the open-source Khepri beacon, which supports remote functions such as:
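The check a practitioner would run on a freshly downloaded bundle before its first launch, as an added shell example (not code from the article or from SentinelOne). It assumes the vendor ships a Developer ID-signed app; EXPECTED_TEAM_ID is a placeholder to be taken from a known-good install, and the path in the usage line is illustrative:

```shell
#!/bin/sh
# Added example (not from the original article or SentinelOne): verify a
# downloaded macOS app bundle's signature before first launch.
# EXPECTED_TEAM_ID is a placeholder; take the real value from a known-good
# install of the app, e.g.
#   codesign -dv --verbose=4 /Applications/Termius.app 2>&1 | grep TeamIdentifier
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-ABCDE12345}"

# check_signature_info reads the output of `codesign -dv --verbose=4` on stdin
# and returns 0 only if the leaf Authority is a Developer ID certificate and the
# TeamIdentifier equals the expected one. A bundle that was stripped and
# re-signed by someone else prints a different team (or "not set" for an
# ad-hoc signature) and fails here even though `codesign --verify` passes.
check_signature_info() {
    expected="$1"
    info=$(cat)
    authority=$(printf '%s\n' "$info" | sed -n 's/^Authority=//p' | head -n 1)
    team=$(printf '%s\n' "$info" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    case "$authority" in
        "Developer ID Application: "*) ;;
        *)  echo "FAIL: not Developer ID signed (Authority=${authority:-none})"
            return 1 ;;
    esac
    if [ "$team" != "$expected" ]; then
        echo "FAIL: TeamIdentifier=${team:-none}, expected $expected"
        return 1
    fi
    echo "OK: Developer ID signature from team $team"
    return 0
}

# verify_app runs the three checks that together catch a re-signed bundle:
# seal integrity, signer identity, and the Gatekeeper verdict.
verify_app() {
    app="$1"
    # 1. Every nested binary and resource must match the signature's seal.
    codesign --verify --deep --strict "$app" || { echo "FAIL: $app: broken signature"; return 1; }
    # 2. The signer must be the vendor's Developer ID (codesign -d writes to stderr).
    codesign -dv --verbose=4 "$app" 2>&1 | check_signature_info "$EXPECTED_TEAM_ID" || return 1
    # 3. Ask Gatekeeper for the verdict it would give at first launch.
    spctl --assess --type execute -vv "$app" || { echo "FAIL: $app: Gatekeeper rejects"; return 1; }
    echo "OK: $app passed all checks"
}

# Usage (illustrative path): sh verify_app.sh /Volumes/Termius/Termius.app
if [ $# -gt 0 ]; then
    verify_app "$1"
fi
```

The first command only checks that the bundle matches its own seal, which a re-signed bundle passes too; the identity comparison is the step that catches the substitution, because whoever re-signed the app could not reproduce the vendor's Team ID. The parsing is kept in its own function so it can be exercised against saved codesign output.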
- File upload/download
- Process execution and control
- System reconnaissance
- Command execution with output retrieval
This level of access allows attackers to quietly monitor and manipulate infected systems without immediate detection.
Campaign Origins and Long-Term Use of ZuRu
ZuRu is not new. It first surfaced in China in July 2021, distributed through malicious Baidu search results. Since then the threat actors have kept updating the malware and embedding it in trojanized copies of legitimate tools such as SecureCRT, Navicat, and Microsoft Remote Desktop for macOS.
In this wave, researchers observed lookalike domains such as termius[.]fun and termius[.]info hosting the compromised apps. SentinelOne's findings indicate the malware does best in environments without adequate endpoint protection, a reminder that even enterprise developers remain exposed to trojanized software when basic defenses are absent.
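One way to turn the lookalike domains above into a detection, as an added shell example that is not part of the article or of SentinelOne's report: it scans resolver log lines for any name that uses the brand as a label but is not under the vendor's real domain (assumed here to be termius.com), so it goes beyond the two named domains and also catches variants such as termius-mirror.xyz. The log format and the sample lines in the test are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article or SentinelOne): scan a DNS
# query log for lookalike domains impersonating the vendor. The log format is
# constructed for this example: one query per line, queried name in the last
# field. LEGIT_DOMAIN is an assumption; set it to the vendor's real domain.
LEGIT_DOMAIN="${LEGIT_DOMAIN:-termius.com}"
BRAND="${BRAND:-termius}"

# flag_lookalike_queries reads log lines on stdin, prints every line whose
# queried name starts a label with the brand but is neither the legitimate
# domain nor a subdomain of it, and returns 0 if at least one line was
# flagged (1 otherwise). It keys on the label rather than a fixed list, so it
# catches termius[.]fun and termius[.]info as well as names like
# termius-mirror.xyz, while api.termius.com passes.
flag_lookalike_queries() {
    awk -v legit="$LEGIT_DOMAIN" -v brand="$BRAND" '
        BEGIN {
            brand_re = "(^|\\.)" brand "[^.]*\\."   # brand at the start of a label
            tail = "." legit                        # suffix of vendor-owned hosts
        }
        {
            name = tolower($NF)
            sub(/\.$/, "", name)                    # strip FQDN trailing dot
            if (name !~ brand_re) next              # not brand-themed
            if (name == legit) next                 # the vendor domain itself
            if (substr(name, length(name) - length(tail) + 1) == tail) next  # vendor subdomain
            flagged++
            print "SUSPECT: " $0
        }
        END { exit (flagged ? 0 : 1) }'
}

# Usage: sh dns_lookalikes.sh resolver.log
if [ $# -gt 0 ]; then
    flag_lookalike_queries < "$1"
fi
```

The return code makes the function usable as a gate in a cron job or SIEM pre-filter; the SUSPECT lines carry the original log text so the querying host can be followed up directly.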
Enterprise Developers Urged to Monitor Download Sources
The malicious Termius build functions identically to the official app while silently setting up persistent access for follow-on activity. Security researchers stress that the campaign is another example of how trusted applications can be turned into threat vectors.
“The latest variant of macOS.ZuRu continues the threat actor’s pattern of trojanizing legitimate macOS applications used by developers and IT professionals,” SentinelOne stated.
For organizations that obtain developer tools through third-party channels or search-engine ads, this is a serious warning. Downloading apps only from the vendor's verified sources, checking the code signature against the vendor's signing identity before first launch, and monitoring for unusual network activity, including DNS lookups for lookalike domains, are the critical first steps in blocking similar threats.