ZuRu malware targeting macOS via Termius SSH client

A new variant of the macOS.ZuRu malware has been discovered, utilizing a compromised version of the Termius SSH client to covertly turn developer workstations into remote access points. This malware, first identified in late May 2025, disguises itself within a rogue installer, embedding malicious binaries that enable persistent control over affected systems.

The malware employs a modified Khepri command-and-control beacon, which communicates every five seconds, allowing attackers to execute commands and transfer files. By altering the developer signature, it bypasses macOS security measures, posing significant risks to IT professionals and software engineers who use third-party terminals.
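The five-second check-in described above is the kind of regular cadence that stands out in network telemetry. The following detector is an added example written for this page (not code from the researchers, from Termius, or from the malware): it reads constructed flow-log lines, groups connections by source and destination, and flags pairs whose inter-arrival gaps are tightly clustered. The log lines, the TEST-NET addresses, and the thresholds are all assumptions.

```python
"""Surface fixed-interval beaconing from a simple flow log.

Added example for this page. The log below is constructed (203.0.113.x and
198.51.100.x are documentation/TEST-NET ranges, not real C2 servers), and the
thresholds are assumptions to tune against real data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src dst:port", one outbound connection per line.
# 10.0.0.5 shows a rigid 5-second cadence; 10.0.0.7 shows ordinary irregular traffic.
SAMPLE_LOG = """\
2025-05-30T10:00:00 10.0.0.5 203.0.113.10:443
2025-05-30T10:00:05 10.0.0.5 203.0.113.10:443
2025-05-30T10:00:10 10.0.0.5 203.0.113.10:443
2025-05-30T10:00:15 10.0.0.5 203.0.113.10:443
2025-05-30T10:00:20 10.0.0.5 203.0.113.10:443
2025-05-30T10:00:25 10.0.0.5 203.0.113.10:443
2025-05-30T10:00:01 10.0.0.7 198.51.100.20:443
2025-05-30T10:00:19 10.0.0.7 198.51.100.20:443
2025-05-30T10:00:22 10.0.0.7 198.51.100.20:443
2025-05-30T10:01:40 10.0.0.7 198.51.100.20:443
2025-05-30T10:02:03 10.0.0.7 198.51.100.20:443
2025-05-30T10:02:05 10.0.0.7 198.51.100.20:443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst:port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_events=5, max_jitter_ratio=0.2):
    """Return {(src, dst): mean_interval_seconds} for pairs that look like beacons.

    A pair is flagged when it has at least min_events connections and the
    coefficient of variation of its inter-arrival gaps (stdev / mean) is at
    most max_jitter_ratio, i.e. the gaps are nearly constant.
    """
    hits = {}
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        ordered = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter_ratio:
            hits[key] = avg
    return hits


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: regular cadence, ~{interval:.1f}s between connections")
```

On the constructed log only the 10.0.0.5 pair is reported, with a 5.0-second mean interval. Legitimate software (update checks, health probes, NTP) also beacons on fixed timers, so a hit is a triage lead to be joined with process and code-signing context rather than a verdict on its own.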

This variant highlights the dangers of using pirated or tampered applications, as it can maintain access even after system reboots.