macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

July 13, 2025, 10:47 a.m.

Description

A new variant of the macOS.ZuRu malware has been discovered, targeting users through a trojanized version of the Termius app. This backdoor, first observed in 2021, now uses a modified Khepri C2 framework for post-infection operations. The malware is delivered via a .dmg disk image containing a doctored copy of Termius.app. It adds two executables to the embedded Termius Helper.app, using a new method to trojanize legitimate applications. The malware establishes persistence via a LaunchDaemon and includes an MD5-based updater mechanism. The payload retrieved from the C2 is a modified Khepri beacon with capabilities for file transfer, system reconnaissance, and command execution. The threat actor continues to target developers and IT professionals, adapting its techniques to evade detection.

Date

  • Created: July 10, 2025, 5:53 p.m.
  • Published: July 10, 2025, 5:53 p.m.
  • Modified: July 13, 2025, 10:47 a.m.

Indicators

  • download.termius.info
  • ctl01.termius.fun
  • download.finalshell.cc
  • ctl01.macnavicat.com

Attack Patterns