Malware

macOS.ZuRu

macOS.ZuRu is a macOS backdoor malware family distributed via poisoned Baidu search results and trojanized versions of legitimate applications used by developers and IT professionals. Recent SentinelOne reporting describes a re-emergent variant concealed in a trojanized Termius SSH client delivered as a malicious .dmg disk image. In this campaign, the fake Termius app included a modified Termius Helper component embedding a loader named .localized, which fetched a Khepri-based command-and-control beacon from download.termius[.]info and wrote it to /tmp/.fseventsd. The beacon was reported to communicate with ctl01.termius[.]fun. Compared with older ZuRu samples that relied on dylib injection, the newer variant embeds the loader directly in the application bundle. Reported capabilities include remote control, file transfer, system reconnaissance, process control, and command execution through the open-source Khepri toolkit. The malware also checks for existing installations, compares MD5 hashes, and updates itself if needed. Persistence was established via a malicious LaunchDaemon using the fake label com.apple.xssooxxagent, executing a copy of .localized every hour from /Users/Shared/com.apple.xssooxxagent. Supporting content also notes that macOS.ZuRu campaigns targeted Web3 and cryptocurrency-related platforms and were attributed to China.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

2 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app1 year ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

sentinelone blogNews

Jan 6, 2026

12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review

macOS.ZuRu is a macOS backdoor that uses a modified Khepri C2 framework, distributed via a trojanized Termius SSH client.

sentinelone blogNews

Jul 11, 2025

The Good, the Bad and the Ugly in Cybersecurity – Week 28

macOS.ZuRu is a backdoor malware targeting macOS systems, distributed via trojanized legitimate applications (such as Termius SSH client). It uses a modified Khepri C2 beacon for remote control, enabling attackers to transfer files, perform system reconnaissance, control processes, and execute commands. It features persistence mechanisms and self-update capabilities.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching2

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.