Zuru malware slips into macOS using fake apps, puts Apple developers at risk

Zuru malware targets macOS developers through trojanized apps such as Termius and iTerm2, using stealthy C2 channels and Apple Silicon exploits. Trust is no longer enough: verify every install, or risk handing over your infrastructure without knowing it.

Harsh Sharma

Advanced threat campaign abuses macOS trust models to deploy data-stealing payloads via trojanized developer tools.

The new normal for macOS malware

For years, macOS users have felt immune to the malware arms race. That’s no longer true. Security researchers at SentinelOne discovered a malware variant, called Zuru, that infects macOS systems via modified applications. Unlike traditional malware, Zuru spreads stealthily through tools used by Apple developers and IT administrators, a significant escalation in macOS-focused threats.

Zuru is not opportunistic; it picks its targets like a sniper.

It trojanizes high-value software: Termius, iTerm2, Navicat, and Microsoft Remote Desktop, tools whose users typically hold elevated system access. What’s most disturbing about this infection vector is that it targets current macOS hardware: Apple Silicon (arm64) systems running macOS Sonoma 14.1 or later.

How Zuru infects

Zuru spreads through Trojanized apps via search engine poisoning. Cybercriminals buy ad placements, often on Chinese search engines like Baidu, to redirect users to fake download pages. There, seemingly legitimate apps are bundled with extra executables hidden deep within the application structure.

For example, the manipulated Termius SSH client carries embedded binaries such as .localized and .Termius Helper 1, hidden inside the app’s helper components. These payloads are not injected through libraries, as in older Zuru versions. Instead, they ship preinstalled in the app bundle, so the malware launches as soon as the app runs, without raising any alarms.

What happens after infection?

Once launched, Zuru installs itself persistently using LaunchDaemons and disguises the service under names like com.apple.xssooxxagent. From there, the malware fetches a customized Khepri C2 beacon from domains like download.termius[.]info, allowing attackers to:

  • Execute shell commands

  • Transfer files

  • Control processes

  • Perform full system reconnaissance.

The malware communicates over encrypted channels and even mimics legitimate DNS traffic to avoid detection. SentinelOne researchers confirmed the implant is tailored for macOS Sonoma, a sign of precise targeting.

Developers in the crosshairs

This is not a broad infection campaign. It’s about targeting people who have the keys to the enterprise. Developers and IT pros, especially those in DevOps or backend system roles, are Zuru’s primary targets. Their tools, access rights, and stored credentials are the backdoor into the corporate network.

Although SentinelOne has not seen Zuru linked to malicious Xcode projects, as in XcodeSpy, the implication is clear. Developer environments are the attack surface.


Detection and mitigation tips

Security teams and developers alike should treat Zuru as a wake-up call. Here is how to stay ahead.

✅ Before installing apps

  • Only download apps from official vendor websites or the Mac App Store.

  • Validate file sizes; for example, Termius should be around 225 MB, while malicious versions are larger.

  • Check code signatures using codesign -dvvv.

🔍 After installation

  • Scan for suspicious files in /Users/Shared and ~/Library/LaunchAgents.

  • Use tools like LuLu, KnockKnock, or BlockBlock to detect outgoing C2 traffic or persistence agents.

  • Monitor system logs for unexplained processes or network activity.

🧰 Additional tools

  • fs_usage to detect file system changes

  • networksetup to inspect proxy settings

  • log show to review XProtect activity.
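The pre-install and post-install checks above, together with the LaunchDaemons persistence described under "What happens after infection?", can be scripted. The following Python script is an added example, not code from the article or from SentinelOne. It builds a fake app bundle and launch item in a temporary directory (constructed sample data, not real Zuru artefacts, although the label com.apple.xssooxxagent and the .localized filename come from the article) and flags three things: a dotfile inside the bundle that is really a Mach-O binary (a genuine .localized marker is an empty text file), a launch item whose label mimics Apple's but lives outside /System or runs a program from /Users/Shared, and a bundle larger than the vendor's published size. The 10% size tolerance, the demo paths and the helper-directory layout are assumptions. It complements, and does not replace, codesign -dvvv, which still has to be run on the Mac itself.

```python
"""Added example: triage script for the Zuru-style indicators the article lists.
Sample bundle, plist and paths are constructed for the demo, not real artefacts."""
import os
import plistlib
import tempfile

# Mach-O and universal (fat) binary magic numbers, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit (arm64 on Apple Silicon)
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat / universal
}
# Assumed: places a legitimate launch item should never execute from.
SUSPICIOUS_PROGRAM_DIRS = ("/Users/Shared", "/tmp", "/private/tmp")


def is_macho(path):
    """True if the file begins with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_hidden_executables(app_path):
    """Dotfiles inside the bundle that are actually Mach-O binaries (e.g. an
    executable `.localized`), which is a strong sign of a bundled payload."""
    hits = []
    for root, _dirs, files in os.walk(app_path):
        for name in files:
            if name.startswith(".") and is_macho(os.path.join(root, name)):
                hits.append(os.path.join(root, name))
    return sorted(hits)


def bundle_size_mb(app_path):
    """Total size of all files in the bundle, in MiB."""
    total = sum(os.path.getsize(os.path.join(r, n))
                for r, _d, fs in os.walk(app_path) for n in fs)
    return total / (1024 * 1024)


def oversized(app_path, expected_mb, tolerance=0.10):
    """True if the bundle exceeds the vendor's known size by more than tolerance."""
    return bundle_size_mb(app_path) > expected_mb * (1 + tolerance)


def find_suspicious_launch_items(launch_dirs):
    """Parse every .plist in the given LaunchAgents/LaunchDaemons directories and
    return (path, label, reason) for items that claim a com.apple.* label outside
    /System (heuristic: Apple's own items live under /System/Library) or run a
    program from a shared/temp directory or a hidden file."""
    findings = []
    for d in launch_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    item = plistlib.load(f)
            except Exception:
                findings.append((path, "", "unparseable plist"))
                continue
            label = str(item.get("Label", ""))
            args = item.get("ProgramArguments") or [item.get("Program", "")]
            program = str(args[0]) if args else ""
            if label.startswith("com.apple.") and not d.startswith("/System/"):
                findings.append((path, label, "Apple-style label outside /System"))
            if program.startswith(SUSPICIOUS_PROGRAM_DIRS) or \
                    os.path.basename(program).startswith("."):
                findings.append((path, label, "program in shared/temp dir or hidden file"))
    return findings


def build_demo(base):
    """Construct a fake trojanized Termius.app and a disguised LaunchDaemon (sample data)."""
    helpers = os.path.join(base, "Termius.app", "Contents", "Helpers")
    os.makedirs(helpers, exist_ok=True)
    macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 60  # arm64 Mach-O magic plus padding
    with open(os.path.join(helpers, ".localized"), "wb") as f:
        f.write(macho64)                     # hidden payload masquerading as a marker
    with open(os.path.join(helpers, "Termius Helper"), "wb") as f:
        f.write(macho64)                     # ordinary, non-hidden helper binary
    daemons = os.path.join(base, "Library", "LaunchDaemons")
    os.makedirs(daemons, exist_ok=True)
    with open(os.path.join(daemons, "com.apple.xssooxxagent.plist"), "wb") as f:
        plistlib.dump({"Label": "com.apple.xssooxxagent",
                       "ProgramArguments": ["/Users/Shared/.xssooxxagent"],  # constructed path
                       "RunAtLoad": True}, f)
    return os.path.join(base, "Termius.app"), [daemons]


def run_demo():
    """Build the sample data in a temp dir and return the triage results."""
    app, dirs = build_demo(tempfile.mkdtemp())
    return {
        "hidden": [os.path.basename(p) for p in find_hidden_executables(app)],
        "oversized": oversized(app, 225),   # article: genuine Termius is about 225 MB
        "launch": [(lbl, why) for _p, lbl, why in find_suspicious_launch_items(dirs)],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real Mac, point find_hidden_executables at the downloaded .app and find_suspicious_launch_items at /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents; the demo bundle is tiny, so the size check reports nothing, whereas a trojanized download would exceed the published size.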

SentinelOne’s Comments

“Don’t run build scripts without verifying,” says Phil Stokes, a threat researcher at SentinelOne. “Verify every single file, even when the project looks clean. And don’t forget to verify binary blobs and anything obscured by post-installation commands.” The company notes developers should check all build phases in the Xcode project structure, especially Run Scripts, and check any cloned repositories from GitHub on a regular basis.

Final thoughts

Zuru shows that macOS is no longer on the sidelines of the malware discussion. The malware authors in this campaign are not just after data; they are after infrastructure, workflows, and access. For Apple developers and other power users, the takeaway is simple: “trust but verify.” Your development toolchain could be the next infection vector, one you don’t notice until it’s too late.
