A new SentinelOne report reveals new artifacts related to ZuRu, an Apple macOS malware. ZuRu sometimes spreads via trojanized versions of legitimate software. In May 2025, the malware was observed mimicking a cross-platform SSH client and server management tool called Termius.
Initially documented in September 2021, ZuRu was involved in a campaign hijacking searches for iTerm2 (a macOS Terminal app). ZuRu predominantly relies on sponsored web searches to spread, suggesting the malicious actors responsible for this malware are opportunistic rather than targeted.
Below, security leaders share insights on this malware as well as risk mitigation strategies.
Security Leaders Weigh In
Ms. Nivedita Murthy, Senior Staff Consultant at Black Duck:
macOS users should be wary of the evolving ZuRu trojan, which is being embedded in legitimate software. To protect themselves, users should adhere to software security best practices, such as downloading applications from trusted sources like the App or Play Store, keeping software up-to-date, and avoiding suspicious links. Software is an essential driver of growth and innovation at every company; therefore, IT departments should implement stricter controls on software installation, including limiting who can install software and from where. When updating software, a thorough review should be conducted to ensure that it doesn’t introduce new, undocumented functionality or compromise company data.
Heath Renfrow, Chief Information Security Officer and Co-founder at Fenix24:
The core issue isn’t a novel vulnerability in macOS — it’s social engineering. Organizations must double down on user education to reinforce that all software, even widely used free tools, should only be downloaded from verified developer websites or trusted app stores. Avoiding sponsored links in search results is critical.
ZuRu uses a modified version of the Khepri post-exploitation framework, meaning EDR tools capable of behavioral analytics (like CrowdStrike Falcon, SentinelOne, or eSentire) are essential. This isn’t just about detecting initial access — it’s about visibility into privilege escalation, persistence, and lateral movement. Teams should proactively threat hunt for indicators of modified .app bundles and unusual process behavior related to Terminal utilities.
Mac admins should enforce code signing policies and use MDM solutions to restrict the execution of unsigned or improperly signed apps. While Apple’s Gatekeeper helps, in enterprise settings, more granular controls are often needed to stop ad hoc-signed binaries from executing.
Organizations often lack a tested IR playbook for macOS. This resurgence is a reminder to develop specific detection and response protocols for Apple endpoints — especially as more remote and hybrid workers rely on macOS tools for SSH, RDP, and database access.
Bottom line:
ZuRu’s distribution method and tooling indicate it’s less about targeting specific organizations and more about casting a wide net over users downloading administrative tools. The “fix” is layered: security controls, endpoint visibility, user discipline, and a plan for what to do when a Mac is compromised.
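One way to turn the "hunt for modified .app bundles and ad hoc-signed binaries" advice above into a check, as an added example that is not from the SentinelOne report or the quoted commentators: classify each bundle by the text that macOS's own `codesign -dv --verbose=4` prints and flag anything that is unsigned, ad hoc-signed, or signed by a Team ID outside an allowlist. The allowlist, bundle identifiers, paths, and the sample codesign output are assumptions constructed for the example.

```shell
# Classification runs on codesign's text output, so the logic can be exercised
# on constructed samples without a Mac; only audit_app_bundle needs macOS.
ALLOWED_TEAM_IDS="${ALLOWED_TEAM_IDS:-TEAMID0000}"   # assumed allowlist of Team IDs

# Classify codesign output: unsigned | adhoc | no-team | developer | unknown.
# Order matters: an ad-hoc signature also reports "TeamIdentifier=not set".
classify_codesign_output() {
    case "$1" in
        *"not signed at all"*)       echo unsigned ;;
        *"Signature=adhoc"*)         echo adhoc ;;
        *"TeamIdentifier=not set"*)  echo no-team ;;
        *"TeamIdentifier="*)         echo developer ;;
        *)                           echo unknown ;;
    esac
}

# Print "ok" only for a developer signature whose Team ID is on the allowlist;
# anything else (unsigned, ad hoc, unexpected team) is flagged for review.
signature_verdict() {
    cls=$(classify_codesign_output "$1")
    if [ "$cls" != developer ]; then echo "FLAG:$cls"; return; fi
    team=$(printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p')
    case " $ALLOWED_TEAM_IDS " in
        *" $team "*) echo ok ;;
        *)           echo "FLAG:unexpected-team:$team" ;;
    esac
}

# Run codesign against one bundle and print "<verdict>\t<path>" (macOS only).
audit_app_bundle() {
    out=$(codesign -dv --verbose=4 "$1" 2>&1) || true
    printf '%s\t%s\n' "$(signature_verdict "$out")" "$1"
}

# Constructed samples in codesign's output format (not captured from real apps).
SAMPLE_ADHOC='Identifier=com.example.termius
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set'
SAMPLE_DEV='Identifier=com.example.termius
Authority=Developer ID Application: Example Corp (TEAMID0000)
TeamIdentifier=TEAMID0000'
SAMPLE_UNSIGNED='/Applications/Termius.app: code object is not signed at all'

if [ "${1:-}" = "--scan" ]; then      # sh audit.sh --scan  (on a Mac)
    for app in /Applications/*.app; do audit_app_bundle "$app"; done
fi
```

Apple's own system apps also report `TeamIdentifier=not set`, so the `no-team` class needs a separate exception list in practice rather than being treated as malicious on sight.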
Eric Schwake, Director of Cybersecurity Strategy at Salt Security:
Although the macOS ZuRu malware is primarily a concern for endpoint and supply chain security, its broader implications affect an organization’s overall security, especially regarding APIs.
The risk lies in how compromised endpoints can directly access critical systems and data, much of which is managed and accessed through APIs. For example, trojanized tools such as SSH clients or database utilities can be used to steal credentials or remotely control systems. Attackers can then exploit legitimate API access to backend servers, cloud environments, and sensitive databases, enabling them to execute unauthorized commands, exfiltrate data, or alter services via APIs.
To defend against these threats, organizations should adopt a multi-layered security strategy. This includes strict software supply chain controls to prevent malicious applications from entering the environment, advanced Endpoint Detection and Response (EDR) tools to identify and quarantine malware such as ZuRu, and strong Identity and Access Management (IAM) to safeguard credentials. Crucially, robust API posture governance ensures APIs are designed with least privilege and configured properly from the outset, complementing behavioral threat detection capabilities that actively monitor for suspicious API activity originating from potentially compromised endpoints. Such a comprehensive approach helps ensure that even if an endpoint is compromised, ongoing attempts to misuse credentials or access APIs are detected and blocked.