You Wanted Secure SSH—You Got a Backdoor. Check Termius: Chinese Hackers Replaced the Original on macOS

Thought digital signatures protected you? Think again.

Researchers from SentinelOne have uncovered new traces of the ZuRu malware targeting macOS users. Its primary distribution method? Spoofing popular macOS apps—this time, by impersonating Termius, a cross-platform SSH client.

ZuRu’s Evolution: From Fake iTerm2 to Termius

  • September 2021: First spotted on Chinese forum Zhihu, spreading via fake iTerm2 installers.
  • January 2024: Jamf Threat Labs found it masquerading as cracked versions of Microsoft Remote Desktop, SecureCRT, and Navicat.
  • May 2025: New wave detected—hackers distributed a modified Termius.dmg with a backdoored helper app.

How the Attack Works

The fake Termius.app bundle contained two malicious executables:
  1. .localized – A downloader fetching Khepri (a remote access beacon).
  2. .Termius Helper1 – A trojanized version of Termius’s helper tool.

Bypassing macOS Security

  • The attackers removed the original developer signature and replaced it with a temporary self-signed one, tricking Gatekeeper.
  • Unlike previous attacks (which relied on .dylib injection), this version embeds malware inside a legitimate app’s helper tool.

Persistence Mechanism

  • Checks whether the malware is already installed by looking for its marker at /tmp/.fseventsd.
  • Compares the local file hash with one served by a remote server; if they differ, it downloads an updated payload.

Khepri: A Powerful RAT (Remote Access Trojan)

  • Exfiltrates files, scans system specs, executes arbitrary commands.
  • C2 Server: ctl01.termius[.]fun
  • Payload Host: download.termius[.]info

Why This Matters

  • Developers & IT pros are prime targets—ZuRu consistently abuses trusted tools (iTerm2, Termius, Remote Desktop).
  • Digital signatures aren’t foolproof—attackers can strip and replace them.
  • Persistence via helper apps makes detection harder.

How to Protect Yourself

✅ Download apps only from official sources (Termius’s website, App Store).
✅ Verify checksums & signatures before installation.
✅ Use endpoint protection (SentinelOne, Jamf, etc.) to detect tampered apps.
✅ Monitor network traffic for suspicious domains (e.g., *.termius[.]fun).
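The checks in the list above (signature verification, the /tmp/.fseventsd marker from the persistence section, and the termius[.]fun / termius[.]info domains from the Khepri section) can be scripted for a quick host triage. The script below is an added example written for this post; it is not SentinelOne's, Jamf's or Termius's code. It assumes the `Authority=` / `TeamIdentifier=` line format of `codesign -dvv` output and treats dot-prefixed executables inside Contents/MacOS as suspicious (the post names `.localized` and `.Termius Helper1`). The bundle identifier and Team ID in the sample transcripts are placeholders, and the DNS log lines are constructed.

```shell
#!/usr/bin/env bash
# Added triage helpers for the ZuRu/Termius indicators described in the post.
# Example code for this post, not from SentinelOne, Jamf or Termius.
# Assumption: codesign -dvv prints one "Authority=" line per certificate in the
# chain and a "TeamIdentifier=" line; a genuine Developer ID signature chains
# to "Apple Root CA" and carries a Team ID, an ad-hoc or self-signed
# replacement does not.  Indicator paths and domains come from the post.
set -u

# 1. Judge a codesign -dvv transcript.  Returns 0 when the signature looks
#    like a real Developer ID signature, 1 when it was stripped and replaced.
signature_looks_legit() {
  transcript="$1"
  case "$transcript" in
    *"Signature=adhoc"*) return 1 ;;            # no certificate at all
  esac
  printf '%s\n' "$transcript" | grep -q '^Authority=Apple Root CA$' || return 1
  printf '%s\n' "$transcript" | grep -q '^TeamIdentifier=not set$' && return 1
  return 0
}

# 2. List dot-prefixed executables hidden in a bundle's Contents/MacOS.
#    A legitimate bundle normally has none there.
hidden_executables() {
  find "$1/Contents/MacOS" -maxdepth 1 -type f -name '.*' -perm -100 2>/dev/null | sort
}

# 3. Look for the persistence marker (/tmp/.fseventsd in the post).  The root
#    is a parameter so the check can run against a scratch tree; use "" for /.
persistence_marker_present() {
  [ -e "${1:-}/tmp/.fseventsd" ]
}

# 4. Flag DNS/proxy log lines naming the campaign's infrastructure
#    (de-fanged in the post as termius[.]fun and termius[.]info).
flag_ioc_lines() {
  grep -Ei 'termius\.(fun|info)([^[:alnum:]]|$)'
}

# Constructed sample data (placeholder bundle id and Team ID).
LEGIT_TRANSCRIPT='Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
Authority=Developer ID Application: PLACEHOLDER VENDOR (PLACEHOLDERID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDERID'
SELFSIGNED_TRANSCRIPT='Executable=/Volumes/Termius/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
Authority=Termius
TeamIdentifier=not set'
ADHOC_TRANSCRIPT='Executable=/Volumes/Termius/Termius.app/Contents/MacOS/Termius
Identifier=com.example.termius
Signature=adhoc
TeamIdentifier=not set'
SAMPLE_DNS_LOG='2025-05-12T10:01:02Z query A github.com from 10.0.0.5
2025-05-12T10:01:09Z query A ctl01.termius.fun from 10.0.0.5
2025-05-12T10:01:10Z query A www.termius.com from 10.0.0.6
2025-05-12T10:02:44Z query A download.termius.info from 10.0.0.5'

# Build a scratch tree mimicking the trojanized bundle layout from the post.
make_fake_bundle() {
  mkdir -p "$1/Termius.app/Contents/MacOS" "$1/tmp"
  for f in "Termius" ".localized" ".Termius Helper1"; do
    : > "$1/Termius.app/Contents/MacOS/$f"
    chmod 755 "$1/Termius.app/Contents/MacOS/$f"
  done
  : > "$1/tmp/.fseventsd"
}

# Stand-alone demonstration against the scratch tree and sample data.
main() {
  scratch=$(mktemp -d)
  make_fake_bundle "$scratch"
  signature_looks_legit "$LEGIT_TRANSCRIPT" && echo "legit transcript: signature chains to Apple"
  signature_looks_legit "$SELFSIGNED_TRANSCRIPT" || echo "self-signed transcript: replaced signature"
  echo "hidden executables in scratch bundle:"; hidden_executables "$scratch/Termius.app"
  persistence_marker_present "$scratch" && echo "persistence marker present"
  echo "IoC hits in sample log:"; printf '%s\n' "$SAMPLE_DNS_LOG" | flag_ioc_lines
  rm -rf "$scratch"
}
main "$@"
```

On a real Mac, feed `signature_looks_legit` the output of `codesign -dvv /Applications/Termius.app 2>&1` (codesign writes its details to stderr), point `hidden_executables` at the installed bundle, call `persistence_marker_present ""` to check the live /tmp, and pipe your resolver or proxy logs through `flag_ioc_lines`. A replaced signature, a hidden helper and a marker file together are the pattern the post describes; any one of them alone is a reason to re-download from the vendor's site and compare checksums.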

The Bigger Picture

This isn’t just about Termius—ZuRu’s tactics show how easily trusted software can be weaponized. As macOS gains market share, expect more sophisticated supply-chain attacks.
Lesson learned? Even "secure" apps can be backdoored. Stay paranoid.

TL;DR:
Chinese hackers are spoofing Termius on macOS with a backdoored version that installs the Khepri RAT. They bypass Apple’s checks by replacing the dev signature and hiding malware in helper tools. Verify your downloads!