macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A new variant of the macOS.ZuRu backdoor has been discovered, delivered through a trojanized build of Termius, an SSH client used by developers and IT staff. First documented in 2021, the backdoor now uses a modified Khepri C2 framework for post-infection operations. Delivery is via a .dmg disk image containing a tampered Termius.app: the variant adds two executables to the embedded Termius Helper.app, a new approach to trojanizing the legitimate application. Persistence is established through a LaunchDaemon, and the malware includes an MD5-based updater mechanism for its payload. The payload fetched from the C2 is a modified Khepri beacon capable of file transfer, system reconnaissance, and command execution. The threat actor continues to target developers and IT professionals and keeps adapting its techniques to evade detection.
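The two host artifacts the summary names, a LaunchDaemon for persistence and extra executables inside Termius Helper.app, are the natural hunting points. The following helpers are added here as example code, not code from the report, from SentinelOne, or from the OpenCTI page: they parse launchd plists and flag ones whose program lives inside a Termius bundle or has a dot-prefixed (hidden) name, and they diff a Helper.app Contents/MacOS listing against the executables you expect. Every label, path and file name in the sample data is constructed for illustration; none is an indicator from the report.

```python
# Added hunting helpers (example code, not from the report or the OpenCTI page).
# Labels, paths and file names below are constructed, not indicators of compromise.
import os
import plistlib
from typing import Iterable, List, Optional

# Constructed LaunchDaemon plists (hypothetical labels and paths).
BENIGN_DAEMON = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/local/bin/example-updater", "--daemon"],
    "RunAtLoad": True,
})
SUSPICIOUS_DAEMON = plistlib.dumps({
    "Label": "com.example.termius.helper",
    "ProgramArguments": [
        "/Applications/Termius.app/Contents/Frameworks/Termius Helper.app/Contents/MacOS/.helper",
        "-s",
    ],
    "RunAtLoad": True,
    "KeepAlive": True,
})


def daemon_program(plist_bytes: bytes) -> Optional[str]:
    """Return the executable a launchd plist runs: Program, else ProgramArguments[0]."""
    d = plistlib.loads(plist_bytes)
    if d.get("Program"):
        return d["Program"]
    args = d.get("ProgramArguments") or []
    return args[0] if args else None


def is_suspicious_daemon(plist_bytes: bytes, app_markers: Iterable[str] = ("termius",)) -> bool:
    """Flag a LaunchDaemon whose program sits inside an app bundle matching app_markers,
    or whose executable name is dot-prefixed (hidden from a casual ls/Finder look).
    LaunchDaemons run as root at boot; a GUI app's bundle is an odd home for one."""
    prog = daemon_program(plist_bytes)
    if not prog:
        return False
    lower = prog.lower()
    inside_bundle = ".app/contents/" in lower
    names_app = any(m.lower() in lower for m in app_markers)
    hidden_name = os.path.basename(prog).startswith(".")
    return (inside_bundle and names_app) or hidden_name


def extra_helper_executables(macos_entries: Iterable[str], expected: Iterable[str]) -> List[str]:
    """Names in a bundle's Contents/MacOS directory beyond the expected executable(s).
    The summary says the trojanized Termius Helper.app carries two added executables."""
    return sorted(set(macos_entries) - set(expected))


def scan_launch_daemons(dirpath: str = "/Library/LaunchDaemons") -> List[str]:
    """Walk a LaunchDaemons directory on a live host and return flagged plist paths."""
    hits: List[str] = []
    if not os.path.isdir(dirpath):
        return hits
    for name in sorted(os.listdir(dirpath)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(dirpath, name)
        try:
            with open(path, "rb") as fh:
                if is_suspicious_daemon(fh.read()):
                    hits.append(path)
        except (OSError, plistlib.InvalidFileException):
            continue
    return hits


if __name__ == "__main__":
    print("benign flagged:", is_suspicious_daemon(BENIGN_DAEMON))          # False
    print("suspicious flagged:", is_suspicious_daemon(SUSPICIOUS_DAEMON))  # True
    # Constructed listing of Termius Helper.app/Contents/MacOS with two added files.
    print(extra_helper_executables(["Termius Helper", ".helper", "updater"], ["Termius Helper"]))
    for hit in scan_launch_daemons():
        print("review:", hit)
```

Pair this with a signature check on the bundle itself: `codesign --verify --deep --strict --verbose=2 /Applications/Termius.app` fails on a bundle whose helper has been altered or had executables added, which is a faster first triage than any path heuristic. The hidden-name heuristic will also flag some legitimate dot-prefixed binaries, so treat hits as review candidates rather than verdicts.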
OPENCTI LABELS :
backdoor,macos,trojan,persistence,c2 beacon,khepri c2,khepri,termius,zuru,macos.zuru