Hackers target Apple’s Mac users with new malware hidden in popular apps
Cybercriminals embedded malicious code and remote-control tools in software used for server management and secure connections.
An Apple store in Manhattan Beach, Calif., on March 25, 2025. John Fredricks/The Epoch Times
Reporter
A new variant of macOS malware known as ZuRu is targeting Apple users by embedding malicious code and a hacking tool into popular utilities used for remote connections and server management, cybersecurity researchers have warned.
First discovered in 2021, ZuRu has evolved over time and can now infect more apps and in new ways, cybersecurity firm SentinelOne said in a July 10 alert. Notably, the latest strain only works on Macs running the Sonoma 14.1 operating system, which Apple launched in October 2023, or Sequoia, its latest operating system.
Earlier versions of ZuRu were found hidden inside both pirated and legitimate copies of popular tools used by developers and IT professionals such as SecureCRT, Navicat, and Microsoft Remote Desktop for Mac. Most recently, the malware was found in a trojanized version of Termius, an app used for managing remote servers and secure network connections.
“This recent sample uses a new method to trojanize legitimate applications,” wrote Phil Stokes and Dinesh Devadoss, cybersecurity researchers at SentinelOne. They noted that the Trojanized version of Termius has had malicious code added to it, along with a helper program called a command-and-control (C2) implant, which allows attackers to remotely control infected Macs.
This particular C2 implant is based on Khepri, an open-source hacking tool designed to let attackers run commands and gather information from a compromised system, the researchers said. Once installed, the implant gives hackers powerful capabilities, including transferring files to or from the victim’s computer, running or controlling programs on the infected Mac, and executing commands and capturing whatever results or data those commands produce.
“The latest variant of macOS.ZuRu continues the threat actor’s pattern of trojanizing legitimate macOS applications used by developers and IT professionals,” the researchers noted. They added that attackers appear to have shifted from earlier, simpler methods to embedding malware in helper applications, likely in an effort to bypass modern security detection measures.
Related Stories
Apple Announces New App Store Policies, Charges to Avoid Further European Fines
ZuRu was initially reported by a Chinese blogger, and its distribution has included poisoned search results on Baidu—a possible indication of a Chinese-language or China-based operation. SentinelOne researchers said the malware’s command-and-control infrastructure uses Alibaba Cloud IP addresses, suggesting the attackers are renting servers hosted in China. This alone does not confirm the hackers’ nationality or affiliations, however, since such infrastructure can be leased by anyone worldwide.
Meanwhile, the FBI warned last year that hackers linked to the Chinese Communist Party (CCP) have infiltrated critical U.S. infrastructure and are waiting for the right time to strike. Then-FBI Director Christopher Wray said that China-backed hacking groups have proliferated in recent years and been bolstered by the CCP’s military and intelligence agencies’ growing use of artificial intelligence.
Wray warned at the time that CCP-linked hackers’ focus had shifted from stealing intellectual property to penetrating a range of critical sectors, including energy, telecommunications, and water, giving the Chinese regime “the ability to wait for just the right moment to deal a devastating blow.”
More recently, the FBI and three other federal agencies warned of potential Iranian cyberattacks against critical U.S. infrastructure.
If you found this article interesting, please consider supporting traditional journalism
As an independent media without a corporate or billionaire backer, The Epoch Times continues to operate thanks to readers like you.
If you're committed to supporting independent journalism, please consider subscribing—our limited-time introductory offer is just $1 per week.