New ZuRu Malware Variant Targeting Developers

A new SentinelOne report reveals new artifacts associated with ZuRu, a macOS malware family. ZuRu typically spreads via trojanized versions of legitimate software; in May 2025 it was observed impersonating Termius, a cross-platform SSH client and server management tool.
First documented in September 2021, ZuRu was then spreading through hijacked web searches for iTerm2, a macOS terminal application. Because ZuRu relies predominantly on sponsored search results to reach victims, the actors behind it appear to be opportunistic rather than targeting specific organizations.
Below, security leaders share insights on this malware as well as risk mitigation strategies.
Security Leaders Weigh In
Ms. Nivedita Murthy, Senior Staff Consultant at Black Duck:
macOS users should be cautious of the evolving ZuRu trojan, which is being embedded in legitimate software. To protect themselves, users should adhere to software security best practices, such as downloading applications from trusted sources like the App or Play Store, keeping software up-to-date, and avoiding suspicious links. Software is an essential driver of growth and innovation at every company; therefore, IT departments should implement stricter controls on software installation, including restricting who can install software and from where. When updating software, a thorough review should be conducted to ensure that it doesn’t introduce new, undocumented functionality or compromise company data.
Heath Renfrow, Chief Information Security Officer and Co-founder at Fenix24:
The core issue isn’t a novel vulnerability in macOS — it’s social engineering. Organizations must double down on user education to reinforce that all software, even widely used free tools, should only be downloaded from verified developer websites or trusted app stores. Avoiding sponsored links in search results is key.
ZuRu uses a modified version of the Khepri post-exploitation framework, meaning EDR tools capable of behavioral analytics (like CrowdStrike Falcon, SentinelOne, or eSentire) are essential. This is not just about detecting initial access — it’s about visibility into privilege escalation, persistence, and lateral movement. Teams should proactively threat hunt for signs of modified .app bundles and unusual process behavior related to Terminal utilities.
Mac admins should enforce code signing policies and use MDM solutions to restrict the execution of unsigned or improperly signed apps. While Apple’s Gatekeeper helps, in enterprise settings, more granular controls are often needed to stop ad hoc-signed binaries from executing.
Organizations often lack a tested IR playbook for macOS. This resurgence is a reminder to develop specific detection and response protocols for Apple endpoints — especially as more remote and hybrid workers rely on macOS tools for SSH, RDP, and database access.
Bottom line:
ZuRu’s distribution method and tooling indicate it’s less about targeting specific organizations and more about casting a wide net over users downloading administrative tools. The “fix” is layered: security controls, endpoint visibility, user discipline, and a plan for what to do when a Mac is compromised.
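The hunt Renfrow describes, checking installed .app bundles for missing, ad-hoc or broken signatures, can be scripted with Apple's own codesign and spctl tools. The script below is an added example written for this page; it is not code from the article, from SentinelOne's report or from any of the quoted experts. It assumes the standard codesign output fields ("Signature=adhoc", "Authority=...", "code object is not signed at all"); the sample strings used in the demo at the end are constructed, not captured from real malware.

```sh
#!/bin/sh
# Added example (not from the article or its quoted experts): triage macOS
# .app bundles for the signing states worth hunting for: unsigned, ad-hoc
# signed, tampered after signing, or rejected by Gatekeeper.

# classify_signature reads `codesign -dvv` output on stdin and prints one of
# unsigned | adhoc | signed | unknown. "signed" only means a certificate chain
# is present; trust and integrity are checked separately below.
classify_signature() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*) echo unsigned ;;
        *"Signature=adhoc"*)   echo adhoc ;;
        *"Authority="*)        echo signed ;;
        *)                     echo unknown ;;
    esac
}

# scan_apps DIR prints one tab-separated line per .app bundle under DIR:
#   <signature-state> <seal> <gatekeeper> <path>
# seal is ok|FAIL from `codesign --verify --deep --strict` (FAIL means the
# bundle contents no longer match what was signed, i.e. modified after signing);
# gatekeeper is accepted|rejected from `spctl --assess --type execute`.
# Requires macOS; on other systems it reports the missing tool and returns 2.
scan_apps() {
    dir=${1:-/Applications}
    command -v codesign >/dev/null 2>&1 || {
        echo "codesign not found; run this on macOS" >&2
        return 2
    }
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        state=$(codesign -dvv "$app" 2>&1 | classify_signature)
        if codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
            seal=ok
        else
            seal=FAIL
        fi
        if spctl --assess --type execute "$app" >/dev/null 2>&1; then
            gk=accepted
        else
            gk=rejected
        fi
        printf '%s\t%s\t%s\t%s\n' "$state" "$seal" "$gk" "$app"
    done
}

# flag_suspicious reads scan_apps lines on stdin and keeps only the bundles a
# hunter should open: anything that is not "signed + seal ok + accepted".
flag_suspicious() {
    tab=$(printf '\t')
    while IFS="$tab" read -r state seal gk path; do
        case "$state:$seal:$gk" in
            signed:ok:accepted) ;;
            *) printf '%s\t%s\t%s\t%s\n' "$state" "$seal" "$gk" "$path" ;;
        esac
    done
}

# Demo on constructed (not captured) codesign output so the classifier can be
# exercised on any platform; the real scan only runs where codesign exists.
printf 'Executable=/Applications/Demo.app/Contents/MacOS/Demo\nSignature=adhoc\n' \
    | classify_signature
if [ "$(uname)" = Darwin ]; then
    scan_apps "${1:-/Applications}" | flag_suspicious
fi
```

Run it as `sh scan_apps.sh /Applications` on a Mac; an ad-hoc signed bundle shows up as `adhoc`, and a Developer ID bundle that was repacked with an extra payload typically shows `signed FAIL rejected`, which is exactly the "modified .app bundle" case to pull for forensic review.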
Eric Schwake, Director of Cybersecurity Strategy at Salt Security:
Although the macOS ZuRu malware is primarily a concern for endpoint and supply chain security, its broader implications affect an organization’s overall security, especially regarding APIs.
The risk lies in how compromised endpoints can directly access critical systems and data, much of which is managed and accessed through APIs. For example, trojanized tools such as SSH clients or database utilities can be used to steal credentials or remotely control systems. Attackers can then exploit legitimate API access to backend servers, cloud environments, and sensitive databases, enabling them to execute unauthorized commands, exfiltrate data, or alter services via APIs.
To defend against these threats, organizations should adopt a multi-layered security strategy. This involves strict software supply chain controls to prevent malicious applications from entering the environment, advanced Endpoint Detection and Response (EDR) tools to identify and quarantine malware such as ZuRu, and strong Identity and Access Management (IAM) to safeguard credentials. Crucially, robust API posture governance ensures APIs are designed with least privilege and configured adequately from the outset, complementing behavioral threat detection capabilities that actively monitor for suspicious API activity originating from potentially compromised endpoints. Such a comprehensive approach helps ensure that even if an endpoint is compromised, ongoing attempts to misuse credentials or access APIs are detected and blocked.