macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App
Essential information
- Published: 10/07/2025 17:53
- Modified: 13/07/2025 10:47
- Tags: 2025-07-10 backdoor c2 beacon khepri khepri c2 macos macos.zuru persistence termius trojan zuru
- Related entities: 4 observables, 7 techniques (MITRE ATT&CK)
Description
A new variant of the macOS.ZuRu backdoor, first documented in 2021, is being distributed as a trojanized build of the Termius SSH client and now relies on a modified Khepri C2 framework for post-infection operations. The malware arrives as a .dmg disk image containing a tampered copy of Termius.app. Instead of the approach seen in earlier ZuRu samples, this variant trojanizes the legitimate application by planting two additional executables inside the embedded Termius Helper.app. Persistence is established through a LaunchDaemon, and the loader includes an MD5-based updater mechanism. The payload retrieved from the C2 is a modified Khepri beacon that provides file transfer, system reconnaissance and command execution. The threat actor continues to target developers and IT professionals and keeps adapting its tradecraft to evade detection.
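The two host artefacts the description names, a LaunchDaemon that launches something planted inside an application bundle and extra executables dropped into an embedded helper app, can both be hunted for with a short script. The following is an added example written for this page, not code from the report or from the malware; every path, launchd label and file name in it is constructed for the demo and is not an indicator from the analysis. It walks a LaunchDaemons directory and flags daemons whose program lives inside a `.app` bundle or in a user-writable location, and it walks an app bundle, including nested helper apps, listing anything in `Contents/MacOS` that the adjacent `Info.plist` does not declare as `CFBundleExecutable`. On a real host you would point `suspicious_launchdaemons` at `/Library/LaunchDaemons` and `undeclared_executables` at the installed bundle.

```python
"""Hunt for a LaunchDaemon pointing into an app bundle and for executables
added to a bundle (or its embedded helper app) that Info.plist never declared.
All paths, labels and file names are constructed for the demo, NOT report IOCs."""
from __future__ import annotations

import hashlib
import plistlib
import tempfile
from pathlib import Path

# Locations a root-level LaunchDaemon has no business executing from.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/",
                          "/var/folders/", "/private/var/folders/")


def program_path(plist: dict) -> str | None:
    """launchd accepts either Program or ProgramArguments; take whichever names the binary."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def suspicious_launchdaemons(daemon_dir: Path) -> list[tuple[str, str, str]]:
    """Return (plist name, program path, reason) for each daemon worth a second look."""
    findings = []
    for plist_file in sorted(daemon_dir.glob("*.plist")):
        try:
            plist = plistlib.loads(plist_file.read_bytes())
        except plistlib.InvalidFileException:
            findings.append((plist_file.name, "", "unparseable plist"))
            continue
        prog = program_path(plist)
        if not prog:
            continue
        if ".app/Contents/" in prog:
            findings.append((plist_file.name, prog, "daemon executes from inside an app bundle"))
        elif prog.startswith(USER_WRITABLE_PREFIXES):
            findings.append((plist_file.name, prog, "daemon executes from a user-writable location"))
    return findings


def undeclared_executables(bundle: Path) -> list[Path]:
    """Files in every Contents/MacOS (top-level bundle and nested helper apps)
    that the neighbouring Info.plist's CFBundleExecutable does not name."""
    extras = []
    for info in sorted(bundle.rglob("Info.plist")):
        contents = info.parent
        if contents.name != "Contents":
            continue
        declared = plistlib.loads(info.read_bytes()).get("CFBundleExecutable")
        macos = contents / "MacOS"
        if not macos.is_dir():
            continue
        for entry in sorted(macos.iterdir()):
            if entry.is_file() and entry.name != declared:
                extras.append(entry)
    return extras


def md5_digest(path: Path) -> str:
    """MD5 is adequate for matching known samples; it is not an integrity control."""
    return hashlib.md5(path.read_bytes()).hexdigest()


def build_demo(root: Path) -> tuple[Path, Path]:
    """Construct a throwaway LaunchDaemons dir and a bundle with a planted helper (demo data)."""
    daemons = root / "LaunchDaemons"
    daemons.mkdir()
    (daemons / "com.example.legit.plist").write_bytes(plistlib.dumps({
        "Label": "com.example.legit", "ProgramArguments": ["/usr/libexec/example"],
        "RunAtLoad": True}))
    planted = "/Applications/Example.app/Contents/Frameworks/Example Helper.app/Contents/MacOS/.update"
    (daemons / "com.example.updater.plist").write_bytes(plistlib.dumps({
        "Label": "com.example.updater", "ProgramArguments": [planted],
        "RunAtLoad": True, "KeepAlive": True}))
    bundle = root / "Example.app"
    helper = bundle / "Contents" / "Frameworks" / "Example Helper.app"
    for app, exe in ((bundle, "Example"), (helper, "Example Helper")):
        (app / "Contents" / "MacOS").mkdir(parents=True)
        (app / "Contents" / "Info.plist").write_bytes(plistlib.dumps({"CFBundleExecutable": exe}))
        (app / "Contents" / "MacOS" / exe).write_bytes(b"\xcf\xfa\xed\xfe legit")
    # Two executables planted beside the helper app's declared binary.
    (helper / "Contents" / "MacOS" / ".update").write_bytes(b"\xcf\xfa\xed\xfe planted-loader")
    (helper / "Contents" / "MacOS" / ".beacon").write_bytes(b"\xcf\xfa\xed\xfe planted-beacon")
    return daemons, bundle


def run_demo() -> dict:
    """Build the fixtures in a temp dir, run both hunts, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        daemons, bundle = build_demo(Path(tmp))
        extras = undeclared_executables(bundle)
        return {
            "daemons": suspicious_launchdaemons(daemons),
            "extras": [str(e.relative_to(bundle)) for e in extras],
            "md5": {e.name: md5_digest(e) for e in extras},
        }


if __name__ == "__main__":
    result = run_demo()
    for name, prog, why in result["daemons"]:
        print(f"[daemon] {name}: {prog} ({why})")
    for rel in result["extras"]:
        print(f"[bundle] undeclared executable {rel}")
```

The bundle walk deliberately descends into nested `.app` directories: checking only the top-level `CFBundleExecutable`, or only `codesign --verify` on the outer bundle without `--deep --strict`, would not look at files added inside a helper app. Treat the heuristics as triage, not verdicts; a hit still needs the binary examined and its hash compared against known samples.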