{
  "name": "macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App",
  "slug": "macoszuru-resurfaces-modified-khepri-c2-hides-inside-doctored-termius-app",
  "description": "A new variant of the macOS.ZuRu backdoor has been identified, targeting users through a trojanized build of the Termius app. First documented in 2021, the backdoor now uses a modified Khepri C2 framework for post-infection operations. The malware is delivered as a .dmg disk image containing a tampered copy of Termius.app: two executables are added to the embedded Termius Helper.app, reflecting a new technique for trojanizing legitimate applications. Persistence is established via a LaunchDaemon, and the malware includes an MD5-based update mechanism. The payload retrieved from the C2 is a modified Khepri beacon capable of file transfer, system reconnaissance, and command execution. The threat actor continues to target developers and IT professionals, adapting their techniques to evade detection.",
  "published": "2025-07-10T15:53:18+00:00",
  "created_at": "2025-07-10T15:53:18+00:00",
  "modified_at": "2025-07-13T08:47:55+00:00",
  "created_at_opencti": "2025-07-10T15:53:18+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-10",
    "backdoor",
    "c2 beacon",
    "khepri",
    "khepri c2",
    "macos",
    "macos.zuru",
    "persistence",
    "termius",
    "trojan",
    "zuru"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "download.termius.info"
      },
      {
        "id": "",
        "name": "ctl01.termius.fun"
      },
      {
        "id": "",
        "name": "download.finalshell.cc"
      },
      {
        "id": "",
        "name": "ctl01.macnavicat.com"
      }
    ],
    "attack_patterns": [
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://www.sentinelone.com/blog/macos-zuru-resurfaces-modified-khepri-c2-hides-inside-doctored-termius-app",
    "https://otx.alienvault.com/pulse/686ffe0e4f96bdedcb713829"
  ]
}