Negative
22Serious
Neutral
Optimistic
Positive
- Total News Sources
- 1
- Left
- 0
- Center
- 0
- Right
- 1
- Unrated
- 0
- Last Updated
- 15 hours ago
- Bias Distribution
- 100% Right


ZuRu Malware Infects macOS Apps Targeting Developers, Apple Silicon Systems
Cybercriminals have been increasingly targeting macOS users with a sophisticated malware variant known as ZuRu, which stealthily trojanizes legitimate applications used for server management and remote connections, such as Termius, SecureCRT, Navicat, and Microsoft Remote Desktop. This malware, which specifically targets Macs running the latest Sonoma 14.1 operating system, embeds malicious code and remote-control tools within the app bundles, allowing it to launch immediately upon execution without detection. Attackers distribute ZuRu through poisoned search engine results, redirecting users to fake download pages that offer compromised software with embedded malware payloads. ZuRu establishes persistent access by disguising itself under system-like service names and communicates with command-and-control servers using encrypted channels that mimic legitimate DNS traffic, making detection difficult. The attackers bypass macOS code-signing protections by replacing original developer signatures with their own, and the malware’s loader ensures the spread of uncorrupted payloads by verifying hash values and downloading updated versions when necessary. Security researchers emphasize that ZuRu continues to succeed in environments lacking robust endpoint protection, highlighting the growing threat to macOS users who previously felt relatively immune to such attacks.
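A defender-side check for the signature replacement described above, as an added example that is not from the article or any vendor: it parses `codesign -dv --verbose=4` style output and flags an ad hoc signature or a Team ID that differs from the one expected for that bundle. The bundle identifier, Team IDs and sample outputs are placeholders constructed for illustration.

```python
import re

# Hypothetical allowlist: bundle identifier -> Team ID the real vendor signs with.
# Placeholder values constructed for this example, not real vendor IDs.
EXPECTED_TEAM_IDS = {"com.example.sshclient": "ABCDE12345"}

# Constructed samples in the key=value layout of `codesign -dv --verbose=4 <App.app>`.
VENDOR_SIGNED = """\
Identifier=com.example.sshclient
Authority=Developer ID Application: Example Vendor Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
RE_SIGNED = """\
Identifier=com.example.sshclient
Authority=Developer ID Application: Other Party (ZZZZZ99999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999
"""
AD_HOC = """\
Identifier=com.example.sshclient
Signature=adhoc
TeamIdentifier=not set
"""

def parse_codesign(text):
    """Collect key=value fields; Authority repeats, so every key maps to a list."""
    fields = {}
    for key, value in re.findall(r"^(\w+)=(.*)$", text, flags=re.MULTILINE):
        fields.setdefault(key, []).append(value.strip())
    return fields

def assess(text, expected=EXPECTED_TEAM_IDS):
    """Return a list of findings; an empty list means the signer matches the allowlist."""
    f = parse_codesign(text)
    ident = (f.get("Identifier") or ["<missing>"])[0]
    team = (f.get("TeamIdentifier") or ["not set"])[0]
    findings = []
    if "adhoc" in f.get("Signature", []):
        findings.append("ad hoc signature (no certificate chain)")
    if ident not in expected:
        findings.append(f"bundle id {ident} not in allowlist")
    elif team != expected[ident]:
        findings.append(f"Team ID {team} != expected {expected[ident]}")
    return findings

if __name__ == "__main__":
    for name, sample in [("vendor", VENDOR_SIGNED), ("re-signed", RE_SIGNED), ("ad hoc", AD_HOC)]:
        print(name, assess(sample) or "ok")
```

On a real Mac the input would be the stderr of `codesign -dv --verbose=4` for each installed application, with the allowlist built from copies obtained directly from the vendor.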
