
Why macOS malware like ZuRu still works, and how to stop it before it runs


A newly observed variant of ZuRu malware is once again targeting macOS users—this time by hiding inside a doctored version of a legitimate app, Termius. It’s the latest example of a growing trend: threat actors exploiting user trust to gain a foothold, even on devices often seen as more secure.

But as familiar as this tactic is, it continues to succeed.

The illusion of safety on macOS

macOS has a reputation for being more secure than Windows, and to some extent that's true.

AV-Test reported in 2023 that over 95% of new malware targets Windows, while macOS accounts for around 6–7%.

Native features like Gatekeeper, Apple's notarization requirement, and System Integrity Protection (SIP) create real hurdles for malware authors. But they don't make macOS immune. In fact, most macOS malware follows the usual delivery pattern: disguise malicious code inside an app that looks safe and trick the user into launching it.

“ZuRu is just hiding behind a legitimate app, even the signature is ad-hoc,” explained Slava Konstantinov, Chief Architect of Mac Security at ThreatLocker. “That means the user will need to click to approve a lot of pop-ups and buttons before it can even run on a Mac.”

The process is clunky but effective. ZuRu's authors replaced Termius's legitimate Developer ID signature with an "ad hoc" signature. An ad hoc signature carries no certificate chain and no Developer ID, so Gatekeeper has nothing it can validate against Apple. Ad hoc signing is fine for local testing, but ad hoc-signed code cannot be notarized or distributed through the App Store, which leaves malware developers to dupe unsuspecting users into downloading the tampered software from elsewhere. Attackers rely on social engineering and human nature to get users to download and launch the application. Once it is downloaded, macOS flags the app as unverified: the user has to override Gatekeeper manually, dig into System Settings, and click "Open Anyway" and then "Open" before it will launch. By the time they have finished, the malware is running.
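One practical check that follows from this, added here as an example rather than code from ThreatLocker or Termius: read the signature that `codesign` reports and refuse anything that is not the vendor's Developer ID build. The Team ID `ABCDE12345`, the bundle identifier `com.example.Termius`, the vendor name "Example Vendor" and the two sample `codesign` outputs are constructed placeholders; on a real machine, pin `EXPECTED_TEAM` to the Team ID printed for a known-good copy of the app.

```shell
#!/bin/sh
# Added example, not code from the ThreatLocker post or from Termius.
# Classifies a macOS app bundle's signature from the text that
# `codesign -dv --verbose=4 <app>` prints (to stderr), so a tampered
# bundle re-signed ad hoc stands out from the vendor's Developer ID build.
# ASSUMPTION: EXPECTED_TEAM is a made-up placeholder. Pin it to the Team ID
# shown for a known-good copy of the app you actually deploy.
EXPECTED_TEAM="ABCDE12345"

# $1 = captured codesign output. Prints one of: unsigned adhoc developer-id other
# An ad hoc signature has a "Signature=adhoc" line and no Authority= chain;
# a Developer ID signature has "Authority=Developer ID Application: ..." lines.
classify_signature() {
    case "$1" in
        *"code object is not signed at all"*)    echo unsigned ;;
        *"Signature=adhoc"*)                      echo adhoc ;;
        *"Authority=Developer ID Application:"*) echo developer-id ;;
        *)                                        echo other ;;
    esac
}

# $1 = captured codesign output. Prints the TeamIdentifier value
# ("not set" for ad hoc signatures, empty if the line is absent).
team_id() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p'
}

# Returns 0 only for a Developer ID signature from the pinned team.
signature_ok() {
    [ "$(classify_signature "$1")" = developer-id ] &&
    [ "$(team_id "$1")" = "$EXPECTED_TEAM" ]
}

# Live check on a bundle (macOS only; not invoked below so the file runs
# anywhere). codesign writes to stderr, hence 2>&1. spctl prints
# Gatekeeper's own verdict (accepted/rejected) for comparison.
check_app() {
    out=$(codesign -dv --verbose=4 "$1" 2>&1)
    printf '%s: %s (team %s)\n' "$1" "$(classify_signature "$out")" "$(team_id "$out")"
    spctl --assess --type exec -vv "$1" 2>&1
    signature_ok "$out"
}

# Constructed sample outputs in the format codesign -dv --verbose=4 uses,
# trimmed to the lines the functions look at. Identifiers are placeholders.
SAMPLE_ADHOC='Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.example.Termius
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=3810 flags=0x2(adhoc) hashes=110+7 location=embedded
Signature=adhoc
Info.plist entries=28
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=412'

SAMPLE_DEVID='Executable=/Applications/Termius.app/Contents/MacOS/Termius
Identifier=com.example.Termius
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=3810 flags=0x10000(runtime) hashes=110+7 location=embedded
Signature size=9026
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jul 2025 at 10:00:00
Info.plist entries=28
TeamIdentifier=ABCDE12345
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=412'

# Demonstration over the constructed samples: the tampered bundle is
# classified "adhoc" with team "not set" and fails signature_ok; the
# vendor build is "developer-id" with the pinned team and passes.
for sample in "$SAMPLE_ADHOC" "$SAMPLE_DEVID"; do
    if signature_ok "$sample"; then verdict=allow; else verdict=block; fi
    printf '%s team=%s -> %s\n' "$(classify_signature "$sample")" "$(team_id "$sample")" "$verdict"
done
```

On macOS, `check_app /Applications/Termius.app` runs the live check; the `spctl --assess` line shows Gatekeeper's own verdict, which for an ad hoc-signed bundle is `rejected`, matching the "unverified" prompt described above. Because the parsing functions work on captured text, the same logic can run off-box over `codesign` output collected from a fleet, and it catches the case the user clicks past: a bundle whose name and icon are right but whose signature no longer chains to the vendor's Developer ID.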

Sophistication isn’t always required

ZuRu doesn't rely on advanced exploits or stolen credentials. That's part of what makes it dangerous: it blends in with the noise of the many other unsophisticated malware families in circulation.

“More sophisticated malware would have a legit signature, which they stole or registered somehow with Apple,” Konstantinov said. “But Apple usually revokes these signatures pretty fast after malware is discovered.”

Even more advanced strains might bypass Gatekeeper entirely by exploiting zero-day vulnerabilities. “This tactic is used in even more sophisticated attacks because to find and use such an exploit costs a lot of money,” he added.

But in most cases, threat actors don’t need to go that far. Users often prioritize convenience over safety and will voluntarily bypass security features standing between them and what they want. Social engineering is cheaper, easier, and just as effective against users who are willing to override default protections.

“I’m not saying it’s not bad,” Konstantinov clarified, “because users usually allow apps to run on their computer even if Apple makes it difficult for them to do it. But the delivery method is similar to many other malware on the market.”

The real fix: Don’t let it run in the first place

macOS malware is evolving, but its success still hinges on the same weak point: user action. That's why detection and alerts aren't enough. The only reliable way to stop malicious apps like ZuRu is to prevent them from executing in the first place.

ThreatLocker® blocks unapproved applications by default, even if the user downloads them and clicks through every warning. With Application Allowlisting, Ringfencing™, and Storage Control for macOS, you can enforce policies that protect endpoints from tampered business tools, rogue downloads, and risky behavior without relying on users to make the right call.

Want to learn how ThreatLocker protects macOS environments?

Schedule a demo or contact our team to see how a prevention-first approach can lock down your Apple devices.

Request your 30-day trial to the entire ThreatLocker platform today.

Try ThreatLocker