A new variant of the macOS.ZuRu malware has been identified targeting macOS users, specifically developers, through a trojanized build of Termius, a legitimate SSH client and terminal app sold as a business tool. The doctored application gives the attacker full remote access to the host and uses low-profile command-and-control (C2) beaconing to evade detection; it also carries an auto-update mechanism that lets it replace its own components in place, helping it stay ahead of security controls. Researchers report that the variant bundles a modified build of the open-source Khepri C2 framework inside the doctored Termius application, using it to keep remote access and to conceal its activity behind what looks like a normal install of the app.
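A trojanized build of a signed app cannot carry the vendor's Apple Developer Team ID unless the vendor's signing identity itself has been stolen, so comparing the TeamIdentifier that codesign reports against the value recorded from a known-good install is a cheap first triage step for anyone who suspects they installed a doctored copy. The script below is an added example written for this page, not code from the original post or from the researchers who analysed ZuRu. The Team ID it uses is a placeholder, not Termius's real one (record that from a trusted copy), and the two codesign outputs it checks offline are constructed samples, not captures from a real binary.

```shell
#!/bin/sh
# Added example (not from the original page or the ZuRu research): verify that a
# macOS app bundle is sealed, signed by the expected Developer Team ID, and
# accepted by Gatekeeper. Team ID below is a PLACEHOLDER; replace it with the
# value you recorded from a known-good install of the app.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-XXXXXXXXXX}"   # placeholder, not Termius's real Team ID

# Pull the TeamIdentifier value out of `codesign -dvv` output (codesign prints it on stderr).
extract_team_id() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Succeeds (returns 0) only when the output carries a TeamIdentifier equal to the expected
# one. An absent field or the literal "not set" (ad-hoc signature) counts as a mismatch.
team_id_matches() {
    _output="$1"
    _expected="$2"
    _actual=$(extract_team_id "$_output")
    [ -n "$_actual" ] && [ "$_actual" != "not set" ] && [ "$_actual" = "$_expected" ]
}

# Full check of a bundle on disk (macOS only): seal integrity, then Team ID, then Gatekeeper.
check_app_bundle() {
    _app="$1"
    codesign --verify --deep --strict "$_app" 2>/dev/null \
        || { echo "FAIL: signature missing or seal broken: $_app"; return 1; }
    _info=$(codesign -dvv "$_app" 2>&1)
    team_id_matches "$_info" "$EXPECTED_TEAM_ID" \
        || { echo "FAIL: unexpected Team ID '$(extract_team_id "$_info")' on $_app"; return 1; }
    spctl --assess --type execute "$_app" 2>/dev/null \
        || { echo "FAIL: Gatekeeper rejects $_app"; return 1; }
    echo "OK: $_app is signed by $EXPECTED_TEAM_ID and accepted by Gatekeeper"
}

# Constructed sample outputs (not captured from real binaries) so the matcher can be
# exercised on a non-macOS host.
SAMPLE_GOOD='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (XXXXXXXXXX)
TeamIdentifier=XXXXXXXXXX
Sealed Resources version=2 rules=13 files=42'

SAMPLE_ADHOC='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Signature=adhoc
TeamIdentifier=not set'

# Usage: ./check_bundle.sh --demo            (offline, runs the matcher on the samples)
#        ./check_bundle.sh /Applications/Termius.app   (macOS, checks a real bundle)
case "${1:-}" in
    --demo)
        team_id_matches "$SAMPLE_GOOD"  "$EXPECTED_TEAM_ID" && echo "sample good: Team ID matches"
        team_id_matches "$SAMPLE_ADHOC" "$EXPECTED_TEAM_ID" || echo "sample ad-hoc: mismatch, as expected"
        ;;
    "") ;;
    *)  check_app_bundle "$1" ;;
esac
```

The check is deliberately conservative: an ad-hoc or missing signature is treated as a failure rather than an unknown, because a vendor-shipped build should never present "not set", and a mismatch on the Team ID alone is enough reason to quarantine the bundle and pull it for analysis before looking for any C2 traffic.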
macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App https://t.co/Q24kCoOsc4
New ZuRu Malware Variant Targeting Developers via Trojanized Termius macOS App https://t.co/EIUrMmFcUg
🚨macOS.ZuRu Resurfaces with a New Twist: Trojanized Termius App and Modified Khepri C2 🚨 Our latest research reveals a new variant of macOS.ZuRu, continuing to target macOS users seeking legitimate business tools. This persistent threat leverages a modified Khepri C2 framework https://t.co/z7hQzQlcKP