targets trusted Mac applications by injecting a stealthy trojan called macOS.ZuRu. This malware hides inside legitimate developer tools, fooling users and security systems alike.
How the Mac Apps Trojan Attack Operates
Hackers bundle the ZuRu trojan with popular Mac applications. They manipulate search engine results to promote these compromised packages. Recently, the Termius app—a widely used SSH client and server management tool—was discovered to be infected. Once installed, the trojan operates silently in the background, giving attackers ongoing control over the victim’s device. This includes executing commands remotely and downloading additional malicious payloads.
The macOS.ZuRu trojan was first detected in China in 2021. Since then, hackers have trojanized several well-known developer tools like SecureCRT, Navicat, and Microsoft’s Remote Desktop for Mac. The recent surge in the Mac Apps Trojan Attack involves a new variant with enhanced command and control features. These allow hackers to maintain persistence and operate undetected.
Attack Techniques and Impact
Attackers bypass macOS code signing by replacing original developer signatures with their own. This tricks the system and users into trusting compromised apps. The trojan is delivered through disk images (.dmg) that look almost identical to legitimate apps but are slightly larger due to malicious files.
Once executed, both the trojan and the genuine app run together, hiding malicious activity. The trojan targets Macs running Sonoma 14.1 or later. It offers hackers capabilities like file transfers, system reconnaissance, process control, and output capture. These features enable extensive surveillance and control of infected machines.
Security researchers from SentinelOne warn the Mac Apps Trojan Attack exploits weak endpoint defenses. The malware thrives in environments without strong security measures.
Protecting Against Mac Apps Trojan Attacks
Users should only download Mac applications from official or verified sources. Checking digital signatures is critical to spot tampered apps. Regular updates to macOS and security software reduce risks. Developers and organizations must strengthen endpoint protections and monitor for suspicious activity. Awareness of such attacks and cautious behavior remain the best defenses.
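The signature check described above, as an added example that is not part of the article: the first function reads the output of `codesign -dv --verbose=4` and classifies the app as properly signed by the expected Developer ID team, ad-hoc or team-less signed (as happens when a trojanized bundle is re-signed), signed by a different team, or unsigned; the second runs it against a live bundle. The expected Team ID is a placeholder you must take from the vendor's genuine release.

```shell
#!/bin/sh
# Added example, not from the article. Classifies a Mac app's code signature.
# classify_signature reads `codesign -dv --verbose=4` output on stdin and prints
# exactly one verdict: OK, ADHOC, WRONG_TEAM or UNSIGNED. $1 is the Team ID you
# expect (placeholder here; copy the real one from the vendor's genuine build).
classify_signature() {
    expected_team="$1"
    team=""; adhoc=0; unsigned=0; seen=0
    while IFS= read -r line; do
        seen=1
        case "$line" in
            TeamIdentifier=*) team="${line#TeamIdentifier=}" ;;   # "not set" if no team
            Signature=adhoc)  adhoc=1 ;;                           # re-signed without a cert
            *"code object is not signed"*) unsigned=1 ;;           # codesign's unsigned message
        esac
    done
    if [ "$seen" -eq 0 ] || [ "$unsigned" -eq 1 ]; then echo UNSIGNED; return 0; fi
    if [ "$adhoc" -eq 1 ] || [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo ADHOC; return 0
    fi
    if [ "$team" != "$expected_team" ]; then echo WRONG_TEAM; return 0; fi
    echo OK
}

# Live check on a Mac. codesign writes its details to stderr, hence 2>&1.
# Returns 0 only when the bundle is signed by the expected team; the verdict
# is printed either way so it can be logged. Hypothetical usage:
#   check_app /Applications/Termius.app EXPECTED_TEAM_ID_PLACEHOLDER
check_app() {
    app="$1"; expected_team="$2"
    verdict=$(codesign -dv --verbose=4 "$app" 2>&1 | classify_signature "$expected_team")
    echo "$app: $verdict"
    [ "$verdict" = OK ]
}
```

A bundle that passes this check can still be blocked or allowed by Gatekeeper independently; `spctl --assess --type execute` on the same path gives that second opinion.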