OSX/ZuRu Mac malware spread through Trojan apps

OSX/ZuRu Mac Trojan horse malware disguised as fake iTerm2 app.

A new variety of Mac Trojan horse malware has been caught in the wild. And, surprisingly, the latest Trojan horses don’t claim to be Adobe Flash Player installers this time.

Seekers of several macOS applications—notably including iTerm2, a third-party Terminal app for Mac—may have unintentionally downloaded an OSX/ZuRu Trojan horse.

Let’s examine this recent malware, how it spread, and how to eliminate an infection.

How was OSX/ZuRu discovered?

Pan Xiaopan discovered the first in-the-wild sample of OSX/ZuRu while searching for the Mac app iTerm2 on the Chinese search engine Baidu.

Baidu poisoned search results for iTerm2 led to OSX/ZuRu malware. (Screenshot: Pan Xiaopan)

Rather than the top result being the legitimate iTerm2, the first link actually led to a malware site designed to look virtually indistinguishable from the legitimate software’s homepage. This technique of introducing malicious results into search queries is known as search engine poisoning.

Attempting to download iTerm2 from the lookalike site would instead download a disk image infected with an OSX/ZuRu Trojan horse.

The real iTerm2 site is hosted at, which appeared as the second result in the Baidu search. The malicious site that linked to the Trojan disk image used a very similar domain: iterm2[.]net.

Baidu has reportedly removed the fraudulent link from its search results.

Researchers later found several other disk images infected with OSX/ZuRu, disguised as other Mac software including Microsoft Remote Desktop, Navicat, SecureCRT, and also reportedly SnailSVN.

What does OSX/ZuRu do to an infected Mac?

If a user is tricked into running the Trojan horse, OSX/ZuRu downloads and runs a Python script that collects various information from an infected Mac, including but not limited to:

  • the user’s macOS Keychain database
  • the user’s bash and zsh Terminal command history
  • the user’s iTerm2 saved state
  • the user’s ssh keys and known hosts
  • the system’s /etc/hosts file

Many of these files could contain highly sensitive information such as passwords and private keys.

The malware then attempts to exfiltrate a zip archive of this data to the server from which the Python script was downloaded.
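The post describes the harvested files being bundled into a zip archive before exfiltration. As an added triage example (not code from Intego or from the malware analysis), the script below scans a directory for zip archives whose entries look like a bundle of exactly those artifacts: Keychain database, bash/zsh history, iTerm2 saved state, ssh keys and known hosts, and /etc/hosts. The entry-name patterns and the staging location are assumptions; the post does not say how the malware names or stores its archive, so point the scan at whatever writable locations you want to check. Only archive entry names are read, nothing is extracted.

```python
import tempfile
import zipfile
from pathlib import Path

# Name fragments for the artifacts the post says OSX/ZuRu collects. These are
# assumed patterns derived from the standard macOS locations of those files;
# the malware's actual entry names are not documented in the post.
SENSITIVE_PATTERNS = (
    "keychain-db",       # ~/Library/Keychains/login.keychain-db
    ".bash_history",     # bash command history
    ".zsh_history",      # zsh command history
    "iterm2",            # iTerm2 saved application state bundle
    "id_rsa", "id_ed25519", "id_ecdsa",  # common ssh private key file names
    "known_hosts",       # ssh known hosts
    "etc/hosts",         # system hosts file
)


def suspicious_entries(zip_path):
    """Return archive entry names matching a sensitive-artifact pattern.

    Only the central directory is read; no entry is extracted."""
    hits = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            lowered = name.lower()
            if any(pattern in lowered for pattern in SENSITIVE_PATTERNS):
                hits.append(name)
    return hits


def scan_for_staged_archives(directory, min_hits=2):
    """Scan every file under directory that is a zip archive (by content, not
    by extension) and report archives bundling at least min_hits sensitive
    artifacts, which is what a credential-harvesting staging file looks like.
    Returns {archive_path: [matching entry names]}."""
    findings = {}
    for path in Path(directory).rglob("*"):
        if not path.is_file() or not zipfile.is_zipfile(path):
            continue
        try:
            hits = suspicious_entries(path)
        except zipfile.BadZipFile:
            continue
        if len(hits) >= min_hits:
            findings[str(path)] = hits
    return findings


def build_constructed_sample():
    """Create constructed test data in a temp directory: one archive that
    looks like a harvest bundle (no .zip extension, as a staging file might
    not have one) and one benign archive. Returns (dir, staged, benign)."""
    tmp = Path(tempfile.mkdtemp())
    staged = tmp / "staged.bin"
    with zipfile.ZipFile(staged, "w") as zf:
        zf.writestr("home/user/.zsh_history", "ls -la\n")          # constructed
        zf.writestr("home/user/.ssh/known_hosts", "host ssh-ed25519 AAAA\n")  # constructed
        zf.writestr("home/user/notes.txt", "shopping list\n")
    benign = tmp / "report.zip"
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("report.pdf", "not a pdf, constructed placeholder")
    return str(tmp), str(staged), str(benign)


if __name__ == "__main__":
    directory, _, _ = build_constructed_sample()
    for archive, entries in scan_for_staged_archives(directory).items():
        print(f"{archive}: {entries}")
```

The `min_hits` threshold keeps a single stray `.zsh_history` backup from firing; an archive holding two or more of these artifacts together is the pattern worth a closer look.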

An outbound firewall, such as Intego NetBarrier X9, can block malware from exfiltrating data from your Mac.

How can one remove or prevent OSX/ZuRu and other threats?

Given that Apple’s threat mitigation features such as notarization, Gatekeeper, XProtect, and MRT do not block many types of threats, it is evident that Apple’s own macOS protection methods are insufficient by themselves.

Related: Do Macs need antivirus software?

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate OSX/ZuRu malware.

VirusBarrier is designed by Mac security experts, and it protects against a much wider variety of malware than Apple’s mitigation methods.

If you believe your Mac may have been infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer that includes real-time scanning, such as Intego VirusBarrier X9—which also protects Macs from M1-native malware, cross-platform malware, and more. Intego recently earned a 100% detection rating for Mac malware in two independent tests conducted by AV-Comparatives and AV-TEST.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from these threats. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

Indicators of compromise (IoCs)

Following are some specific ways to identify whether a Mac may have been infected by OSX/ZuRu.

Apple has since revoked the Developer ID that was used for signing this malware. The developer name and Team ID of the revoked developer account are:


The following SHA-256 file hashes belong to known OSX/ZuRu files associated with this malware campaign.


The following domains and IP address have been observed to have ties with this malware:


Any recent network traffic to or from any of these domains should be considered a possible sign of an infection.
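The two checks the IoC section calls for, matching file hashes and spotting traffic to the listed domains, as an added example that is not Intego's own tooling. The hash and domain sets are placeholders: substitute the SHA-256 values and domains published in the post. Files are hashed with SHA-256 as the post specifies, and the domain check treats subdomains of a listed domain as hits while rejecting lookalikes that merely contain the string, a distinction a plain substring search gets wrong. The log line layout used in the demo is constructed, not a real macOS log format.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Placeholder IoC sets. Substitute the SHA-256 hashes and domains published in
# the post; the values below are constructed placeholders, not real indicators.
IOC_SHA256 = {"PLACEHOLDER_SHA256_FROM_THE_POST"}
IOC_DOMAINS = {"placeholder-ioc.invalid"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large disk image is never read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ioc_files(directory, ioc_hashes):
    """Hash every regular file under directory (e.g. ~/Downloads) and return
    {path: sha256} for files whose hash is in ioc_hashes."""
    wanted = {h.lower() for h in ioc_hashes}
    matches = {}
    for path in Path(directory).rglob("*"):
        if path.is_file():
            h = sha256_of_file(path)
            if h in wanted:
                matches[str(path)] = h
    return matches


# Hostname-looking tokens: one or more dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def domain_matches(hostname, ioc_domains):
    """True if hostname is an IoC domain or a subdomain of one.
    'evil.invalid.example.com' does NOT match IoC 'evil.invalid'."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def find_ioc_domains(log_lines, ioc_domains):
    """Return (line_number, hostname) for log lines mentioning an IoC domain."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            if domain_matches(host, ioc_domains):
                hits.append((number, host.lower()))
    return hits


def run_constructed_demo():
    """Exercise both checks on constructed data: a temp file whose own hash is
    added to a local IoC set, plus a few made-up DNS-style log lines."""
    tmp = Path(tempfile.mkdtemp())
    sample = tmp / "constructed-sample.dmg"
    sample.write_bytes(b"constructed sample disk image, not real malware")
    (tmp / "benign.txt").write_bytes(b"nothing to see here")
    local_hashes = IOC_SHA256 | {sha256_of_file(sample)}
    hash_hits = find_ioc_files(tmp, local_hashes)

    local_domains = IOC_DOMAINS | {"evil-example.invalid"}
    lines = [  # constructed "timestamp client query" lines
        "2021-09-14T10:00:01Z 10.0.0.5 query A www.apple.com",
        "2021-09-14T10:00:02Z 10.0.0.5 query A cdn.evil-example.invalid",
        "2021-09-14T10:00:03Z 10.0.0.5 query A evil-example.invalid.example.com",
    ]
    domain_hits = find_ioc_domains(lines, local_domains)
    return hash_hits, domain_hits


if __name__ == "__main__":
    files, domains = run_constructed_demo()
    print("hash matches:", files)
    print("domain hits:", domains)
```

Running `find_ioc_files` over the folders where downloaded disk images land, and `find_ioc_domains` over exported DNS or proxy logs, gives a quick first pass; a hit on either warrants the full antivirus scan the post recommends rather than being treated as conclusive on its own.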

Is OSX/ZuRu known by any other names?

Other vendors’ names for threat components from this malware campaign may include variations of: DMG/ZuRu.A, Mac.BackDoor.CobaltStrike.2, Mac.Trojan.ZuRu, MacOS:CobalStrike-C, MacOS:ZuRu-A, OSX/CobaltStrike.A, OSX/CobaltStrike.Beacon.B, OSX/iTerm, OSX/Spy.ZuRu.A, OSX/ZuRu-A, Python:Agent-CC, Trojan-Spy.OSX.Zuru, Trojan:MacOS/Multiverze, Trojan:Script/Wacatac.B, Trojan:Win32/Casdet!rfn, Trojan.MAC.ZuRu.A, Trojan.MacOS.ZURU, Trojan.OSX.Zuru, and Win32.Trojan-spy.Zuru.

How can I learn more?

For more technical details of the recent OSX/ZuRu campaign, you can read Patrick Wardle’s write-up (and Pan Xiaopan’s original write-up, in Chinese).

We discussed OSX/ZuRu on episode 206 of the Intego Mac Podcast. Be sure to follow the podcast to make sure you don’t miss any episodes! You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

Be sure to follow Intego on your favorite social media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at and follow him on X/Twitter, LinkedIn, and Mastodon.