Further, for an app with a very professionally designed website, the disk image file is quite unpolished. The real iTerm2 is distributed in a zip file, rather than a disk image. The disk image throws the first red flag. The malware comes in a disk image that contains a link to the Applications folder with a Chinese name