{
	"id": "56f00b50-1c52-4509-bd7d-4ae272fb377d",
	"created_at": "2026-04-06T00:11:16.52848Z",
	"updated_at": "2026-04-10T03:20:49.919978Z",
	"deleted_at": null,
	"sha1_hash": "47e74ca255cfe2502a98815e3c62eed6bbcb9d7a",
	"title": "NukeSped Copies Fileless Code From Bundlore, Leaves It Unused",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 833980,
	"plain_text": "NukeSped Copies Fileless Code From Bundlore, Leaves It Unused\r\nBy Luis Magisa, Ariel Neimond Lazaro\r\nPublished: 2021-06-22 · Archived: 2026-04-05 20:30:49 UTC\r\nWhile investigating samples of NukeSped, a remote access trojan (RAT), Trend Micro came across several Bundlore adware samples using the same fileless routine that was spotted in NukeSped. The backdoor has been attributed to the cybercriminal group Lazarus, which has been active since at least 2014.\r\nThere are multiple variants of NukeSped, which is designed to run on 32-bit systems and uses encrypted strings to evade detection. Recently, a more sophisticated form of this trojan called ThreatNeedle surfaced as part of a cyberespionage campaign by Lazarus.\r\nThe encrypted Mach-O file discovered in these samples has upgraded Bundlore — a malware family that installs adware on a target’s device under the guise of downloading legitimate applications — to a stealthier, memory-resident threat. Bundlore has also been known to target macOS devices and was linked to an attack on macOS Catalina users last year.\r\nOur analysis of the file Ants2WhaleHelper used by Lazarus led us to detect it as NukeSped. Another file with NukeSped detection, unioncryptoupdater, was also found in VirusTotal. Both contained a routine that looks to be based on a GitHub submission. Curiously, however, neither of these files seems to make use of this routine.\r\nUsing Interactive Disassembler Pro (IDA Pro) on the Ants2WhaleHelper file revealed its main payload as _mapBuffer (Figure 1), which appears to be a modified version of the _memory_exec function (Figure 2). This function looks like it was based on code from the GitHub post; however, there were no references that point to the _memory_exec function.\r\nFigure 1. The _mapBuffer function\r\nhttps://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html\r\nPage 1 of 7\r\nFigure 2. The _memory_exec function copied from the GitHub post\r\nMoreover, the payload has a _resolve_symbol function that does not seem to be used. It also does not appear to be necessary, as evidenced in Figure 3. NukeSped typically retrieves and launches its payload from a web server, so it does not need the superfluous _resolve_symbol function, which locates data internally. As Figure 4 shows, searching for the operation codes of this function on VirusTotal led to its detection in 201 files. The results yielded only two NukeSped samples, while the rest were Bundlore samples.\r\nFigure 3. The _resolve_symbol functions of NukeSped (left) vs. Bundlore (right)\r\nFigure 4. The searched operation codes\r\nSimilarly, a search using VirusTotal's Retrohunt yielded 273 results; most of these were Bundlore files and only three were NukeSped files. However, one of these NukeSped samples was verified as the parent of a NukeSped file from the previous search. Among the Bundlore samples discovered, the oldest one dates back to May of last year. Further investigation of these Bundlore samples from the VirusTotal query revealed that these were indeed using fileless routines, enabling Bundlore to execute a payload directly from memory.\r\nBundlore’s fileless routine\r\nOur study of the Bundlore samples showed that these utilise the same functions that were found unused in the NukeSped samples. As seen in Figure 5, these were obfuscated, as they appeared under random names when disassembled in IDA Pro. While the functions have some differences, the routine for in-memory file execution remains the same (Figures 6 and 8).\r\nFigure 5. The obfuscated functions\r\nFigure 6. The disassembly of NukeSped (left column) vs. Bundlore (right column) samples\r\nThe main routines of one of the Bundlore samples (sha256: 0a3a5854d1ae3f5712774a4eebd819f9e4e3946f36488b4e342f2dd32c8e5db2) are as follows:\r\n1. Decrypt the __DATA.__data section to reveal the embedded Mach-O file, as shown in Figure 7. The decryption uses an XOR key that is incremented every cycle: for example, a key of 0xDD incremented by 0x2A produces 0xDD, 0x00, 0x2A, 0x54, 0x7E, 0xA8, 0xD2, 0xFC, 0x00, and so on.\r\nFigure 7. The decryption routine of the __DATA.__data section\r\n2. Invoke NSCreateObjectFileImageFromMemory to create an adware image from the Mach-O file in memory. Afterwards, NSLinkModule is called to link the malicious image to the main executable's image library. The Mach-O header's file type is changed from executable (0x02) to bundle (0x08) before NSCreateObjectFileImageFromMemory can be called, as shown in Figure 6.\r\n3. Parse the Mach-O file's header structure in memory for LC_MAIN, a load command with the value 0x80000028. This command contains data such as the offset of the Mach-O file's entry point (Figure 8). Afterwards, the adware retrieves the offset and jumps to the entry point.\r\nFigure 8. Finding the entry point of the malicious image in NukeSped (left column) vs. Bundlore (right column)\r\nBundlore’s Mach-O file runs in memory\r\nThe decryption keys and increment values differ across the Bundlore samples. To gain a better understanding of the embedded file, we created a Python script to decrypt and extract their embedded Mach-O files. By doing so, we were able to observe one such decrypted Mach-O file (sha256: a7b6639d9fcdb13ae5444818e1c35fba4ffed90d9f33849d3e6f9b3ba8443bea) with the routines shown in Figure 9. It connects to a target URL (13636337101185210173363631[.]cloudfront[.]net/?cc-00\u0026), but the address varies among the samples. An app bundle called Player.app, which poses as Flash Player, is then downloaded and extracted into a /tmp directory. The chmod 777 command is run on the extracted app bundle, after which the fake application is launched. While it performs these routines, Bundlore displays a fraudulent error message (Figure 10). Upon completion, it goes dormant by calling the sleep function in a loop.\r\nThere were no significant differences seen when running the Bundlore samples in macOS Big Sur and macOS Catalina. However, our researchers found that with the default settings of macOS, in which the System Integrity Protection (SIP) and Gatekeeper security features are enabled, the Bundlore samples are blocked and unable to run. This was observed in both macOS Catalina and macOS Big Sur environments; similarly, the Bundlore samples were also blocked and unable to run under the default settings of macOS Monterey, Apple's recently released operating system.\r\nFigure 9. The decrypted Mach-O file’s main routines\r\nFigure 10. The fake error message displayed by Player.app\r\nTrend Micro Solutions\r\nContinuous vigilance against threat groups is an important aspect of keeping up with — if not staying one step ahead of — threats. To protect systems from this type of threat, users can use multilayered security solutions like Trend Micro Antivirus for Mac and Trend Micro Protection Suites that help detect and block attacks. Trend Micro Vision One™ also provides visibility, correlated detection, and behaviour monitoring across multiple layers, such as emails, endpoints, servers, and cloud workloads. This ensures that no significant incidents go unnoticed and allows faster response to threats before they can do any real damage to the system.\r\nMITRE Tactics, Techniques, and Procedures (TTPs) of Bundlore\r\nInitial Access: Drive-by compromise\r\nExecution: User execution\r\nPrivilege Escalation: Process injection\r\nDefence Evasion: Deobfuscate/Decode files or information; Masquerading; Process injection\r\nCommand and Control (C\u0026C): Web service\r\nIndicators of Compromise (IOCs)\r\nsha256 | File | Detection\r\nbb430087484c1f4587c54efc75681eb60cf70956ef2a999a75ce7b563b8bd694 | Ants2WhaleHelper | Trojan.MacOS.Agent.PFH\r\n631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680 | unioncryptoupdater | Trojan.MacOS.LAZARUS.A\r\n0a3a5854d1ae3f5712774a4eebd819f9e4e3946f36488b4e342f2dd32c8e5db2 | smokehouses | Adware.MacOS.BUNDLORE.RSM\r\na7b6639d9fcdb13ae5444818e1c35fba4ffed90d9f33849d3e6f9b3ba8443bea | Embedded Mach-O | Adware.MacOS.BUNDLORE.MA\r\nSource: https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html"
	],
	"report_names": [
		"nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434276,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47e74ca255cfe2502a98815e3c62eed6bbcb9d7a.pdf",
		"text": "https://archive.orkl.eu/47e74ca255cfe2502a98815e3c62eed6bbcb9d7a.txt",
		"img": "https://archive.orkl.eu/47e74ca255cfe2502a98815e3c62eed6bbcb9d7a.jpg"
	}
}