{
	"id": "1365756f-bc6a-4125-a17b-2661744de256",
	"created_at": "2026-04-06T00:17:53.340202Z",
	"updated_at": "2026-04-10T13:11:41.827571Z",
	"deleted_at": null,
	"sha1_hash": "75a465589bc961da7fcb3997c169765a56f56af0",
	"title": "OSX.Bundlore",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6898843,
	"plain_text": "OSX.Bundlore\r\nBy Ruslana Lishchuk\r\nPublished: 2019-04-17 · Archived: 2026-04-05 12:43:55 UTC\r\nIn this article you will find the following:\r\nWhat is OSX.Bundlore\r\nWhat does Bundlore do\r\nHow Bundlore malware is dangerous to your Mac\r\nHow does macOS Bundlore get installed on users’ computers\r\nHow does macOS Bundlore overcome macOS protection mechanisms\r\nHow the Bundlore malware works\r\nmacOS Bundlore command-and-control communication\r\nmacOS Bundlore privilege escalation, defense evasion, and persistence\r\nmacOS Bundlore advertisement delivery\r\nWhat does Bundlore infrastructure look like?\r\nHow to remove OSX.Bundlore\r\n1. Get rid of virus-related files and folders on your Mac\r\n2. Delete malicious extensions from your browser\r\n3. Remove virus programs\r\nConclusion\r\nSince 2015, macOS Bundlore has been a noticeable phenomenon in the macOS security landscape. It’s known for\r\nusing different techniques to bypass macOS security measures, such as disguising itself as an innocent program.\r\nOnce it makes its way onto your Mac, it bombards you with advertisements. Despite its age, Bundlore is still\r\nactive, which means all Mac users should be wary of it.\r\nWhat is OSX.Bundlore\r\nmacOS Bundlore, also known as OSX.Bundlore and sometimes Crossrider, is a form of adware—a type of\r\nmalware that displays unwanted advertisements and installs software products offered by affiliates. It's an adware\r\ndelivery method whose primary feature is that it installs adware applications in a “bundle,” in other words,\r\ntogether with the applications that the user wants to install themselves.\r\nThe authors of macOS Bundlore try to keep up with Apple’s latest security patches. For example, on macOS\r\nversions prior to 10.13, macOS Bundlore installed a malicious browser extension that hijacked user search. 
Now,\r\non macOS versions 10.13 and 10.14, it installs custom configuration profiles to perform the same hijack, because the previous\r\napproach is now blocked by macOS security.\r\nhttps://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/\r\nPage 1 of 18\n\nWhat does Bundlore do\r\nmacOS Bundlore applications display intrusive pop-up ads, which may redirect users to malicious websites or\r\nprompt them to submit personal information. Infected software may also collect user and system information, such as\r\nIP addresses, queries entered into search engines, URLs visited, pages viewed, passwords, and so on. The adware\r\nalso reduces browser performance.\r\nThe main goal of Bundlore is to earn money for attackers, who are typically rewarded for all the clicks and\r\nimpressions that the adware earns. They can also earn affiliate commission for quietly installing certain software\r\non a user’s Mac without their knowledge.\r\nA note from our experts:\r\nCatching a virus is always frustrating. Luckily, you can remove it using an antivirus solution.\r\nMacKeeper’s Antivirus removes viruses from your Mac and protects it from potential threats.\r\nHere’s how to use Antivirus:\r\n1. Download and install MacKeeper.\r\n2. Select Antivirus in the sidebar when MacKeeper opens.\r\n3. Click Start Scan to find macOS Bundlore or any other malicious software that might be hiding\r\non your machine.\r\n4. Remove the virus from your Mac.\r\nStep 1. MacKeeper \u003e Start Scan \u003e Antivirus\r\nStep 2. Remove macOS Bundlore virus\r\nHow Bundlore malware is dangerous to your Mac\r\nYou might assume that Bundlore isn’t as bad as other viruses or spyware on Mac. After all, we’re all used to\r\nseeing ads whenever we browse the internet. However, it’s a lot more than just a slight irritation. In addition to\r\nslowing down your Mac and overwhelming you with pop-ups and banner ads, Bundlore infections often lead\r\nusers to much nastier malware, viruses, and ransomware.\r\nIf you accidentally click on an ad displayed by Bundlore, there’s a risk that you’ll be redirected to a site that\r\ndownloads dangerous software to your computer. This software might hold your data hostage, or steal sensitive\r\ninformation that can be used to blackmail you or steal from you. Whatever the case may be, Bundlore isn’t\r\nsomething you want to have on your Mac.\r\nHow does macOS Bundlore get installed on users’ computers\r\nmacOS Bundlore spreads through ads for free software and fake updates. It often tempts unsuspecting users with helpful\r\ntools and utilities or big updates for third-party software like Adobe Flash Player. Of course, none of these things\r\nare genuine—they’re just designed to fool you into installing the Bundlore virus.\r\nIn general, when software is downloaded from unofficial sources (torrents, pop-up ads, unofficial websites), the\r\nrisk of getting malware like macOS Bundlore is high. Some believe that Macs are immune to threats like this, but\r\nthat’s simply not true—Apple computers get viruses just like Windows PCs.\r\nExample of a macOS Bundlore dropper download page\r\nHow does macOS Bundlore overcome macOS protection mechanisms\r\nOver the years, macOS Bundlore has evolved to overcome the latest security protection mechanisms built into\r\nmacOS. On earlier versions of the operating system, such as 10.12 and older, Bundlore posed as an innocent update to\r\na genuine piece of software and, once installed, wrote directly to TCC.db, the database that records which applications\r\nhave been granted Accessibility access (the access AppleScript needs to drive other applications).\r\nApple fixed this in macOS 10.12.2 by moving TCC.db, which had previously been writable by any process running as\r\nroot, under System Integrity Protection (SIP). This ensures that even with root access to your system,\r\nmalware cannot change critical system files and settings.\r\nMoreover, in macOS 10.14, Apple added Mail, Messages, Safari, Home, iTunes data files, and Time Machine\r\nbackups to the list of locations guarded by the TCC privacy framework, so an application needs explicit user consent\r\nbefore it can read them. Another new security feature is that Apple removed the possibility of\r\ninstalling third-party legacy Safari extensions that aren't available in the Safari Extensions Gallery.\r\nImportant: \r\nAttackers using Bundlore have found new ways to force their way onto Macs. In more recent versions,\r\nkey functionalities are bundled into one package—not split across multiple binaries and bash scripts.\r\nBundlore has also been made compatible with the latest Safari App Extension format (.appex).\r\nThis makes it easier for Bundlore to pose as an official software update for a popular piece of software\r\nand circumvent macOS protections. What’s more, it uses WebTools to create multiple blocking\r\nwindows, so a user won’t be able to stop the installation process or see what it executes if they become\r\nsuspicious.\r\nHow the Bundlore malware works\r\nRegardless of which version of Bundlore is attacking your machine, the process usually begins with a bash\r\nscript called Install.sh, which downloads an archive containing an application called mm-install-macOS from a remote\r\nserver, extracts its contents to a temporary directory, and executes it.\r\nIn earlier versions of Bundlore, WebTools modified the TCC.db database to be able to control other applications\r\nwith AppleScript. Now that TCC.db is under SIP, third-party applications can’t access or modify it, even with\r\nadministrator permissions, unless SIP is turned off.\r\nWebTools therefore works around the locked database rather than bypassing SIP. Its activity falls into three stages:\r\nmacOS Bundlore command-and-control communication\r\nmacOS Bundlore privilege escalation, defense evasion, and persistence\r\nmacOS Bundlore advertisement delivery\r\nmacOS Bundlore command-and-control communication\r\nAs we mentioned earlier, macOS Bundlore disguises itself as a software update package, often called\r\nMyMacUpdater. The main purpose of the updater is to fetch malicious packages from a server and install them.\r\nThe updater has its own LaunchAgent, and it checks for updates every 12 hours. If a new version is found, it\r\ndownloads it and then executes the downloaded file.\r\nmacOS Bundlore privilege escalation, defense evasion, and persistence\r\nWebTools, a component of Bundlore, is a Mach-O (short for Mach object) file that invokes a built-in system\r\nfunction to decrypt the next execution stage and passes the result to /bin/bash for execution.\r\nAt the next stage, multiple actions are performed. WebTools checks whether any of its brands are already installed.\r\nBrands are different names for the ad delivery component; in fact, all brands are the same binary file.\r\nNext, WebTools downloads and installs the ad delivery component—an application that injects malicious\r\nJavaScript code into a browser with AppleScript. In our test, it’s called MyCouponsmart, but many others are\r\nlikely in use. This package is installed in the Applications folder.\r\nWebTools then achieves persistence with a LaunchAgent or a LaunchDaemon, depending on whether it is running as the user or as root. 
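The persistence layout this section describes can be checked with a short triage script. The following is an added example written for this edit, not code from the original article or from Bundlore: it walks the LaunchAgents and LaunchDaemons folders the removal section lists, flags a job whose program lives in a hidden dot-prefixed folder under Application Support or is the stubLaunch script described under advertisement delivery, and Base64-decodes any .enc file beside that script to see whether it is a Mach-O binary. It assumes, which the article does not state, that the updater's 12-hour check appears as a launchd StartInterval of 43200 seconds. Every path, plist and file in it is constructed sample data.

```python
# Added example (not from the MacKeeper article or from Bundlore itself):
# triage of Bundlore-style launchd persistence. Paths, plist contents and
# file names are constructed sample data, built by build_sample().
import base64
import os
import plistlib
import struct
import tempfile

# Mach-O magic numbers as read big-endian from the first four bytes:
# 32/64-bit in both byte orders, plus fat (universal) binaries.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE,
                0xCAFEBABE, 0xBEBAFECA}
LAUNCHD_SUBDIRS = ('Library/LaunchAgents', 'Library/LaunchDaemons')


def is_macho(blob):
    '''True if blob starts with a Mach-O or fat-binary magic number.'''
    return len(blob) >= 4 and struct.unpack('>I', blob[:4])[0] in MACHO_MAGICS


def decoded_enc_is_macho(enc_path):
    '''Base64-decode a stubLaunch-style .enc file and check for a Mach-O header.'''
    try:
        with open(enc_path, 'rb') as fh:
            return is_macho(base64.b64decode(fh.read()))
    except (OSError, ValueError):
        return False


def program_of(plist):
    '''Return the executable a launchd job runs, or an empty string.'''
    args = plist.get('ProgramArguments') or []
    return plist.get('Program') or (args[0] if args else '')


def suspicious_reasons(plist):
    '''List the Bundlore-style traits of one launchd job (empty list if none).'''
    prog = program_of(plist)
    reasons = []
    parts = prog.split('/')
    if 'Application Support' in parts:
        nxt = parts.index('Application Support') + 1
        if nxt < len(parts) and parts[nxt].startswith('.'):
            reasons.append('hidden dot-prefixed Application Support path')
    if os.path.basename(prog) == 'stubLaunch':
        reasons.append('stubLaunch ad-delivery launcher')
        folder = os.path.dirname(prog)
        if os.path.isdir(folder):
            for name in sorted(os.listdir(folder)):
                if name.endswith('.enc') and decoded_enc_is_macho(os.path.join(folder, name)):
                    reasons.append('Base64 .enc decodes to Mach-O: ' + name)
    # Assumption (not stated in the article): the 12-hour update check is a StartInterval.
    if plist.get('StartInterval') == 43200:
        reasons.append('12-hour StartInterval (updater cadence)')
    return reasons


def scan_launchd(root):
    '''Walk root/Library/Launch* and root/Users/*/Library/Launch*; return one
    finding per suspicious plist, in directory order. Reports only, never deletes.'''
    homes = [root]
    users = os.path.join(root, 'Users')
    if os.path.isdir(users):
        homes += [os.path.join(users, u) for u in sorted(os.listdir(users))]
    findings = []
    for home in homes:
        for sub in LAUNCHD_SUBDIRS:
            folder = os.path.join(home, sub)
            if not os.path.isdir(folder):
                continue
            for name in sorted(os.listdir(folder)):
                if not name.endswith('.plist'):
                    continue
                path = os.path.join(folder, name)
                try:
                    with open(path, 'rb') as fh:
                        plist = plistlib.load(fh)
                except (OSError, plistlib.InvalidFileException):
                    continue
                reasons = suspicious_reasons(plist)
                if reasons:
                    findings.append({'plist': path, 'program': program_of(plist), 'reasons': reasons})
    return findings


def write_plist(folder, name, data):
    '''Helper for the sample tree: write one launchd plist.'''
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, name), 'wb') as fh:
        plistlib.dump(data, fh)


def build_sample(root):
    '''Lay out a constructed infection (sample data, not a real one) under root.'''
    home = os.path.join(root, 'Users', 'alice')
    hidden = os.path.join(home, 'Library', 'Application Support', '.MyCouponsmart')
    os.makedirs(hidden)
    stub = os.path.join(hidden, 'stubLaunch')
    with open(stub, 'w') as fh:
        fh.write('#!/bin/bash')  # real script body omitted
    with open(os.path.join(hidden, 'payload.enc'), 'wb') as fh:  # Mach-O 64-bit LE magic + filler
        fh.write(base64.b64encode(bytes.fromhex('cffaedfe') + bytes(28)))
    write_plist(os.path.join(home, 'Library', 'LaunchAgents'), 'com.MyCouponsmart.agent.plist',
                {'Label': 'com.MyCouponsmart.agent', 'ProgramArguments': [stub], 'RunAtLoad': True})
    write_plist(os.path.join(root, 'Library', 'LaunchDaemons'), 'com.MyMacUpdater.plist',
                {'Label': 'com.MyMacUpdater', 'StartInterval': 43200,
                 'Program': '/Applications/MyMacUpdater.app/Contents/MacOS/MyMacUpdater'})
    write_plist(os.path.join(root, 'Library', 'LaunchAgents'), 'com.example.benign.plist',
                {'Label': 'com.example.benign', 'ProgramArguments': ['/usr/bin/true']})
    return root


def demo():
    '''Build the sample tree in a fresh temp dir and scan it.'''
    return scan_launchd(build_sample(tempfile.mkdtemp()))
```

Point scan_launchd() at / on a live Mac or at the root of a mounted volume; demo() builds the constructed sample in a temporary directory and scans that instead. The script only reports, because the ad delivery component restores removed files from its hidden backup: unload the launchd jobs before deleting anything.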
WebTools also keeps a backup copy of the ad delivery component under the user’s Application Support directory, with a dot in front\r\nof the application name so that the folder is hidden; the ad delivery component later restores itself from this copy if\r\nits files are removed.\r\nAfter the installation, WebTools gets information about the macOS and Safari versions. If the macOS version is 10.12\r\nor older and the Safari version is 10 or older, it modifies the TCC.db database to enable AppleScript access to\r\napplications like Terminal, Safari, or Chrome so that it can interact with them.\r\nTo be able to run JavaScript code in Safari, WebTools enables the Develop menu and modifies authorizationdb.\r\nIf Firefox is installed, WebTools deploys a malicious browser extension.\r\nIn the end, WebTools runs a post-installation check to verify that an ad delivery component was installed, that\r\npersistence was achieved, and that it can run JavaScript in Safari and Chrome. Installation progress is\r\nreported to a remote server.\r\nmacOS Bundlore advertisement delivery\r\nThe ad delivery component’s main executable is a bash script called stubLaunch, which decodes a Base64-encoded .enc\r\nfile inside the ad delivery component’s folder and runs it. The decoded binary creates a pipe and forks. The parent process\r\ndecrypts the payload and writes it to the pipe, while the child process reads data from the pipe and feeds it to a\r\nnewly created Python process.\r\nThe payload written to the pipe is Python code encrypted with a custom scheme. It is trivial to decrypt, because the\r\ndecryption function ships inside the binary itself.\r\nAfter decrypting, decoding, and decompressing, there’s another layer of obfuscated Python code, including strings\r\nencrypted with the above-mentioned algorithm. We decrypted all strings and renamed all classes and functions.\r\nThe most interesting thing about the final Python code is an “if” statement on an “out of browser” key, which decides how\r\nmacOS Bundlore will interact with a browser. If the key is off, which is the default value, the code runs the Evil_init.run()\r\nmethod (a name we assigned). This run method checks whether its files were removed and tries to restore them from the\r\nhidden backup.\r\nThe inject_browser component then tries to inject malicious JavaScript code into a browser with\r\nAppleScript and reports the status to a server.\r\nIf the “out of browser” key is set to “on,” the code runs the Evil2_init.run() method instead. This run\r\nmethod retrieves RC4-encrypted AppleScript from another server and executes it.\r\nThe decrypted AppleScript checks for running browsers, gets an “offerId” from a URL/server, and spawns a new browser\r\nwindow with an advertisement.\r\nWhat does Bundlore infrastructure look like?\r\nMany of the servers and domains used by Bundlore when we last tested it are no longer active; however, they\r\nseemed to remain live for a lot longer than others used to spread malware. We’re not just talking weeks or months\r\n—some were live for years before they were eventually taken down.\r\nFor example, the service.macinstallerinfo.com domain, which went live in 2015, was still being used in 2019.\r\nLike others used by Bundlore, it was hosted on a Rackspace server in the US. Of course, the details of all domain\r\nregistrants have been hidden by an anonymization service, domainsbyproxy.\r\nAnother interesting fact is that all domains related to this adware have an “events” subdomain to which the adware\r\ninstallers send their tracking information, and all of these subdomains resolve to one IP address, which is also hosted\r\nat the same provider. This links all components of macOS Bundlore together.\r\nHow to remove OSX.Bundlore\r\nWhen it comes to removing Bundlore from Mac, there are a number of steps you should take, including:\r\n1. Get rid of virus-related files and folders on your Mac\r\n2. Delete malicious extensions from your browser\r\n3. Remove virus programs\r\n1. Get rid of virus-related files and folders on your Mac\r\nOne way to delete malware from Mac, particularly Bundlore, is to manually remove all traces of the software from\r\nthe folders it’s installed to. You can do this like so:\r\n1. Open Finder on your Mac, then select Go \u003e Go to Folder in the menu bar.\r\n2. Enter the location of one of the folders used by Bundlore, then press Enter.\r\n3. Delete all files associated with the Bundlore adware. First, right-click the file, then select Move to Trash.\r\nYou’ll need to know the name of the adware application Bundlore is using, such as MyMacUpdater,\r\nMyCouponsmart, or Myshopcoupon. Remove the LaunchAgent and LaunchDaemon .plist files first (and unload them with\r\nlaunchctl unload, or reboot after deleting them), and delete the hidden, dot-prefixed backup copy under Application\r\nSupport as well; otherwise the running ad delivery component will restore the files you removed from that backup.\r\n4. Finally, empty the Trash folder.\r\nStep 1. In Finder, click Go \u003e Go to Folder\r\nStep 2. Enter a folder location and hit enter\r\nStep 3. Delete files associated with Bundlore\r\nStep 4. Empty the Trash\r\nThe folders where you’ll find associated files for these programs are:\r\n/Library/Application Support/\r\n~/Library/Application Support/ (including hidden folders whose names start with a dot)\r\n/Library/LaunchAgents/\r\n~/Library/LaunchAgents/\r\n/Library/LaunchDaemons/\r\n2. Delete malicious extensions from your browser\r\nTo delete Safari malware and other malicious extensions from your browser, follow these steps:\r\n1. Open Safari, then click Safari \u003e Settings in the menu bar.\r\n2. Go to the Extensions tab.\r\n3. Select any malicious extensions you don’t recognize, then click the Uninstall button.\r\n4. If prompted, click Show in Finder.\r\n5. Right-click the app, then select Move to Trash.\r\n6. Empty the Trash to delete the extension.\r\nStep 1. Select Safari \u003e Settings in the menu bar\r\nStep 2. Go to the Extensions tab\r\nStep 3. Select an extension, then click Uninstall\r\nStep 4. If prompted, click Show in Finder\r\nStep 5. Right-click the app, then select Move to Trash\r\nStep 6. Empty the Trash\r\nBundlore also deploys a Firefox extension and, on macOS 10.13 and 10.14, custom configuration profiles, so check\r\nFirefox’s add-ons page and System Preferences \u003e Profiles as well.\r\n3. Remove virus programs\r\nIf your system is infected with macOS Bundlore or any other malicious software, make sure you use a reliable\r\nanti-malware solution to erase it. We recommend checking your Mac for viruses with MacKeeper’s Antivirus,\r\nthen removing any threats that are found. Here’s how:\r\n1. Open MacKeeper, then select Antivirus in the sidebar.\r\n2. Click Start Scan, then wait for your Mac to be examined.\r\n3. If any threats are found, click Move to Quarantine. Bundlore threats are usually named things like\r\nadware.osx.bundlore, macos_trojan_bundlore_8, or win32/bundlore.\r\n4. Click Restart when prompted.\r\n5. When MacKeeper reopens, click Delete to remove all macOS infections.\r\nStep 1. In MacKeeper, select Antivirus then click Start Scan\r\nStep 2. If any threats are found, click Move to Quarantine\r\nStep 3. Click Restart when prompted\r\nStep 4. When MacKeeper reopens, click Delete\r\nYou can also uninstall virus programs manually if they haven’t been hidden, like so:\r\n1. Open Finder, then select Applications.\r\n2. Right-click the virus program, then select Move to Trash.\r\n3. Empty the Trash to uninstall the program.\r\nStep 1. Finder \u003e Applications, right-click the virus then Move to Trash\r\nStep 2. Empty the Trash folder\r\nA nuance to know:\r\nWhile some Bundlore adware is visible in the Applications folder, most macOS malware and virus\r\ninfections are hidden from the user and are much more difficult to delete manually. If you want to find\r\nthese files or detect a Trojan virus on Mac, a tool like MacKeeper’s Antivirus is essential.\r\nConclusion\r\nWhile macOS Bundlore or OSX.Bundlore may seem like little more than an annoyance, it’s actually a very\r\ndangerous piece of adware that invades your privacy and tricks you into installing other malicious software. If you\r\nencounter a Bundlore infection, it’s important to remove it as soon as possible.\r\nFollow the steps outlined above to remove all traces of Bundlore from your machine and delete any hidden\r\nmalware threats using MacKeeper’s Antivirus. It can find and delete all adware, spyware, and other viruses from\r\nyour Mac. Besides, it uses real-time protection to identify new suspicious issues as soon as they occur.\r\nSource: https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/"
	],
	"report_names": [
		"610-macos-bundlore-adware-analysis"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75a465589bc961da7fcb3997c169765a56f56af0.pdf",
		"text": "https://archive.orkl.eu/75a465589bc961da7fcb3997c169765a56f56af0.txt",
		"img": "https://archive.orkl.eu/75a465589bc961da7fcb3997c169765a56f56af0.jpg"
	}
}