S0482: Bundlore
Analyst context for executives and security teams
Bundlore matters because it is macOS adware that MITRE notes has features associated with more traditional backdoors. For leaders, the risk is not just nuisance adware: the ATT&CK relationships show behaviors spanning user-driven execution, scripting, persistence, discovery, web-based command-and-control, file transfer, possible exfiltration over alternate protocols, and stealth. That makes it a useful test case for whether macOS endpoints are covered with the same seriousness as Windows systems.
Executive priority
Prioritize Bundlore as a macOS control-validation scenario. Ask whether the organization can prove visibility into macOS downloads, user-opened files, scripting interpreters, Launch Agents/Daemons, browser extensions, SSH authorized keys, unusual outbound web traffic, and security-tool tampering. This is relevant to business continuity and audit readiness because unmanaged macOS fleets, weak browser governance, and missing endpoint telemetry can turn “adware” into a broader incident-response and data-risk problem.
Technical view
ATT&CK provides no official detection text for Bundlore, so SOC and detection teams should build coverage from the linked techniques. Validate macOS telemetry for T1204.002 user execution of a malicious file, T1189 drive-by compromise as the delivery context, T1059.002 AppleScript, T1059.004 Unix Shell, T1059.006 Python, T1059.007 JavaScript, T1543.001 Launch Agent and T1543.004 Launch Daemon persistence, T1176.001 browser extensions, T1098.004 SSH authorized_keys modification, T1056.002 GUI input capture (credential prompts), T1057/T1082/T1518 discovery, T1071.001 web protocols, T1105 ingress tool transfer, T1048 exfiltration over alternative protocol, and the stealth and defense-impairment behaviors T1027, T1140, T1036.005, T1222.002, T1564, plus the supplied Disable or Modify Tools relationship (listed in this snapshot as T1685; that behavior has historically carried T1562.001, so confirm the identifier against the release you map to). Because the object platform is macOS, prioritize macOS-specific validation and treat any linked technique whose platform list does not include macOS as an item requiring local confirmation.
Likely telemetry
- macOS endpoint process creation and command-line telemetry, including osascript, shell, Python, and JavaScript runtime activity
- File creation/modification events for downloaded files, hidden files, permission changes, and obfuscated or decoded payload artifacts
- Launch Agent and Launch Daemon plist creation or modification in standard macOS launch locations
- Browser extension inventory and extension installation/change events
- SSH authorized_keys file creation or modification under user home directories
Detection direction
- Do not rely on an adware label alone; tune for the combination of installer/user execution, scripting, persistence, discovery, and outbound communications.
- Baseline legitimate macOS administration activity so AppleScript, shell, Python, JavaScript, Launch Agents/Daemons, and permission changes do not generate unmanageable false positives.
- Correlate persistence artifacts with recent downloads, browser activity, interpreter execution, and new external network connections.
- Review browser-extension monitoring; this is a common blind spot on macOS fleets and is directly represented by the ATT&CK relationship to T1176.001.
- Validate egress visibility beyond standard web proxy logs, because relationships include web protocols, ingress tool transfer, and exfiltration over alternative protocol.
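The correlation the bullets above call for, as an added example that is not code from this page, MITRE, or the cited report. It assumes a flat event schema (ts/type/pid/ppid/image/cmdline/path/dest/proto) standing in for whatever the local EDR or Endpoint Security client emits, and the sample events are constructed, not real Bundlore telemetry. It alerts only when a user-executed download's process tree both writes persistence and shows scripting or outbound HTTP, which is the "combination, not the label" point made above.

```python
"""Correlate macOS endpoint events into a Bundlore-style behavior chain.

Added example; the event schema is an assumption, not a vendor format.
"""
from datetime import datetime, timedelta

SHELLS = {"sh", "bash", "zsh"}

# Constructed sample telemetry (not real Bundlore data): a user opens a fake
# "Flash Player" app from Downloads; it spawns a shell and osascript, drops a
# LaunchAgent plist, marks a hidden payload executable, and calls home over HTTP.
# sw_vers is just a generic macOS version query chosen for the sample.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "exec", "pid": 500, "ppid": 1,
     "image": "/Users/alice/Downloads/Install Flash Player.app/Contents/MacOS/Installer"},
    {"ts": "2024-05-01T10:00:02", "type": "exec", "pid": 501, "ppid": 500,
     "image": "/bin/sh", "cmdline": "sh -c 'sw_vers -productVersion'"},
    {"ts": "2024-05-01T10:00:03", "type": "exec", "pid": 502, "ppid": 500,
     "image": "/usr/bin/osascript", "cmdline": "osascript -e 'tell application \"Safari\" ...'"},
    {"ts": "2024-05-01T10:00:04", "type": "file", "pid": 501, "op": "create",
     "path": "/Users/alice/Library/LaunchAgents/com.example.update.plist"},
    {"ts": "2024-05-01T10:00:05", "type": "exec", "pid": 503, "ppid": 501,
     "image": "/bin/chmod", "cmdline": "chmod +x '/Users/alice/Library/Application Support/.upd/agent'"},
    {"ts": "2024-05-01T10:00:06", "type": "net", "pid": 500, "dest": "203.0.113.10:80", "proto": "http"},
    # Benign baseline: an MDM agent installing a LaunchDaemon from /usr/local.
    {"ts": "2024-05-01T11:00:00", "type": "exec", "pid": 900, "ppid": 1, "image": "/usr/local/bin/mdm-agent"},
    {"ts": "2024-05-01T11:00:01", "type": "file", "pid": 900, "op": "create",
     "path": "/Library/LaunchDaemons/com.vendor.mdm.plist"},
]


def classify(event):
    """Map one event to the ATT&CK technique it evidences, or None."""
    kind = event["type"]
    if kind == "exec":
        image, name = event["image"], event["image"].rsplit("/", 1)[-1]
        if "/Downloads/" in image and ".app/Contents/MacOS/" in image:
            return "T1204.002 user ran downloaded .app"
        if name == "osascript":
            return "T1059.002 AppleScript"
        if name in SHELLS:
            return "T1059.004 Unix shell"
        if name.startswith("python"):
            return "T1059.006 Python"
        if name == "chmod" and "+x" in event.get("cmdline", ""):
            return "T1222.002 payload made executable"
        if name == "curl":
            return "T1105/T1048 curl transfer"
    elif kind == "file":
        path = event["path"]
        if "/Library/LaunchAgents/" in path:
            return "T1543.001 LaunchAgent plist write"
        if "/Library/LaunchDaemons/" in path:
            return "T1543.004 LaunchDaemon plist write"
        if path.endswith("/.ssh/authorized_keys"):
            return "T1098.004 authorized_keys write"
    elif kind == "net" and event.get("proto") == "http":
        return "T1071.001 outbound HTTP"
    return None


def lineage(pid, tree):
    """Return pid plus every ancestor pid the exec telemetry can reach."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = tree[pid]["ppid"]
    return chain


def correlate(events, window=timedelta(minutes=15)):
    """One finding per user-executed download: its descendants' techniques within `window`.

    Alerts when the chain writes persistence AND also shows scripting or outbound
    HTTP; either signal alone is too common on an admin-heavy Mac fleet to page on.
    """
    tree = {e["pid"]: e for e in events if e["type"] == "exec"}
    roots = [e for e in events if (classify(e) or "").startswith("T1204.002")]
    findings = []
    for root in roots:
        start = datetime.fromisoformat(root["ts"])
        stages = set()
        for e in events:
            if root["pid"] not in lineage(e["pid"], tree):
                continue
            if not start <= datetime.fromisoformat(e["ts"]) <= start + window:
                continue
            stage = classify(e)
            if stage:
                stages.add(stage)
        persistence = any(s.startswith(("T1543", "T1098.004")) for s in stages)
        scripting = any(s.startswith("T1059") for s in stages)
        network = any(s.startswith(("T1071", "T1105")) for s in stages)
        findings.append({"root": root["image"], "stages": sorted(stages),
                         "alert": persistence and (scripting or network)})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print("ALERT" if f["alert"] else "info", f["root"], *f["stages"], sep="\n  ")
```

In production the root condition should also consider code-signing and notarization state and an MDM or package-manager allow list, otherwise a legitimate installer from Downloads that registers a LaunchAgent will trip the same rule; the vendor daemon in the sample is only quiet because it was not launched from Downloads.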
Mitigation priorities
- Enforce managed macOS software installation controls and reduce unmanaged user execution of downloaded files where business-appropriate.
- Govern browser extensions through policy, inventory, and approval workflows.
- Limit unnecessary local administrator rights and educate users on suspicious credential or privilege prompts.
- Monitor and control Launch Agents, Launch Daemons, SSH authorized_keys, hidden files, and permission changes on macOS endpoints.
- Maintain endpoint security and logging-agent tamper resistance and alerting for health degradation.
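A monitoring pass over the two persistence artifacts named in the list above (launchd plists and SSH authorized_keys), as an added example that is not code from this page, MITRE, or the cited report. The heuristics, the allow-list shape and the sample plists and keys are assumptions and constructed data; the fake ed25519 blobs are structurally valid but are not real keys. The fingerprint format matches what `ssh-keygen -lf` prints, so an allow list can be built from that tool's output.

```python
"""Audit macOS persistence artifacts: launchd plists and SSH authorized_keys.

Added example; heuristics and allow-list shape are assumptions to adapt locally.
"""
import base64
import hashlib
import plistlib
import struct

INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "curl"}
UNTRUSTED_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def audit_launch_plist(path, data):
    """Return reasons a launchd plist deserves review (empty list: none found).

    `path` is the plist's location on disk, `data` its raw bytes (XML or binary).
    """
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plist in a launch directory is itself notable
        return [f"unparseable plist: {exc}"]
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    if not args:
        return ["no Program or ProgramArguments"]
    reasons, exe = [], args[0]
    # Check every argument: an agent often runs an interpreter and passes the real
    # payload path, frequently inside a hidden directory, as an argument.
    for arg in args:
        if any(d in arg for d in UNTRUSTED_DIRS):
            reasons.append(f"references temp/shared location: {arg}")
        if any(p.startswith(".") and p not in (".", "..") for p in arg.split("/")[1:]):
            reasons.append(f"references hidden directory: {arg}")
    if exe.rsplit("/", 1)[-1] in INTERPRETERS and any(a in ("-e", "-c") for a in args[1:]):
        reasons.append(f"interpreter with inline code: {' '.join(args)}")
    label = plist.get("Label", "")
    if label.startswith("com.apple.") and path.startswith("/Users/"):
        reasons.append(f"Apple-looking label {label!r} in a per-user LaunchAgents directory")
    if label and not path.endswith(f"/{label}.plist"):
        reasons.append(f"filename does not match Label {label!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: relaunches if killed")
    return reasons


def ssh_fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text, allowed_fingerprints):
    """Return entries whose fingerprint is not allow-listed, with parsed fields."""
    unexpected = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # leading options field (from=..., command=...) is optional
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            unexpected.append({"line": lineno, "reason": "unrecognised entry", "raw": line})
            continue
        try:
            fp = ssh_fingerprint(fields[idx + 1])
        except ValueError:
            unexpected.append({"line": lineno, "reason": "undecodable key blob", "raw": line})
            continue
        if fp not in allowed_fingerprints:
            unexpected.append({"line": lineno, "type": fields[idx], "fingerprint": fp,
                               "comment": " ".join(fields[idx + 2:]),
                               "options": " ".join(fields[:idx])})
    return unexpected


def fake_ed25519_blob(seed):
    """Structurally valid ssh-ed25519 public key blob; constructed test data, not a real key."""
    pub = hashlib.sha256(seed).digest()  # 32 bytes standing in for the public point
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode()


ADMIN_KEY, ROGUE_KEY = fake_ed25519_blob(b"admin"), fake_ed25519_blob(b"rogue")
ALLOWED_FINGERPRINTS = {ssh_fingerprint(ADMIN_KEY)}
SAMPLE_AUTHORIZED_KEYS = (  # constructed file: one managed key, one unexplained key
    "# managed by MDM\n"
    f'from="10.0.0.0/8" ssh-ed25519 {ADMIN_KEY} admin@corp\n'
    f"ssh-ed25519 {ROGUE_KEY}\n"
)
# Constructed plists: one Bundlore-style LaunchAgent, one ordinary vendor daemon.
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.apple.updater.plist": plistlib.dumps({
        "Label": "com.apple.updater", "RunAtLoad": True, "KeepAlive": True,
        "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/Library/Application Support/.upd/agent"]}),
    "/Library/LaunchDaemons/com.vendor.mdm.plist": plistlib.dumps({
        "Label": "com.vendor.mdm", "RunAtLoad": True,
        "ProgramArguments": ["/usr/local/bin/mdm-agent", "--daemon"]}),
}
```

The authorized_keys parser splits on whitespace, so an options field containing a quoted space (for example `command="foo bar"`) will be misparsed; treat any "unrecognised entry" result as something to read by hand rather than ignore. On a real endpoint, walk /Library/LaunchAgents, /Library/LaunchDaemons and each user's ~/Library/LaunchAgents and ~/.ssh, and ship the reasons to the SIEM alongside the file-write telemetry listed earlier.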
Analyst notes and limits
The strongest defensive value is using Bundlore as a macOS coverage assessment across execution, persistence, browser, identity-adjacent SSH key, discovery, C2, transfer, exfiltration, and stealth behaviors. The object's external references carry the associated name OSX.Bundlore, but it has no official detection guidance and no object-level tactics specified, so relationship-driven ATT&CK techniques are the basis for this take.
This summary uses only the supplied ATT&CK STIX fields, external reference, and relationships. It does not establish current activity, specific victim exposure, attribution, exploit chain details, or guaranteed detection logic. Local macOS fleet composition, telemetry quality, browser policy, network architecture, and endpoint control configuration are required to determine actual risk and coverage.
Bundlore
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available; a few descriptions end abruptly where the mirrored text dropped an inline command name, and those are left as received rather than reconstructed. Citations marked [1] refer to the MacKeeper Bundlore Apr 2019 reference listed at the end of the page.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Bundlore uses the |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Bundlore has disguised a malicious .app file as a Flash Player update. [1] |
| Enterprise | T1082 | System Information Discovery | Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using |
| Enterprise | T1057 | Process Discovery | Bundlore has used the |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Bundlore has leveraged /bin/sh and /bin/bash to execute commands on the victim machine. [1] |
| Enterprise | T1564 | Hide Artifacts | Bundlore uses the |
| Enterprise | T1189 | Drive-by Compromise | Bundlore has been spread through malicious advertisements on websites. [1] |
| Enterprise | T1098.004 | SSH Authorized Keys Sub-technique | Bundlore creates a new key pair with |
| Enterprise | T1059.006 | Python Sub-technique | Bundlore has used Python scripts to execute payloads. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1105 | Ingress Tool Transfer | Bundlore can download and execute new versions of itself. [1] |
| Enterprise | T1543.001 | Launch Agent Sub-technique | Bundlore can persist via a LaunchAgent. [1] |
| Enterprise | T1685 | Disable or Modify Tools | |
| Enterprise | T1027 | Obfuscated Files or Information | Bundlore has obfuscated data with base64, AES, RC4, and bz2. [1] |
| Enterprise | T1518 | Software Discovery | Bundlore has the ability to enumerate what browser is being used as well as version information for Safari. [1] |
| Enterprise | T1056.002 | GUI Input Capture Sub-technique | Bundlore prompts the user for their credentials. [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Bundlore has attempted to get users to execute a malicious .app file that looks like a Flash Player update. [1] |
| Enterprise | T1543.004 | Launch Daemon Sub-technique | Bundlore can persist via a LaunchDaemon. [1] |
| Enterprise | T1176.001 | Browser Extensions Sub-technique | Bundlore can install malicious browser extensions that are used to hijack user searches. [1] |
| Enterprise | T1059.002 | AppleScript Sub-technique | Bundlore can use AppleScript to inject malicious JavaScript into a browser. [1] |
| Enterprise | T1059.007 | JavaScript Sub-technique | Bundlore can execute JavaScript by injecting it into the victim's browser. [1] |
| Enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification Sub-technique | Bundlore changes the permissions of a payload using the command |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Bundlore uses HTTP requests for C2. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9ef6855cb354… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] MacKeeper Bundlore Apr 2019: Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- [2] OSX.Bundlore: associated software name carried in the object's external references (Citation: MacKeeper Bundlore Apr 2019).
- [3] mitre-attack S0482: the MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.