{"id":42354,"date":"2021-06-22T00:00:00","date_gmt":"2021-06-22T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/f\/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html"},"modified":"2021-06-22T00:00:00","modified_gmt":"2021-06-22T00:00:00","slug":"nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/","title":{"rendered":"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst"},"content":{"rendered":"

<\/p>\n

While investigating samples of NukeSped<\/a>, a remote access trojan (RAT), Trend Micro came across several Bundlore<\/a> adware samples using the same fileless routine that was spotted in NukeSped. The backdoor has been attributed to the cybercriminal group Lazarus, which has been active since at least 2014<\/a>. There are multiple variants<\/a> of NukeSped, which is designed to run on 32-bit systems and uses encrypted strings to evade detection. Recently, a more sophisticated form of this trojan called ThreatNeedle<\/a> surfaced as part of a cyberespionage campaign by Lazarus.  <\/p>\n

The encrypted Mach-O file discovered in these samples has upgraded Bundlore \u2014 a malware family that installs adware in a target\u2019s device under the guise of downloading legitimate applications \u2014 to a stealthier and memory-resident threat. Bundlore has also been known to target macOS devices and was linked to an attack on macOS Catalina users<\/a> last year.    <\/p>\n

Our analysis of the file Ants2WhaleHelper<\/i> used by Lazarus led us to detect it as NukeSped. Another file with NukeSped detection, unioncryptoupdater<\/i>, was also found in VirusTotal. Both contained a routine that looks to be based on a GitHub submission<\/a>. Curiously, however, neither of these files seems to make use of this routine.  <\/p>\n

Using Interactive Disassembler Pro (IDA Pro) on the Ants2WhaleHelper<\/i> file revealed its main payload as _mapBuffer<\/i> (Figure 1), which appears to be a modified version of the _memory_exec<\/i> function (Figure 2). This function looks like it was based on code from the GitHub post; however, there were no references that point to the _memory_exec<\/i> function.<\/p>\n


Figure 1. The _mapBuffer<\/i> function <\/p>\n


Figure 2. The _memory_exec<\/i> function copied from the GitHub post <\/p>\n

Moreover, the payload has a _resolve_symbol<\/i> function that does not seem to be used. It also does not appear to be necessary, as evidenced in Figure 3. NukeSped typically retrieves and launches its payload from a web server, so it does not need the superfulous _resolve_symbol <\/i>function, which locates data internally. As Figure 4 shows, searching for the operation codes of this function on VirusTotal led to its detection in 201 files. The results yielded only two NukeSped samples while the rest were Bundlore samples.  <\/p>\n


Figure 3. The _resolve_symbol<\/i> functions of NukeSped (left) vs. Bundlore (right) <\/p>\n


Figure 4. The searched operation codes <\/p>\n

Similarly, a search using VirusTotal’s Retrohunt yielded 273 results; most of these were Bundlore files and only three were Nukesped files. However, one of these Nukesped samples was verified as the parent of a Nukesped file from the previous search. Among the Bundlore samples discovered, the oldest one dates back to May of last year. Further investigation of these Bundlore samples from the VirusTotal query revealed that these were indeed using fileless routines, enabling Bundlore to execute a payload directly from memory.  <\/p>\n

Bundlore\u2019s fileless routine<\/span><\/p>\n

Our study of the Bundlore samples showed that these utilize the same functions that were found unused in the NukeSped samples. As seen in Figure 5, these were obfuscated, as they were under random names when disassembled in IDA Pro. While the functions have some differences, the routine for in-memory file execution remains the same (Figure 6 and 8).  <\/p>\n


Figure 5. The obfuscated functions <\/p>\n


Figure 6. The disassembly of NukeSped (left column) vs. Bundlore (right column) samples <\/p>\n

The main routines of one of the Bundlore samples (sha256:0a3a5854d1ae3f5712774a4eebd819f9e4e3946f36488b4e342f2dd32c8e5db2) are as follows: <\/p>\n

    \n
  1. Decrypt the __DATA.__data<\/i> section to reveal the embedded Mach-O file, as shown in Figure 7. The decryption uses an XOR key that is incremented per cycle: for example, a 0xDD increment by 0x2A, 0xDD, 0x00, 0x2A, 0x54, 0x7E, 0xA8, 0xD2, 0xFC, 0x00, and so on.<\/li>\n

     
    Figure 7. The decryption routine of the __DATA.__data<\/i> section <\/p>\n

  2. Invoke a function called NSCreateObjectFileImageFromMemory<\/i> to create an adware image from the Mach-O file in memory. Afterward, NSLinkModule<\/i> is called to link the malicious image to the main executable’s image library. The Mach-O file format is changed from an executable (0x02) to a bundle (0x08) before it can call NSCreateObjectFileImageFromMemory<\/i>, as was shown in Figure 6.  <\/li>\n

    <\/p>\n

  3. Parse the Mach-O file’s header structure in memory for value(LC_MAIN)<\/i>, a load command that has the value 0x80000028. This command contains data such as the offset of the Mach-O file’s entry point (Figure 8). Afterward, the adware retrieves the offset and goes to the entry point. <\/li>\n<\/ol>\n


    Figure 8. Finding the entry point of the malicious image in NukeSped (left column) vs. Bundlore (right column) <\/p>\n

    Bundlore\u2019s Mach-O file runs in memory<\/span><\/p>\n

    The decryption keys and increment values differ across the Bundlore samples. To gain a better understanding of the embedded file, we created a Python script to decrypt and extract their embedded Mach-O files. By doing so, we were able to observe one such decrypted Mach-O file (sha256: a7b6639d9fcdb13ae5444818e1c35fba4ffed90d9f33849d3e6f9b3ba8443bea) with the routines shown in Figure 9. It connects to a target URL (13636337101185210173363631[.]cloudfront[.]net\/?cc-00&), but the address varies among the samples. An app bundle called Player.app<\/i>, which poses as Flash Player, <\/i>is then downloaded and extracted into a \/tmp directory. The chmod 777<\/i> command is used on the extracted app bundle, after which the fake application is launched. While it performs these routines, Bundlore displays a fraudulent error message (Figure 10). Upon completion, it goes dormant by calling the sleep function and looping it repeatedly. <\/p>\n

    There were no significant differences seen when running the Bundlore samples in macOS Big Sur and macOS Catalina. However, our researchers found that with the default settings of macOS, in which the System Integrity Protection (SIP) and Gatekeeper security features are enabled, the Bundlore samples are blocked and are unable to run. This was observed in both macOS Catalina and macOS Big Sur environments; similarly, the Bundlore samples were also blocked and unable to run under the default settings of macOS Monterey, Apple’s recently released operating system.<\/p>\n


    Figure 9. The decrypted Mach-O file\u2019s main routines <\/p>\n


    Figure 10. The fake error message displayed by Player.app<\/i><\/p>\n

    Trend Micro Solutions<\/span><\/p>\n

    Continuous vigilance against threat groups is an important aspect of keeping up with \u2014 if not staying one step ahead of \u2014 threats. To protect systems from this type of threat, users can use multilayered security solutions like Trend Micro Antivirus for Mac<\/a> and Trend Micro Protection Suites<\/a> that help detect and block attacks. Trend Micro Vision One\u2122\ufe0f<\/a> also provides visibility, correlated detection, and behavior monitoring across multiple layers, such as emails, endpoints, servers, and cloud workloads. This ensures that no significant incidents go unnoticed and allows faster response to threats before they can do any real damage to the system. <\/p>\n

    MITRE Tactics, Techniques, and Procedures (TTPs) of Bundlore<\/span><\/p>\n\n\n\n\n\n\n
    Initial Access<\/th>\nExecution<\/th>\nPrivilege Escalation<\/th>\nDefense Evasion<\/th>\nCommand and Control (C&C)<\/th>\n<\/tr>\n
    Drive-by compromise<\/td>\nUser execution<\/td>\nProcess injection<\/td>\nDeobfuscate\/Decode files or information<\/td>\nWeb service<\/td>\n<\/tr>\n
     <\/td>\n <\/td>\n <\/td>\nMasquerading<\/td>\n <\/td>\n<\/tr>\n
     <\/td>\n <\/td>\n <\/td>\nProcess injection <\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Indicators of Compromise (IOCs)<\/span><\/p>\n\n\n\n\n\n\n\n
    sha256<\/th>\nFile<\/th>\nDetection<\/th>\n<\/tr>\n
    bb430087484c1f4587c54efc75681eb60cf70956ef2a999a75ce7b563b8bd694<\/td>\nAnts2WhaleHelper<\/td>\nTrojan.MacOS.Agent.PFH<\/td>\n<\/tr>\n
    631ac269925bb72b5ad8f469062309541e1edfec5610a21eecded75a35e65680<\/td>\nunioncryptoupdater<\/td>\nTrojan.MacOS.LAZARUS.A<\/td>\n<\/tr>\n
    0a3a5854d1ae3f5712774a4eebd819f9e4e3946f36488b4e342f2dd32c8e5db2<\/td>\nsmokehouses<\/td>\nAdware.MacOS.BUNDLORE.RSMSGGK20<\/td>\n<\/tr>\n
    a7b6639d9fcdb13ae5444818e1c35fba4ffed90d9f33849d3e6f9b3ba8443bea<\/td>\nEmbedded Mach-O<\/td>\nAdware.MacOS.BUNDLORE.MANP<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Read More HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    While investigating samples of NukeSped, a remote access trojan (RAT), Trend Micro came across several Bundlore adware samples using the same fileless routine that was spotted in NukeSped. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":42355,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9513,9509],"class_list":["post-42354","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"\nNukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-22T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png\" \/>\n\t<meta property=\"og:image:width\" content=\"985\" \/>\n\t<meta property=\"og:image:height\" content=\"367\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst\",\"datePublished\":\"2021-06-22T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/\"},\"wordCount\":1609,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/\",\"name\":\"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png\",\"datePublished\":\"2021-06-22T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png\",\"width\":985,\"height\":367},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/","og_locale":"en_US","og_type":"article","og_title":"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-06-22T00:00:00+00:00","og_image":[{"width":985,"height":367,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst","datePublished":"2021-06-22T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/"},"wordCount":1609,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/","url":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/","name":"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png","datePublished":"2021-06-22T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst.png","width":985,"height":367},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/nukesped-copies-fileless-code-from-bundlore-leaves-it-unused-threats-analyst-threats-analyst\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"NukeSped Copies Fileless Code From Bundlore, Leaves It Unused Threats Analyst Threats Analyst"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42354","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=42354"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/42354\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/42355"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=42354"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=42354"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=42354"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}