Security Articles

NukeSped Copies Fileless Code From Bundlore

released on 2021-06-28 @ 03:34:37 PM
While investigating samples of NukeSped, a remote access trojan (RAT), Trend Micro came across several Bundlore adware samples using the same fileless routine that was spotted in NukeSped. The NukeSped backdoor has been attributed to the cybercriminal group Lazarus, which has been active since at least 2014. There are multiple variants of NukeSped, which is designed to run on 32-bit systems and uses encrypted strings to evade detection. Recently, a more sophisticated form of this trojan called ThreatNeedle surfaced as part of a cyberespionage campaign by Lazarus.