Bundlore is a pup targeting macOS, first discovered in 2015. Bundlore is a macOS adware bundler that packages potentially unwanted programs with legitimate-looking software installers. It has been one of the most common macOS PUP families since 2015, responsible for installing browser toolbars, search hijackers, and ad-injection extensions through deceptive installation wizards. CoreLock detects this threat using CoreLock detects Bundlore through behavioral analysis of installer bundle patterns that deploy multiple applications simultaneously, YARA signatures matching known Bundlore wrapper binaries, browser monitoring for unauthorized extension installations, and analysis of installer scripts that modify browser settings.
Also known as: OSX.Bundlore, Bundlore Adware, SurfBuyer
Bundlore is a macOS adware bundler that packages potentially unwanted programs with legitimate-looking software installers. It has been one of the most common macOS PUP families since 2015, responsible for installing browser toolbars, search hijackers, and ad-injection extensions through deceptive installation wizards.
Custom installer wizards that bundle adware with free software
Fake software download portals mimicking legitimate sites
Download wrapper sites that add Bundlore to legitimate software
Misleading 'recommended' installation options pre-checked during setup
New browser toolbar or extension installed after a software download
Default search engine changed to an unfamiliar provider
Custom installer (not standard macOS PKG) used for recent software
Multiple unwanted applications installed alongside the intended one
Check /Applications for any programs you did not intentionally install. Bundlore installs multiple PUPs, so look for several unfamiliar apps added around the same time.
Check Safari, Chrome, and Firefox for toolbars, extensions, or search plugins you did not add. Remove all unfamiliar ones.
Reset your homepage, default search engine, and new tab page in all browsers. Bundlore often changes all three to monetize your browsing.
Check ~/Library/LaunchAgents for plist files related to the bundled software. Remove any created around the same time as the unwanted installations.
Run a CoreLock scan to identify all Bundlore components, bundled PUPs, and browser modifications that need to be cleaned up.
Always choose Custom or Advanced installation options to deselect bundled software
Download software directly from developer websites, not wrapper/download sites
Read each installer screen carefully — look for pre-checked opt-in boxes
Use CoreLock to detect PUP bundlers before they install additional software
Real-time Detection
CoreLock detects Bundlore through behavioral analysis of installer bundle patterns that deploy multiple applications simultaneously, YARA signatures matching known Bundlore wrapper binaries, browser monitoring for unauthorized extension installations, and analysis of installer scripts that modify browser settings.
Bundlore is a macOS adware bundler that wraps legitimate software in custom installers containing additional unwanted programs. During installation, it uses confusing UI patterns to trick users into installing browser toolbars, search hijackers, and ad-injection software.
Bundlore is classified as a Potentially Unwanted Program (PUP) rather than a virus. It does not self-replicate, but it installs unwanted software through deceptive practices. While less severe than malware, it degrades your browsing experience and can compromise privacy.
Always choose Custom or Advanced installation options when installing software and deselect any bundled offers. Download software directly from official developer sites rather than third-party download portals. CoreLock can detect Bundlore installers before they deploy their payloads.
Download CoreLock to detect and remove Bundlore and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.
Download CoreLock FreeAvailable for macOS and Windows