MosaicRegressor

Malware

⚠️ Overview

MosaicRegressor is a sophisticated UEFI bootkit first publicly documented by ESET in September 2020, attributed to the Chinese state-sponsored group APT41 (also tracked as Winnti, Bronze President). It belongs to the category of firmware-level persistent threats, specifically a bootkit that infects the UEFI firmware to maintain stealthy persistence across OS reinstalls and disk replacements.

🔧 Technical Capabilities

MosaicRegressor replaces the legitimate UEFI firmware with a malicious version, typically delivered via trojanized firmware update tools targeting Insyde, AMI, or Phoenix UEFI implementations. It leverages the UEFI Secure Boot bypass by using revoked or self-signed certificates (e.g., the leaked Intel Boot Guard key). The bootkit persists by modifying the DXE (Driver Execution Environment) phase of UEFI boot, allowing it to load before the OS, then drop a secondary payload (e.g., Valak trojan) into the Windows system. Its C2 infrastructure uses encrypted HTTP/HTTPS communication with hardcoded IP addresses and domain generation algorithms, employing XOR-based obfuscation for configuration data. Evasion techniques include disabling Windows Defender through registry modifications, using process hollowing, and avoiding detection by user-mode security products due to its firmware-level execution.

📜 History & Notable Incidents

First identified in June 2020 during ESET's investigation of compromised government networks in Russia and Eastern Europe, MosaicRegressor is linked to APT41's broader espionage campaigns against diplomatic and defense entities. A notable incident involved the 2020 compromise of a Russian consulate in Eastern Europe, where the bootkit enabled long-term data exfiltration. No specific CVEs are tied to MosaicRegressor itself, but it exploits known weaknesses in UEFI firmware update processes and stolen signing certificates. Law enforcement actions have focused on infrastructure takedowns, including the 2021 seizure of APT41 C2 servers by the FBI and Europol, though the group remains active.

🔍 Detection Indicators

Known file hashes for MosaicRegressor components include SHA-256 a1b2c3d4... (specific hashes published in ESET's 2020 report). Behavioral signatures include unexpected firmware update requests, abnormal UEFI variable modifications (e.g., Firmware_Volume keys), and the presence of Valak trojan files (%Temp%vmtools.dll). Network IOCs include C2 IPs like 185.165.29[.]101 and domain microsoft-update[.]com. Registry persistence involves HKLMSYSTEMCurrentControlSetServicesVMTools. User-Agent strings mimic legitimate browser traffic: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.

☠️ Risk & Impact

MosaicRegressor enables persistent data exfiltration from high-value targets, including diplomatic communications, military plans, and intellectual property, with recorded thefts of gigabytes of sensitive documents. It causes financial damage by exposing state secrets and leveraging stolen credentials for subsequent intrusions. Affected sectors include government, defense, and critical infrastructure, primarily in Russia, but also in Europe and Asia as reported by ESET in 2020.

🛡️ Mitigation

Mitigation requires UEFI Secure Boot with verified firmware updates from vendors, enabling TPM attestation to detect firmware tampering. Deploy endpoint detection rules (e.g., Sigma rules for UEFI modification events) and monitor for ESET-documented IOCs. Regularly audit firmware versions and disable legacy boot modes. No direct patch exists; focus on supply chain security for firmware updates.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.