New MosaicLoader Malware Attacks Software Pirates Through Ads

You are currently viewing New MosaicLoader Malware Attacks Software Pirates Through Ads

MosaicLoader Malware has launched onto the scene in an ongoing worldwide campaign, camouflaging as advertisements that mimic cracked software to infect software pirates’ systems. MosaicLoader Malware is a virus downloader designed by cybercriminals to deploy more second-stage payloads on infected systems. It has been analyzed at length by cybersecurity researchers at Bitdefender.

“We named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering,” Janos Gergo Szeles, Senior Security Researcher at Bitdefender, revealed.

Researchers found that MosaicLoader Malware hackers used the following tactics to hinder analysis efforts and to increase chances of the malware’s success:

  • Mimicking file information that is similar to legitimate software
  • Code obfuscation with small chunks and shuffled execution order
  • Payload delivery mechanism infecting the victim with several malware strains

According to researchers, the attack campaign doesn’t target a specific region, unlike many other similar campaigns. Due to its online advertising lures, it will attempt to infect any search engine users looking to download and install cracked software installers on their devices.

The hackers camouflage their droppers as executables belonging to legitimate software, and they use similar information and icons to pass a surface-level examination by the naked eye.

MosaicLoader Malware
Heat Map of MosaicLoader Infections from Bitdefender.

When MosaicLoader Malware is deployed on a machine, it will download additional viruses. These range from cryptocurrency miners and cookie stealers to Remote Access Trojans (RATs) and backdoors using “a complex chain of processes.”

Additionally, the cybercriminals behind MosaicLoader can harvest sensitive info such as credentials from compromised systems using RATs and similar malware with data theft capabilities.

This information is often used later to carry out identity theft, and can also be sold on the Dark Web.

“The best way to defend against MosaicLoader is to avoid downloading cracked software from any source,” Szeles concluded.

“Besides being against the law, cybercriminals look to target and exploit users searching for illegal software.”

MosaicLoader Malware Analysis


Note: This analysis was carried out by BitDefender.

Most of the initial MosaicLoader Malware downloaders researchers analyzed have icon and Version Info similar to legitimate applications. For example, in the screenshot below, we can see that dropper.exe mimics an NVIDIA process. MosaicLoader Malware also has a revoked digital signature unrelated to NVIDIA, indicating that it was either cryptographically insecure or abused by malware. Around half of the MosaicLoader Malware analyzed seemed to be Delphi executables, but Delphi disassemblers do not recognize them as valid files. Around their entry point, they contained native C/C++ code, structured similarly to the other half of the samples analyzed.

The MosaicLoader Malware samples share a common trait: they have one or two additional executable sections, named with a combination of random English words concatenated to 8 characters (the maximum limit in the PE format). In this section the entropy is very high, similar to packed data. However, the content is not packed, it contains code, and it is the result of the mosaic-like obfuscation, which we discuss later in this article.

The dropper downloads from the C2 server into the %TEMP% folder. The .zip file contains the two files required for the second stage, appsetup.exe, and prun.exe. Then, the dropper extracts these files to C:\Program Files (x86)\PublicGaming\ and launches several instances of Powershell to add exclusions from Windows Defender for the folder and the specific file names.

In the C2, the communication protocol contains only two commands: “download” and “command”. The first command, as its name suggests, saves the delivered payload to the disk. The destination of the file is the root of the %TMP% folder. The second command executes a specific payload by calling ShellExecuteW on it. The process runs in an infinite loop, periodically sending requests to the C2 server and receiving commands

The danger of this payload is that it can deliver any malware on the system. The sprayer’s objective is to download a list of malware from the infection sources controlled by the attackers and to execute them.

The response from integral[.]hacking101[.]net contains a list of URLs that host malware. Some have obscure domain names, specifically registered for hosting malware, while others are legitimate Discord URLs with files uploaded to a public channel.


SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply