MosaicRegressor
MosaicRegressor is a modular espionage malware framework associated with a rare real-world UEFI bootkit deployment. Kaspersky publicly reported it in 2020 as the second known in-the-wild malware case attacking UEFI firmware, after LoJax. In the observed infections, compromised UEFI firmware images on SPI flash were modified to include rogue components derived from Hacking Team's leaked VectorEDK bootkit source code. The implant persisted outside the operating system and, on each boot, checked for and dropped a Windows payload, allowing reinfection after OS reinstallation or even disk replacement unless the firmware itself was remediated.
The malicious firmware reportedly contained four rogue components: two DXE drivers and two UEFI applications. A DXE driver based on Hacking Team’s rkloader registered a callback for EFI_EVENT_GROUP_READY_TO_BOOT; an Ntfs driver enabled NTFS file operations from UEFI; a UEFI application named SmmReset marked infection by setting a UEFI variable named fTA to a hard-coded GUID; and the main component, SmmAccessSub, located the Windows installation by checking for \Windows\System32, used a marker file named setupinf.log, and wrote an embedded executable named IntelUpdate.exe into ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. Public descriptions also note that infected devices’ UEFI checked for a malicious file in the Windows Startup folder on reboot and reinstalled it if absent.
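As an added defender-side example (not code from Kaspersky or from any source this page cites), the following Python triage script searches a raw SPI flash dump for the rogue module and file names listed above. It assumes the dump is a plain byte image from a firmware dump tool; the embedded sample image is constructed for illustration, and a hit is a reason to parse the firmware volumes properly, not a conclusive verdict.

```python
"""Triage scan of a dumped UEFI SPI flash image for MosaicRegressor artifacts."""

# Names reported for the rogue UEFI components and the files they use.
# UEFI FFS "UI" sections store module names as UCS-2 (UTF-16LE), while
# strings inside the embedded PE payloads may be ASCII or UTF-16LE, so
# both encodings are searched.
INDICATORS = {
    "SmmReset": "rogue UEFI application (sets the fTA marker variable)",
    "SmmAccessSub": "rogue UEFI application (drops IntelUpdate.exe)",
    "IntelUpdate.exe": "Windows payload written to the Startup folder",
    "setupinf.log": "marker file used by SmmAccessSub",
    "fTA": "UEFI variable name used as an infection marker",
}

def scan_firmware_image(image: bytes) -> dict[str, list[tuple[str, int]]]:
    """Return {indicator: [(encoding, offset), ...]} for every hit in the image.

    'fTA' is only three characters, so it is reported in UTF-16LE form only
    (as a variable name would be stored) to limit false positives.
    """
    hits: dict[str, list[tuple[str, int]]] = {}
    for name in INDICATORS:
        needles = {"ascii": name.encode("ascii"), "utf-16le": name.encode("utf-16-le")}
        for enc, needle in needles.items():
            if name == "fTA" and enc == "ascii":
                continue
            start = 0
            while (pos := image.find(needle, start)) != -1:
                hits.setdefault(name, []).append((enc, pos))
                start = pos + 1
    return hits

def verdict(hits: dict[str, list[tuple[str, int]]]) -> str:
    """Summarise hits; the module and file names are the strong indicators."""
    strong = {"SmmReset", "SmmAccessSub", "IntelUpdate.exe", "setupinf.log"}
    found = strong & set(hits)
    if found:
        return "SUSPICIOUS: " + ", ".join(sorted(found))
    return "no MosaicRegressor module names found (not proof of a clean image)"

# Constructed sample dump: 0xFF filler with embedded names, standing in for a
# real SPI flash read. This is not a real firmware image.
SAMPLE_IMAGE = (b"\xff" * 64 + "SmmAccessSub".encode("utf-16-le") + b"\xff" * 32
                + b"setupinf.log" + b"\x00" * 16 + "fTA".encode("utf-16-le") + b"\xff" * 64)

if __name__ == "__main__":
    result = scan_firmware_image(SAMPLE_IMAGE)
    for name, locations in result.items():
        for enc, offset in locations:
            print(f"{offset:#08x} {enc:8s} {name:16s} {INDICATORS[name]}")
    print(verdict(result))
```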
Beyond the firmware implant, MosaicRegressor is described as a multi-stage, modular espionage and data-gathering framework composed of downloaders and intermediate loaders. Reported downloader variants used multiple command-and-control mechanisms, including CURL over HTTP/HTTPS, BITS, WinHTTP, and email protocols such as POP3S, SMTPS, and IMAPS. An email-based variant, MailReg, used hard-coded mail.ru credentials and polled pop.mail.ru every 20 minutes. Reported mailboxes included thtgoolnc@mail.ru, thgetmmun@mail.ru, thbububugyhb85@mail.ru, and thyhujubnmtt67@mail.ru.
Kaspersky reported telemetry showing several dozen victims between 2017 and 2019, including diplomats and NGO personnel, with victims in Africa, Asia, and Europe. Only two victims were confirmed to have the UEFI bootkit, in 2019, preceding deployment of a BitsReg component. Victimology indicated links to DPRK-related themes, including lure archives masquerading as North Korea-related documents.
The initial infection vector for the UEFI compromise was not determined. The reporting discusses possible physical access, USB-based flashing, use of a Q-flash utility present in the firmware image, or a compromised firmware update path, but provides no confirmed mechanism. Attribution in the cited content is low confidence: the actor is assessed as likely Chinese-speaking based on artifacts such as encoding and language indicators, with low-confidence infrastructure linkage to Winnti-related reporting.
MosaicRegressor is widely referenced as a UEFI bootkit/rootkit example alongside LoJax and MoonBounce, and public research notes that it used added DXE modules to maintain persistence across OS reinstalls and hardware replacement. Detection research cited in the content states that the Peacock framework can reliably detect MosaicRegressor among real-world UEFI bootkits.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence (2 techniques)
Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect.
Privilege Escalation (1 technique)
Stealth (1 technique)
Recent activity
10 sources tracked across advisories, community write-ups, and news.
A real-world UEFI malware strain discovered in 2020 that checked for a malicious file in the Windows startup folder on reboot and installed it if absent.
UEFI firmware implant/rootkit described as using an added DXE module to maintain persistence and drop an agent to disk at boot, surviving OS reinstall and disk replacement.
UEFI bootkit referenced as detectable by the Peacock UEFI attestation/monitoring framework; no additional details provided here.
Referenced as a real-world UEFI bootkit detectable during the UEFI boot process via integrity-assured monitoring and attestation.