• First known sample

  • Discovery

  • Number of targets

  • Current status

  • Type

    Multi-stage modular framework
  • Targeted platforms

  • TOP targeted countries

    Central Asia , Europe , Africa

More about the MosaicRegressor framework, its targets and capabilities

Learn more
  • The way of propagation

    Spear-phishing emails , USB drives
  • Purpose/Functions

    Cyberespionage , Data theft
  • Special features

    MosaicRegressor is the first publicly known case where a threat actor used a custom made, malicious UEFI firmware in the wild. This means that, no matter how many times the operating system is reinstalled, the malware stays on the device. In addition, the malware’s malicious activity is potentially invisible to security solutions.

  • Targets

    Diplomatic organizations/embassies , NGOs
  • Description

    This multi-stage modular framework has been used to conduct espionage and data gathering campaigns against diplomats and members of an NGO from Africa, Asia and Europe—all of which have ties with North Korea—by an unknown threat actor. In some instances, it uses a very rarely seen type of malware known as a firmware bootkit as a persistence method. By infecting the Unified Extensible Firmware Interface (UEFI) of the computer—an essential part of the device—once installed, the malware remains on the device regardless of how many times the operating system has been reinstalled.

    Additional information