MosaicRegressor is the first publicly known case of a threat actor using custom-made malicious UEFI firmware in the wild (the earlier LoJax case repurposed a legitimate firmware agent rather than shipping a purpose-built implant). Because the implant lives in the firmware on the system's SPI flash rather than on the hard drive, it survives any number of operating system reinstalls, and even a disk replacement: a reinstall only wipes the payload the firmware drops, not the component that keeps redeploying it. And because firmware code runs before the operating system and any host-based security solution are loaded, its activity is potentially invisible to such solutions, which at best see the dropped payload rather than its source.
The wider MosaicRegressor framework is multi-stage and modular. An unknown threat actor has used it for espionage and data-gathering campaigns against diplomats and members of an NGO in Africa, Asia and Europe, all of whom have ties to North Korea. In some intrusions it achieved persistence through a firmware bootkit, a rarely seen class of malware that infects the Unified Extensible Firmware Interface (UEFI), the firmware that initialises the hardware and loads the operating system. Once installed there, the malware remains on the device regardless of how many times the operating system is reinstalled.