Threat Actor

MosaicRegressor

mosaicregressor · china_apt_speculation_low_confidence · active since 2017

MosaicRegressor (canonical Kaspersky framework + bootkit naming per the Kaspersky GReAT Securelist disclosure of October 5-7, 2020 by Mark Lechtik + Igor Kuznetsov + Yury Parshin) is a multi-stage modular cyber-espionage framework with custom UEFI bootkit capability, operationally significant as the first publicly known custom-built UEFI bootkit in the wild per Kaspersky's 2020 attribution (per Mark Lechtik: "Although UEFI attacks present wide opportunities to the threat actors, MosaicRegressor is the first publicly known case where a threat actor used a custom made, malicious UEFI firmware in the wild. Previously known attacks observed in the wild simply repurposed legitimate software (for instance, LoJax), making this the first in the wild attack leveraging a custom made UEFI bootkit").

Active 2017-2019 per Kaspersky telemetry analysis, with several dozen documented victims (diplomats + NGO members from Africa + Asia + Europe), all with some ties to North Korea, operationally consistent with intelligence-collection mission objectives focused on North Korea-related diplomatic and humanitarian activity; attribution to a Chinese-speaking actor with a low-confidence Winnti/APT41 umbrella connection per Kaspersky, based on a single C&C infrastructure overlap (103.82.52[.]18) with publicly reported Winnti umbrella activity and Chinese/Korean code page character sequence indicators (0xA3, 0xBA = FULL-WIDTH COLON per CP936/CP949); mixed Kaspersky attribution stance (the press release stated the campaign was not linked with confidence to known APT actors, while the Securelist blog refined this to a Chinese-speaking actor with possible Winnti connections); signature Hacking Team VectorEDK 2015 leak source-code derivative provenance (rogue UEFI firmware images modified using leaked Hacking Team VectorEDK source code following the July 2015 Hacking Team breach, an operationally significant example of the leaked-offensive-capability-repurposing pattern).

DXE driver addition approach to UEFI modification (operationally distinct from sibling MoonBounce existing-firmware-component modification approach per industry comparative analysis)

multi-stage modular MosaicRegressor framework architecture (downloaders + intermediate loaders + components fetched on demand to conceal wider framework from analysis + BitsRegEx Kaspersky-named variant)

UEFI bootkit + spear-phishing dual infection vectors (UEFI bootkit observed in only a minority of MosaicRegressor framework victims, an operationally cluster-defining capability deployed only against highest-priority targets; spear-phishing emails written in Russian for the majority of infections per Kaspersky)

signature IntelUpdate.exe system startup folder dropper persistence mechanism (bootkit places IntelUpdate.exe in system startup folder which downloads and installs MosaicRegressor components; per Kaspersky: "The only way to fix the problem is by reflashing the motherboard")

multi-channel C2 capability (cURL HTTP/HTTPS + BITS interface + WinHTTP + public mail services, operationally designed so blocking one route would not stop framework)

Hacking Team-suggested USB-drive physical-access deployment vector (per the leaked Hacking Team manual, attackers presumably needed physical access via a USB drive)

Kaspersky Firmware Scanner technology integrated into Kaspersky products since beginning of 2019 operationally enabled subsequent MosaicRegressor discovery.

fills the 2nd UEFI/firmware bootkit cell in the curated corpus following CosmicStrand (1st), operationally preceding sibling MoonBounce + BlackLotus clusters, operationally significant as the canonical "first publicly-known custom UEFI bootkit in the wild" industry baseline reference point cited in subsequent MoonBounce (Kaspersky January 2022) + CosmicStrand (Kaspersky July 2022) + BlackLotus (ESET March 2023) + NSA BlackLotus mitigation guidance (June 2023) disclosures as comparative chronological reference.

Attribution tag: china_apt_speculation_low_confidence · confidence: high · 14 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

MosaicRegressor (canonical Kaspersky framework naming + bootkit naming per the October 2020 Securelist disclosure by Mark Lechtik + Igor Kuznetsov + Yury Parshin) is a multi-stage modular cyber-espionage framework with custom UEFI bootkit capability, operationally significant as the first publicly known custom-built UEFI bootkit in the wild per Kaspersky's 2020 attribution, predating sibling UEFI/firmware clusters MoonBounce (January 2022) + CosmicStrand (July 2022) + BlackLotus (March 2023) in operational chronology. Active 2017-2019 per Kaspersky telemetry analysis, with several dozen documented victims, all with some ties to North Korea, operationally consistent with intelligence-collection mission objectives focused on North Korea-related diplomatic and humanitarian activity. Attribution: Chinese-speaking actor with a low-confidence Winnti/APT41 umbrella connection, per a single C&C infrastructure overlap (103.82.52[.]18) and Chinese/Korean code page character sequence indicators (0xA3, 0xBA = FULL-WIDTH COLON per CP936/CP949). Kaspersky's attribution stance was mixed: the press release stated the campaign was not linked with confidence to known APT actors, while the Securelist blog refined this to a Chinese-speaking actor with possible Winnti connections.

Operational phases:
  • (1) VECTOREDK HACKING TEAM LEAK BASIS (July 2015): the Hacking Team breach leaks the VectorEDK bootkit source code online, an operationally significant predecessor providing the foundation for the MosaicRegressor custom UEFI bootkit.
  • (2) EARLIEST DOCUMENTED ACTIVITY (2017): earliest documented MosaicRegressor framework activity.
  • (3) KASPERSKY FIRMWARE SCANNER DEPLOYMENT (2019): Kaspersky Firmware Scanner technology integrated into Kaspersky products, enabling the subsequent MosaicRegressor discovery.
  • (4) KASPERSKY CANONICAL DISCLOSURE (October 5-7, 2020): MosaicRegressor + UEFI bootkit + Hacking Team VectorEDK derivative provenance disclosed.
  • (5) CONTINUED INDUSTRY REFERENCE STATUS (2020-2026): cited as the canonical baseline reference in the subsequent MoonBounce + CosmicStrand + BlackLotus disclosures.
Signature operational tradecraft
  • First publicly known custom-built UEFI bootkit in the wild (cluster-defining): per Mark Lechtik's canonical statement, operationally distinct from LoJax (ESET 2018), which repurposed legitimate LoJack anti-theft software.
  • Hacking Team VectorEDK 2015 leak source-code derivative (signature): rogue UEFI firmware images modified using leaked Hacking Team VectorEDK source code. Operationally significant example of the leaked-offensive-capability-repurposing pattern.
  • DXE driver addition approach (signature): operationally distinct from the MoonBounce existing-firmware-component modification approach per industry comparative analysis.
  • Multi-stage modular MosaicRegressor framework architecture: per Kaspersky, a multi-stage modular framework consisting of downloaders + intermediate loaders + components fetched on demand to conceal the wider framework from analysis.
  • UEFI bootkit + spear-phishing dual infection vectors: UEFI bootkit observed in only a minority of MosaicRegressor framework victims, an operationally cluster-defining capability deployed only against highest-priority targets. Spear-phishing emails written in Russian for the majority of infections.
  • IntelUpdate.exe dropper persistence mechanism (signature): the bootkit places IntelUpdate.exe in the system startup folder. The executable downloads and installs MosaicRegressor components. Per Kaspersky: "The only way to fix the problem is by reflashing the motherboard."
  • Multi-channel C2 capability (signature): cURL library (HTTP/HTTPS) + Background Intelligent Transfer Service (BITS) interface + WinHTTP programming interface + public mail services, operationally designed so that blocking one route would not stop the framework.
  • Hacking Team-suggested USB-drive physical-access deployment vector: per the leaked Hacking Team manual, attackers presumably needed physical access and used a USB drive to infect machines, though other UEFI compromise methods cannot be ruled out.
  • Documented victim list (signature): diplomats + members of NGOs from Africa + Asia + Europe, all with some ties to North Korea. Several dozen victims over 2017-2019.
  • Russian-language spear-phishing tradecraft (signature): spear-phishing emails written in Russian suggest language tradecraft adapted to Russian-speaking diplomatic targets. The cluster fills the 2nd UEFI/firmware bootkit cell in this curated corpus following cosmicstrand_uefi (1st) and operationally preceding the sibling MoonBounce + BlackLotus clusters. Operationally significant as the canonical "first custom UEFI bootkit in the wild" industry baseline reference point.

Aliases (14)

  • mosaicregressor
  • mosaic_regressor
  • mosaic regressor
  • mosaicregressor_uefi_bootkit
  • vectoredk_derivative_uefi_bootkit
  • hacking team vectoredk customized
  • bitsregex
  • bits_regex
  • bitsregex variant
  • intelupdate
  • intelupdate.exe
  • mosaicregressor uefi
  • mosaicregressor framework
  • chinese speaking actor uefi 2020

Notable Campaigns (7)

  • 2020-2026: Continued Industry Reference Status (2020-2026)
  • 2020: MosaicRegressor Kaspersky Canonical Disclosure (October 5-7, 2020)
  • 2020: Chinese-Speaking Actor Low-Confidence Attribution
  • 2020: Canonical Status: First Custom UEFI Bootkit in the Wild
  • 2019: Kaspersky Firmware Scanner Capability Deployment (2019)
  • 2017: MosaicRegressor Earliest Documented Activity (2017)
  • 2015: VectorEDK Hacking Team Leak Source-Code Basis (2015 Leak)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT (canonical October 2020 disclosure, Mark Lechtik + Igor Kuznetsov + Yury Parshin)
  • Firmware Scanner Kaspersky technology (since beginning of 2019, initial detection capability)
  • Eclypsium (UEFI security industry analysis)
  • Mandiant / Google Threat Intelligence Group (UEFI offensive cyber capability industry context)
  • Microsoft Threat Intelligence Center
  • Symantec / Broadcom Threat Hunter Team
  • Sergey Lozhkin (Kaspersky researcher, adjacent UEFI bootkit industry analysis)
  • Hacking Team (Italian surveillance vendor, source code provenance, VectorEDK 2015 leak)
  • The Hacker News (October 2020 coverage)
  • Dark Reading (industry analysis)
  • Enterprise Times (October 2020 coverage)
Key reporting
  • Kaspersky GReAT (Mark Lechtik + Igor Kuznetsov + Yury Parshin): MosaicRegressor, Lurking in the Shadows of UEFI (Securelist, October 5, 2020), canonical MosaicRegressor disclosure
  • Kaspersky: Malware delivery through UEFI bootkit with MosaicRegressor (Kaspersky.com blog, October 7, 2020), companion analyst-facing disclosure
  • The Hacker News (Ravie Lakshmanan): New 'MosaicRegressor' UEFI Bootkit Malware Found Active in the Wild (October 5, 2020)
  • Enterprise Times (Ian Murphy): Kaspersky spots customised UEFI firmware bootkit (October 7, 2020)
  • Dark Reading: Researchers Discover Dangerous Firmware-Level Rootkit (industry analysis)
  • Eclypsium: UEFI bootkit industry analysis (post-MosaicRegressor disclosure)
  • Mandiant / Google Threat Intelligence Group: UEFI offensive cyber capability industry context
  • Microsoft Threat Intelligence Center: UEFI bootkit detection guidance
  • Symantec / Broadcom Threat Hunter Team: MosaicRegressor adjacent tracking
  • MITRE ATT&CK Software S0489: MosaicRegressor
  • Malpedia Software Profile: MosaicRegressor

Operational

State sponsor

Chinese-speaking actor, attributed with low confidence in the Kaspersky GReAT October 2020 canonical disclosure based on a single C2 infrastructure overlap with the publicly reported "Winnti umbrella and linked groups": the specific C&C address 103.82.52[.]18 found in a MosaicRegressor variant (MD5 3B58E122D9E17121416B146DAAB4DB9D) had been observed in use by the Winnti umbrella per a publicly available report. Per Kaspersky GReAT: "Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks." Operationally significant attribution caveats:

(1) Mixed Kaspersky attribution stance: per Enterprise Times analysis: "Kaspersky is giving mixed messages as to who the attackers are. In its press release, it states: 'The campaign has not been linked with confidence to any known advanced persistent threat actors.' However, in the blog on Securelist, it refined its position. While still avoiding openly pointing at a specific APT, the blog states: 'Code artefacts in some of the framework's components and overlaps in C&C infrastructure used during the campaign suggest that a Chinese-speaking actor is behind these attacks, possibly having connections to groups using the Winnti backdoor.'"

(2) Chinese-speaking actor indicators: Kaspersky identified strings in the system information log generated by the BitsRegEx variant containing the character sequence '0xA3, 0xBA', an invalid sequence for a UTF-8 string; under LATIN1 encoding it translates to "£º" (pound sign + masculine ordinal indicator). Iterating over the iconv symbol table to convert the sequence to UTF-8 produced candidates whose best match was the "FULL-WIDTH COLON" Unicode character, translated from either the Chinese code page (CP936) or the Korean code page (CP949), operationally suggesting a Chinese-speaking or Korean-speaking developer.

(3) Winnti backdoor toolset overlap (low confidence): operational overlap with the broadly tracked Winnti umbrella (which includes the APT41 / Barium / Bronze Atlas / Wicked Panda / Brass Typhoon nation-state cluster + adjacent Chinese-speaking criminal-cluster groups using the Winnti backdoor codebase).
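The code-page check behind caveat (2), as an added example rather than Kaspersky's own tooling: it decodes the quoted 0xA3 0xBA pair under a set of candidate code pages (an assumed stand-in for the iconv symbol-table iteration the analysis describes), keeps the encodings under which the two bytes collapse to a single character, and goes one step further by mapping those code pages to the language family they imply.

```python
"""Reproduce the code-page heuristic applied to the BitsRegEx log string.

Added example, not Kaspersky's tooling: the byte pair 0xA3 0xBA is the value
quoted in the MosaicRegressor disclosure; the candidate code-page list is an
assumption standing in for a full iconv symbol-table iteration.
"""
import unicodedata

# Byte sequence quoted in the Kaspersky analysis (constructed here as input).
SUSPECT_BYTES = b"\xa3\xba"

# Assumed candidate code pages: the Python codecs an analyst would try once a
# string turns out not to be valid UTF-8.
CANDIDATE_CODECS = (
    "utf-8", "latin-1", "cp1252",
    "cp932", "shift_jis", "euc-jp",
    "cp936", "gb2312", "gbk",
    "cp949", "euc-kr",
    "cp950", "big5",
)

# Language family each East Asian code page belongs to (well-known mapping).
CODEC_FAMILY = {
    "cp932": "Japanese", "shift_jis": "Japanese", "euc-jp": "Japanese",
    "cp936": "Chinese", "gb2312": "Chinese", "gbk": "Chinese",
    "cp950": "Chinese", "big5": "Chinese",
    "cp949": "Korean", "euc-kr": "Korean",
}


def decode_attempts(raw: bytes, codecs=CANDIDATE_CODECS) -> dict:
    """Try each codec; return {codec: decoded text, or None when decoding fails}."""
    results = {}
    for codec in codecs:
        try:
            results[codec] = raw.decode(codec)
        except UnicodeDecodeError:
            results[codec] = None  # e.g. UTF-8: 0xA3 is a stray continuation byte
    return results


def single_char_matches(raw: bytes, codecs=CANDIDATE_CODECS) -> dict:
    """Keep only codecs under which the bytes form ONE character, with its Unicode name.

    This is the signal the analysis relied on: under Latin-1 the pair is two
    unrelated symbols, under the Chinese and Korean code pages it is one
    full-width punctuation mark that a developer could plausibly have typed.
    """
    matches = {}
    for codec, text in decode_attempts(raw, codecs).items():
        if text is not None and len(text) == 1:
            matches[codec] = unicodedata.name(text, "UNNAMED")
    return matches


def likely_locales(raw: bytes, codecs=CANDIDATE_CODECS) -> set:
    """Map the single-character matches back to the language family of each code page."""
    return {CODEC_FAMILY[c] for c in single_char_matches(raw, codecs) if c in CODEC_FAMILY}


if __name__ == "__main__":
    for codec, text in decode_attempts(SUSPECT_BYTES).items():
        print(f"{codec:>10}: {text!r}")
    print("single-character matches:", single_char_matches(SUSPECT_BYTES))
    print("likely developer locales:", likely_locales(SUSPECT_BYTES))
```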

Operationally distinct attribution profile from sibling UEFI/firmware cluster MoonBounce, which received a considerable-confidence APT41 attribution from Kaspersky GReAT in January 2022, and from sibling CosmicStrand, which Kaspersky GReAT attributed to the broader Winnti umbrella. Operational characteristics + technical sophistication attributed at moderate-to-high confidence per multiple convergent sources:

(a) Kaspersky GReAT canonical October 2020 disclosure: Kaspersky researchers Mark Lechtik + Igor Kuznetsov + Yury Parshin published the canonical comprehensive analysis on Securelist on October 5-7, 2020. Per Mark Lechtik: "Although UEFI attacks present wide opportunities to the threat actors, MosaicRegressor is the first publicly known case where a threat actor used a custom made, malicious UEFI firmware in the wild. Previously known attacks observed in the wild simply repurposed legitimate software (for instance, LoJax), making this the first in the wild attack leveraging a custom made UEFI bootkit."

(b) Hacking Team VectorEDK source-code derivative provenance (signature): rogue UEFI firmware images modified using the source code of VectorEDK, the Hacking Team bootkit leaked online in 2015 following the Hacking Team breach. While Hacking Team's original VectorEDK was used to write Hacking Team backdoors to disk (known as 'Soldier' / 'Scout' / 'Elite'), the MosaicRegressor variant deployed a new piece of malware not previously seen.

(c) Multi-stage modular MosaicRegressor framework architecture: per Kaspersky: "MosaicRegressor is a multi-stage and modular framework aimed at espionage and data gathering. It consists of downloaders, and occasionally multiple intermediate loaders, that are intended to fetch and execute payload on victim machines. The fact that the framework consists of multiple modules assists the attackers to conceal the wider framework from analysis, and deploy components to target machines only on demand."

(d) UEFI bootkit + spear-phishing dual infection vectors: per Kaspersky: "the malware entered victims' computers through modified UEFIs, an extremely rare occurrence in the wild. However, in most cases, the attackers used spear-phishing, a more traditional method." Some spear-phishing emails were written in Russian per Kaspersky analysis, operationally aligned with the targeting of Russian-speaking diplomats. The UEFI bootkit was observed in only a minority of MosaicRegressor framework victims, an operationally cluster-defining capability deployed only against highest-priority targets.

(e) Hacking Team-suggested deployment vector: per Kaspersky: "Although the exact infection vector employed to overwrite the original firmware remains unknown at this stage, a leaked manual suggests the malware may have been deployed through physical access to the victim's machine. Based on data from the HackingTeam leak, the attackers presumably needed physical access and used a USB drive to infect the machines. However, other methods of UEFI compromise cannot be ruled out."

(f) IntelUpdate.exe dropper persistence mechanism: per Kaspersky: "When the system starts, the bootkit places the malicious file IntelUpdate.exe in the system startup folder. The executable downloads and installs another MosaicRegressor components on the computer. Given the relative insularity of UEFI, even if this malicious file is detected, it is almost impossible to remove. Neither deleting it nor reinstalling the operating system helps. The only way to fix the problem is by reflashing the motherboard."

Documented MosaicRegressor framework targets per Kaspersky telemetry analysis: several dozen victims between 2017 and 2019, all of whom had some ties to North Korea. Targets included diplomats + members of NGOs from Africa + Asia + Europe, operationally consistent with intelligence-collection mission objectives focused on North Korea-related diplomatic and humanitarian activity.

Operational classification: nation-state-level APT campaign with the first publicly known custom UEFI bootkit capability, operationally significant as the first custom-built UEFI bootkit in the wild, predating MoonBounce 2022 + BlackLotus 2023 + CosmicStrand 2022 in the operational chronology of publicly tracked UEFI bootkit development. Operationally distinct from MoonBounce (existing-firmware-component modification) and BlackLotus (commercial $5K dark-web sale) through its DXE-driver-addition approach + nation-state operational use pattern. The cluster fills the 2nd UEFI/firmware bootkit cell in this curated corpus following cosmicstrand_uefi (1st) and operationally preceding the moonbounce + blacklotus sibling cells.

Operationally significant as the canonical "first publicly-known custom UEFI bootkit in the wild" baseline reference point for UEFI/firmware offensive cyber capability evolution.

Motivations
sophisticated_state_actor_offensive_cyber_capability_for_intelligence_collection, first_publicly_known_custom_uefi_bootkit_capability_demonstration, diplomats_ngo_members_targeting_with_north_korea_ties_intelligence_collection, africa_asia_europe_diplomatic_targeting, hacking_team_vectoredk_leaked_source_code_offensive_capability_repurposing, persistent_firmware_level_implant_for_long_term_espionage, winnti_umbrella_chinese_speaking_actor_capability_provision, modular_framework_architecture_for_concealment_from_analysis

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 56/60 · 93%
  • Analytics (MITRE CAR): 25/60 · 41%
  • Runtime / container (Falco): 8/60 · 13%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 14/60 · 23%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • MOSAICREGRESSOR DOWNLOADERS
  • MOSAICREGRESSOR INTERMEDIATE LOADERS
  • MOSAICREGRESSOR MULTI STAGE MODULAR FRAMEWORK
  • MOSAICREGRESSOR UEFI BOOTKIT
  • SPI FLASH MODIFIED FIRMWARE IMAGES
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin