{
	"id": "188d0f7b-7abc-405b-8045-cdd60756b173",
	"created_at": "2026-04-06T00:21:55.733157Z",
	"updated_at": "2026-04-10T03:37:49.598374Z",
	"deleted_at": null,
	"sha1_hash": "c1275e2ee3dc2ebdc22778803ae7e1bbd6a0b545",
	"title": "MosaicRegressor: Lurking in the Shadows of UEFI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 794142,
	"plain_text": "MosaicRegressor: Lurking in the Shadows of UEFI\r\nBy Mark Lechtik\r\nPublished: 2020-10-05 · Archived: 2026-04-05 20:54:42 UTC\r\n Part II. Technical details (PDF)\r\nUEFI (or Unified Extensible Firmware Interface) has become a prominent technology that is embedded within\r\ndesignated chips on modern day computer systems. Replacing the legacy BIOS, it is typically used to facilitate the\r\nmachine’s boot sequence and load the operating system, while using a feature-rich environment to do so. At the\r\nsame time, it has become the target of threat actors to carry out exceptionally persistent attacks.\r\nOne such attack has become the subject of our research, where we found a compromised UEFI firmware image\r\nthat contained a malicious implant. This implant served as means to deploy additional malware on the victim\r\ncomputers, one that we haven’t come across thus far. To the best of our knowledge, this is the second known\r\npublic case where malicious UEFI firmware in use by a threat actor was found in the wild.\r\nThroughout this blog we will elaborate on the following key findings:\r\nWe discovered rogue UEFI firmware images that were modified from their benign counterpart to\r\nincorporate several malicious modules;\r\nThe modules were used to drop malware on the victim machines. 
This malware was part of a wider\r\nmalicious framework that we dubbed MosaicRegressor;\r\nComponents from that framework were discovered in a series of targeted attacks pointed towards\r\ndiplomats and members of an NGO from Africa, Asia and Europe, all showing ties in their activity to North\r\nKorea;\r\nCode artefacts in some of the framework’s components and overlaps in C\u0026C infrastructure used during the\r\ncampaign suggest that a Chinese-speaking actor is behind these attacks, possibly having connections to\r\ngroups using the Winnti backdoor;\r\nThe attack was found with the help of Firmware Scanner, which has been integrated into Kaspersky products since\r\nthe beginning of 2019. This technology was developed to specifically detect threats hiding in the ROM BIOS,\r\nincluding UEFI firmware images.\r\nCurrent State of the Art\r\nBefore we dive deep into our findings, let us have a quick recap of what UEFI is and how it was leveraged for\r\nattacks thus far. In a nutshell, UEFI is a specification that constitutes the structure and operation of low-level\r\nplatform firmware, so as to allow the operating system to interact with it at various stages of its activity.\r\nThis interaction happens most notably during the boot phase, where UEFI firmware facilitates the loading of the\r\noperating system itself. That said, it can also occur when the OS is already up and running, for example in order to\r\nhttps://securelist.com/mosaicregressor/98849/\r\nPage 1 of 15\n\nupdate the firmware through a well-defined software interface.\r\nConsidering the above, UEFI firmware makes for a perfect mechanism of persistent malware storage. A\r\nsophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the\r\noperating system is loaded. 
Moreover, since it is typically shipped within SPI flash storage that is soldered to the\r\ncomputer’s motherboard, such implanted malware will be resistant to OS reinstallation or replacement of the hard\r\ndrive.\r\nThis type of attack has occurred in several instances in the past few years. A prominent example is the LowJax\r\nimplant discovered by our friends at ESET in 2018, in which patched UEFI modules of the LoJack anti-theft\r\nsoftware (also known as Computrace) were used to deploy a malicious user mode agent in a number of Sofacy \\\r\nFancy Bear victim machines. The dangers of Computrace itself were described by our colleagues from the Global\r\nResearch and Analysis Team (GReAT) back in 2014.\r\nAnother example is source code of a UEFI bootkit named VectorEDK which was discovered in the Hacking Team\r\nleaks from 2015. This code consisted of a set of UEFI modules that could be incorporated into the platform\r\nfirmware in order to have it deploy a backdoor to the system which will be run when the OS loads, or redeploy it\r\nif it was wiped. Despite the fact that VectorEDK’s code was made public and can be found in Github nowadays,\r\nwe hadn’t witnessed actual evidence of it in the wild, before our latest finding.\r\nOur Discovery\r\nDuring an investigation, we came across several suspicious UEFI firmware images. A deeper inspection revealed\r\nthat they contained four components that had an unusual proximity in their assigned GUID values, those were two\r\nDXE drivers and two UEFI applications. After further analysis we were able to determine that they were based on\r\nthe leaked source code of HackingTeam’s VectorEDK bootkit, with minor customizations.\r\nRogue components found within the compromised UEFI firmware\r\nThe goal of these added modules is to invoke a chain of events that would result in writing a malicious executable\r\nnamed ‘IntelUpdate.exe’ to the victim’s Startup folder. 
Thus, when Windows is started the written malware would\r\nbe invoked as well. Apart from that, the modules would ensure that if the malware file is removed from the disk, it\r\nwill be rewritten. Since this logic is executed from the SPI flash, there is no way to avoid this process other than\r\neliminating the malicious firmware.\r\nFollowing is an outline of the components that we revealed:\r\nSmmInterfaceBase: a DXE driver that is based on Hacking Team’s ‘rkloader’ component and intended to\r\ndeploy further components of the bootkit for later execution. This is done by registering a callback that will\r\nbe invoked upon an event of type EFI_EVENT_GROUP_READY_TO_BOOT. The event occurs at a point\r\nwhen control can be passed to the operating system’s bootloader, effectively allowing the callback to take\r\neffect before it. The callback will in turn load and invoke the ‘SmmAccessSub’ component.\r\nNtfs: a driver written by Hacking Team that is used to detect and parse the NTFS file system in order to\r\nallow conducting file and directory operations on the disk.\r\nSmmReset: a UEFI application intended to mark the firmware image as infected. This is done by setting\r\nthe value of a variable named ‘fTA’ to a hard-coded GUID. The application is based on a component from\r\nthe original Vector-EDK code base that is named ‘ReSetfTA’.\r\n Setting of the fTA variable with a predefined GUID to mark the execution of the bootkit\r\nSmmAccessSub: the main bootkit component that serves as a persistent dropper for a user-mode malware.\r\nIt is executed by the callback registered during the execution of ‘SmmInterfaceBase’, and takes care of\r\nwriting a binary embedded within it as a file named ‘IntelUpdate.exe’ to the startup directory on disk. 
This\r\nallows the binary to execute when Windows is up and running.\r\nThis is the only proprietary component amongst the ones we inspected, which was mostly written from\r\nscratch and makes only slight use of code from a Vector-EDK application named ‘fsbg’. It conducts the\r\nfollowing actions to drop the intended file to disk:\r\nBootstraps pointers for the SystemTable, BootServices and RuntimeServices global structures.\r\nTries to get a handle to the currently loaded image by invoking the HandleProtocol method with the\r\nEFI_LOADED_IMAGE_PROTOCOL_GUID argument.\r\nIf the handle to the current image is obtained, the module attempts to find the root drive in which\r\nWindows is installed by enumerating all drives and checking that the ‘\\Windows\\System32’\r\ndirectory exists on them. A global EFI_FILE_PROTOCOL object that corresponds to the drive will\r\nbe created at this point and referenced to open any further directories or files in this drive.\r\nIf the root drive is found in the previous stage, the module looks for a marker file named\r\n‘setupinf.log’ under the Windows directory and proceeds only if it doesn’t exist. In the absence of\r\nthis file, it is created.\r\nIf the creation of ‘setupinf.log’ succeeds, the module goes on to check if the ‘Users’ directory exists\r\nunder the same drive.\r\nIf the ‘Users’ directory exists, it writes the ‘IntelUpdate.exe’ file (embedded in the UEFI\r\napplication’s binary) under the ‘ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup’\r\ndirectory in the root drive.\r\nCode from ‘SmmAccessSub’ used to write the embedded ‘IntelUpdate.exe’ binary to the Windows Startup\r\ndirectory\r\nUnfortunately, we were not able to determine the exact infection vector that allowed the attackers to overwrite the\r\noriginal UEFI firmware. Our detection logs show that the firmware itself was found to be malicious, but no\r\nsuspicious events preceded it. 
Due to this, we can only speculate how the infection could have happened.\r\nOne option is through physical access to the victim’s machine. This could be partially based on Hacking Team’s\r\nleaked material, according to which the installation of firmware infected with VectorEDK requires booting the\r\ntarget machine from a USB key. Such a USB would contain a special update utility that can be generated with a\r\ndesignated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which\r\ncould have been used for such a purpose as well.\r\nFurthermore, the leaks reveal that the UEFI infection capability (which is referred to by Hacking Team as\r\n‘persistent installation’) was tested on ASUS X550C laptops. These make use of UEFI firmware by AMI which is\r\nvery similar to the one we inspected. For this reason we can assume that Hacking Team’s method of patching the\r\nfirmware would work in our case as well.\r\nExcerpt from a Hacking Team manual for deployment of infected UEFI firmware, also known as ‘persistent\r\ninstallation’\r\nOf course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a\r\ncompromised update mechanism. Such a scenario would typically require exploiting vulnerabilities in the BIOS\r\nupdate authentication process. While this could be the case, we don’t have any evidence to support it.\r\nThe Bigger Picture: Enter MosaicRegressor Framework\r\nWhile Hacking Team’s original bootkit was used to write one of the company’s backdoors to disk, known as\r\n‘Soldier’, ‘Scout’ or ‘Elite’, the UEFI implant we investigated deployed a new piece of malware that we haven’t\r\nseen thus far. We decided to look for similar samples that share strings and implementation traits with the dropped\r\nbinary. 
Consequently, the samples that we found suggested that the dropped malware was only one variant derived\r\nfrom a wider framework that we named MosaicRegressor.\r\nMosaicRegressor is a multi-stage and modular framework aimed at espionage and data gathering. It consists of\r\ndownloaders, and occasionally multiple intermediate loaders, that are intended to fetch and execute payloads on\r\nvictim machines. The fact that the framework consists of multiple modules helps the attackers conceal the\r\nwider framework from analysis, and deploy components to target machines only on demand. Indeed, we were able\r\nto obtain only a handful of payload components during our investigation.\r\nThe downloader components of MosaicRegressor are composed of common business logic, whereby the implants\r\ncontact a C\u0026C, download further DLLs from it and then load and invoke specific export functions from them. The\r\nexecution of the downloaded modules usually results in output that can be in turn issued back to the C\u0026C.\r\nHaving said that, the various downloaders we observed made use of different communication mechanisms when\r\ncontacting their C\u0026Cs:\r\nCURL library (HTTP/HTTPS)\r\nBITS transfer interface\r\nWinHTTP API\r\nPOP3S/SMTPS/IMAPS, payloads transferred in e-mail messages\r\nThe last variant in the list is distinct for its use of e-mail boxes to host the requested payload. The payload\r\nintended to run by this implant can also generate an output upon invocation, which can be later forwarded to a\r\n‘feedback’ mail address, where it will likely be collected by the attackers.\r\nThe mail boxes used for this purpose reside on the ‘mail.ru’ domain, and are accessed using credentials that are\r\nhard-coded in the malware’s binary. 
To fetch the requested file from the target inbox, MailReg enters an infinite\r\nloop where it tries to connect to the “pop.mail.ru” server every 20 minutes, and makes use of the first pair of\r\ncredentials that allow a successful connection. The e-mails used for login (without their passwords) and\r\ncorresponding feedback mail are specified in the table below:\r\nLogin mail Feedback mail\r\nthtgoolnc@mail.ru thgetmmun@mail.ru\r\nthbububugyhb85@mail.ru thyhujubnmtt67@mail.ru\r\nThe downloaders can also be split in two distinct types, the “plain” one just fetching the payload, and the\r\n“extended” version that also collects system information:\r\nStructure of the log file written by BitsRegEx, strings marked in red are the original fields that appear in that\r\nfile\r\nWe were able to obtain only one variant of the subsequent stage, that installs itself in the autorun registry values and\r\nacts as another loader for the components that are supposed to be fetched by the initial downloader. These\r\ncomponents are also just intermediate loaders for the next stage DLLs. Ultimately, there is no concrete business\r\nlogic in the persistent components, as it is provided by the C\u0026C server in the form of DLL files, most of them\r\ntemporary.\r\nWe have observed one such library, “load.rem”, that is a basic document stealer, fetching files from the “Recent\r\nDocuments” directory and archiving them with a password, likely as a preliminary step before exfiltrating the\r\nresult to the C\u0026C by another component.\r\nThe following figure describes the full flow and connection between the components that we know about. 
The\r\ncolored elements are the components that we obtained and gray ones are the ones we didn’t:\r\nFlow from BitsRegEx to execution of intermediate loaders and final payload\r\nWho were the Targets?\r\nAccording to our telemetry, there were several dozen victims who received components from the\r\nMosaicRegressor framework between 2017 and 2019. These victims included diplomatic entities and NGOs in\r\nAfrica, Asia and Europe. Only two of them were also infected with the UEFI bootkit in 2019, predating the\r\ndeployment of the BitsReg component.\r\nBased on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK,\r\nbe it non-profit activity related to the country or actual presence within it. This common theme can be reinforced\r\nthrough one of the infection vectors used to deliver the malware to some of the victims, which was SFX archives\r\npretending to be documents discussing various subjects related to North Korea. Those were bundled with both an\r\nactual document and MosaicRegressor variants, having both executed when the archive is opened. Examples of\r\nthe lure documents can be seen below.\r\nExamples of lure documents bundled to malicious SFX archives sent to MosaicRegressor victims, discussing\r\nDPRK related topics\r\nWho is behind the attack?\r\nWhen analyzing MosaicRegressor’s variants, we noticed several interesting artefacts that provided us with clues\r\non the identity of the actor behind the framework. As far as we can tell, the attacks were conducted by a Chinese-speaking actor, who may have previously used the Winnti backdoor. We found the following evidence to support\r\nthis:\r\nWe spotted many strings used in the system information log generated by the BitsRegEx variant that\r\ncontain the character sequence ‘0xA3, 0xBA’. 
This is an invalid sequence for a UTF-8 string and the\r\nLATIN1 encoding translates these symbols to a pound sign followed by a “masculine ordinal indicator”\r\n(“£º”). An attempt to iterate over all available iconv symbol tables, trying to convert the sequence to UTF-8, produces possible candidates that give a more meaningful interpretation. Given the context of the string\r\npreceding the symbol and line feed symbols following it, the best match is the “FULL-WIDTH COLON”\r\nUnicode character translated from either the Chinese or Korean code pages (i.e. CP936 and CP949).\r\nFigure: The BitsRegEx system information log making use of the character sequence 0xA3, 0xBA, likely used to\r\nrepresent a full-width colon, according to code pages CP936 and CP949.\r\nAnother artefact that we found was a file resource found in CurlReg samples that contained a language\r\nidentifier set to 2052 (“zh-CN”).\r\nChinese language artefact in the resource section of a CurlReg sample\r\nWe detected an OLE2 object taken out of a document armed with the CVE-2018-0802 vulnerability, which\r\nwas produced by the so-called ‘Royal Road’ / ‘8.t’ document builder and used to drop a CurlReg variant.\r\nTo the best of our knowledge, this builder is commonly used by Chinese-speaking threat actors.\r\nExcerpt from the OLE2 object found within a ‘Royal Road’ weaponized document, delivering the CurlReg\r\nvariant\r\nA C\u0026C address (103.82.52[.]18) which was found in one of MosaicRegressor’s variants\r\n(MD5:3B58E122D9E17121416B146DAAB4DB9D) was observed in use by the ‘Winnti umbrella and\r\nlinked groups’, according to a publicly available report. 
Since this is the only link between our findings and\r\nany of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible\r\nfor the attacks.\r\nConclusion\r\nThe attacks described in this blog post demonstrate the lengths an actor can go to in order to gain the highest level of\r\npersistence on a victim machine. It is highly uncommon to see compromised UEFI firmware in the wild, usually\r\ndue to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI\r\nflash chip, and the high stakes of burning a sensitive toolset or assets when doing so.\r\nWith this in mind, we see that UEFI continues to be a point of interest to APT actors, while being largely\r\noverlooked by security vendors. The combination of our technology and understanding of the current and past\r\ncampaigns leveraging infected firmware helps us monitor and report on future attacks against such targets.\r\nThe full details of this research, as well as future updates on the underlying threat actor, are available to customers\r\nof the APT reporting service through our Threat Intelligence Portal.\r\nIoCs\r\nThe following IoC list is not complete. If you want more information about the APT discussed here, a full IoC list\r\nand YARA rules are available to customers of Kaspersky Threat Intelligence Reports. 
Contact:\r\nintelreports@kaspersky.com\r\nUEFI Modules\r\nF5B320F7E87CC6F9D02E28350BB87DE6 (SmmInterfaceBase)\r\n0C136186858FD36080A7066657DE81F5 (SmmAccessSub)\r\n91A473D3711C28C3C563284DFAFE926B (SmmReset)\r\nDD8D3718197A10097CD72A94ED223238 (Ntfs)\r\nRAR SFX droppers\r\n0EFB785C75C3030C438698C77F6E960E\r\n12B5FED367DB92475B071B6D622E44CD\r\n3B3BC0A2772641D2FC2E7CBC6DDA33EC\r\n3B58E122D9E17121416B146DAAB4DB9D\r\n70DEF87D180616406E010051ED773749\r\n7908B9935479081A6E0F681CCEF2FDD9\r\nAE66ED2276336668E793B167B6950040\r\nB23E1FE87AE049F46180091D643C0201\r\nCFB072D1B50425FF162F02846ED263F9\r\nDecoy documents\r\n0D386EBBA1CCF1758A19FB0B25451AFE\r\n233B300A58D5236C355AFD373DABC48B\r\n449BE89F939F5F909734C0E74A0B9751\r\n67CF741E627986E97293A8F38DE492A7\r\n6E949601EBDD5D50707C0AF7D3F3C7A5\r\n92F6C00DA977110200B5A3359F5E1462\r\nA69205984849744C39CFB421D8E97B1F\r\nD197648A3FB0D8FF6318DB922552E49E\r\nBitsReg\r\nB53880397D331C6FE3493A9EF81CD76E\r\nAFC09DEB7B205EADAE4268F954444984 (64-bit)\r\nBitsRegEx\r\nDC14EE862DDA3BCC0D2445FDCB3EE5AE\r\n88750B4A3C5E80FD82CF0DD534903FC0\r\nC63D3C25ABD49EE131004E6401AF856C\r\nD273CD2B96E78DEF437D9C1E37155E00\r\n72C514C0B96E3A31F6F1A85D8F28403C\r\nCurlReg\r\n9E182D30B070BB14A8922CFF4837B94D\r\n61B4E0B1F14D93D7B176981964388291\r\n3D2835C35BA789BD86620F98CBFBF08B\r\nCurlRegEx\r\n328AD6468F6EDB80B3ABF97AC39A0721\r\n7B213A6CE7AB30A62E84D81D455B4DEA\r\nMailReg\r\nE2F4914E38BB632E975CFF14C39D8DCD\r\nWinHTTP Based Downloaders\r\n08ECD8068617C86D7E3A3E810B106DCE\r\n1732357D3A0081A87D56EE1AE8B4D205\r\n74DB88B890054259D2F16FF22C79144D\r\n7C3C4C4E7273C10DBBAB628F6B2336D8\r\nBitsReg Payload (FileA.z)\r\n89527F932188BD73572E2974F4344D46\r\n2nd Stage Loaders\r\n36B51D2C0D8F48A7DC834F4B9E477238 (mapisp.dll)\r\n1C5377A54CBAA1B86279F63EE226B1DF (cryptui.sep)\r\n9F13636D5861066835ED5A79819AAC28 (cryptui.sep)\r\n3rd Stage 
Payload\r\nFA0A874926453E452E3B6CED045D2206 (load.rem)\r\nFile paths\r\n%APPDATA%\\Microsoft\\Credentials\\MSI36C2.dat\r\n%APPDATA%\\Microsoft\\Internet Explorer\\%Computername%.dat\r\n%APPDATA%\\Microsoft\\Internet Explorer\\FileA.dll\r\n%APPDATA%\\Microsoft\\Internet Explorer\\FileB.dll\r\n%APPDATA%\\Microsoft\\Internet Explorer\\FileC.dll\r\n%APPDATA%\\Microsoft\\Internet Explorer\\FileD.dll\r\n%APPDATA%\\Microsoft\\Internet Explorer\\FileOutA.dat\r\n%APPDATA%\\Microsoft\\Network\\DFileA.dll\r\n%APPDATA%\\Microsoft\\Network\\DFileC.dll\r\n%APPDATA%\\Microsoft\\Network\\DFileD.dll\r\n%APPDATA%\\Microsoft\\Network\\subst.sep\r\n%APPDATA%\\Microsoft\\WebA.dll\r\n%APPDATA%\\Microsoft\\WebB.dll\r\n%APPDATA%\\Microsoft\\WebC.dll\r\n%APPDATA%\\Microsoft\\Windows\\LnkClass.dat\r\n%APPDATA%\\Microsoft\\Windows\\SendTo\\cryptui.sep\r\n%APPDATA%\\Microsoft\\Windows\\SendTo\\load.dll\r\n%APPDATA%\\Microsoft\\Windows\\load.rem\r\n%APPDATA%\\Microsoft\\Windows\\mapisp.dll\r\n%APPDATA%\\Microsoft\\exitUI.rs\r\n%APPDATA%\\Microsoft\\sppsvc.tbl\r\n%APPDATA%\\Microsoft\\subst.tbl\r\n%APPDATA%\\newplgs.dll\r\n%APPDATA%\\rfvtgb.dll\r\n%APPDATA%\\sdfcvb.dll\r\n%APPDATA%\\msreg.dll\r\n%APPDATA\\Microsoft\\dfsadu.dll\r\n%COMMON_APPDATA%\\Microsoft\\Windows\\user.rem\r\n%TEMP%\\BeFileA.dll\r\n%TEMP%\\BeFileC.dll\r\n%TEMP%\\RepairA.dll\r\n%TEMP%\\RepairB.dll\r\n%TEMP%\\RepairC.dll\r\n%TEMP%\\RepairD.dll\r\n%TEMP%\\wrtreg_32.dll\r\n%TEMP%\\wrtreg_64.dll\r\n%appdata%\\dwhost.exe\r\n%appdata%\\msreg.exe\r\n%appdata%\\return.exe\r\n%appdata%\\winword.exe\r\nDomains and 
IPs\r\n103.195.150[.]106\r\n103.229.1[.]26\r\n103.243.24[.]171\r\n103.243.26[.]211\r\n103.30.40[.]116\r\n103.30.40[.]39\r\n103.39.109[.]239\r\n103.39.109[.]252\r\n103.39.110[.]193\r\n103.56.115[.]69\r\n103.82.52[.]18\r\n117.18.4[.]6\r\n144.48.241[.]167\r\n144.48.241[.]32\r\n150.129.81[.]21\r\n43.252.228[.]179\r\n43.252.228[.]252\r\n43.252.228[.]75\r\n43.252.228[.]84\r\n43.252.230[.]180\r\nmenjitghyukl.myfirewall[.]org\r\nAdditional Suspected C\u0026Cs\r\n43.252.230[.]173\r\n185.216.117[.]91\r\n103.215.82[.]161\r\n103.96.72[.]148\r\n122.10.82[.]30\r\nMutexes\r\nFindFirstFile Message Bi\r\nset instance state\r\nforegrounduu state\r\nsingle UI\r\nOffice Module\r\nprocess attach Module\r\nSource: https://securelist.com/mosaicregressor/98849/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/mosaicregressor/98849/"
	],
	"report_names": [
		"98849"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434915,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1275e2ee3dc2ebdc22778803ae7e1bbd6a0b545.pdf",
		"text": "https://archive.orkl.eu/c1275e2ee3dc2ebdc22778803ae7e1bbd6a0b545.txt",
		"img": "https://archive.orkl.eu/c1275e2ee3dc2ebdc22778803ae7e1bbd6a0b545.jpg"
	}
}