MosaicLoader Malware Downloader Distributed Via Internet Ads for Cracked Software

Bitdefender security researchers have identified a new malware variant dubbed MosaicLoader, which is being distributed in a worldwide campaign disguised as cracked software. The malware acts as a downloader of secondary payloads and was named due to the complex internal structure designed to evade detection by security solutions and hamper researchers’ attempts at reverse engineering the malware.

The threat actor behind the campaign is not targeting any specific geographical region, with the only targeting being individuals looking to download pirated software. The malware dropper used in the campaign is disguised as a legitimate software executable, including icons similar to the legitimate software installer that the dropper mimics.

A variety of names have been used in the campaign for the installers, including mirc-7-64-keygen-plus-crack-fully-version-free-download, officefix-professional6-122-crack-full-version-latest-2021, and setup-starter_v2.3.1. The metadata of the installation file also includes legitimate company names and descriptions which may be sufficient to pass superficial checks.

One of the malware droppers identified by the researchers mimics an NVIDIA process, and uses a revoked digital signature unrelated to NVIDIA, which the researchers suggest was either cryptographically insecure or abused by malware.

Once downloaded onto a device, the malware downloads multiple secondary payloads from domains under the control of the attackers via a complex chain of processes. Secondary payloads include Remote Access Trojans (RATs), backdoors, information stealers, and cryptocurrency miners.

Malware variants observed being downloaded by MosaicLoader include the Glupteba backdoor, the XMRig cryptocurrency miner, Presenoker adware, AsyncRAT, and multiple cookie stealers. It is unclear whether the malware is currently being offered to other cybercriminal gangs as malware-as-a-service, but since any payload can be delivered, it would potentially be profitable under this model.

The malware is being distributed using paid advertisements in search engine results, with the ads appearing for certain search terms from individuals looking to download pirated software.

Protecting against infection is simple. Do not attempt to download pirated or cracked software from any source. Downloading pirated software is illegal, and software installation files and keygens often include malware, adware, and other potentially unwanted programs.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of