An ongoing global campaign has been discovered that delivers a newly malware dubbed MosaicLoader via pirated software. The name is based on its internal structure that confuses malware analysts and hinders reverse engineering.

What was discovered?

According to a Bitdefender report, MosaicLoader is used to deploy second-stage payloads on infected computers. 
  • The attackers attempt to infect users trying to download pirated software that are promoted on search engine results.
  • The attackers faked genuine software by using similar icons and adding business names and descriptions in files' metadata.
  • Besides, the attackers were observed using other ways to prevent detection including obfuscating the code in small chunks, using random execution orders, and choosing delivery mechanisms infecting victims with multiple malware strains.
  • The campaign doesn't focus on any particular region. It tries to target any search engine users seeking to download cracked software installers anywhere in the world.

Additional insights

After MosaicLoader is deployed on a targeted system, it downloads other malware such as cryptocurrency miners, cookie stealers, RATs, and backdoors with a complicated attack chain.
  • After being infected by MosaicLoader, malware gathers data from the victim system such as credentials of infected systems using RATs and malware that are capable of stealing data.
  • Further, this stolen information can be used in future attacks wherein attackers hijack victims' online accounts, perform identity theft frauds, or resort to blackmail schemes.


Threats such as MosaicLoader not only perform malicious actions, they further deliver other dangerous malware on the infected systems. One of the most recommended ways to avoid such threats being downloaded on users’ computers is to stop using pirated software.

Cyware Publisher