Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed “MosaicLoader” that singles out individuals searching for cracked software as part of a global campaign.

“The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service,” Bitdefender researchers said in a report shared with The Hacker News. “The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links.”

Upon successful infection, the initial Delphi-based dropper — which masquerades as a software installer — acts as an entry point to fetch next-stage payloads from a remote server. It also adds local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning.
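
The Defender exclusions described above leave a trace defenders can hunt for. The following is an added example, not code from Bitdefender's report or from this page: it scans Windows Defender configuration-change events (Event ID 5007) for newly added exclusions that name a single executable in a user-writable directory. It assumes the events were exported as (event ID, "New value" text) pairs in the registry-path form shown; the sample events and the directory list are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Registry location where Defender stores path and process exclusions.
# Assumption: the 5007 "New value" text has the form "<key>\<target> = 0x0".
EXCLUSION_KEY = re.compile(
    r"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes)\\(?P<target>.+?)\s*=\s*0x[0-9a-f]+\s*$",
    re.IGNORECASE,
)
# Assumption: user-writable locations where downloaded executables get staged.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def parse_exclusion(new_value):
    """Return (kind, target) if the text records an added exclusion, else None."""
    m = EXCLUSION_KEY.search(new_value)
    return (m.group("kind").capitalize(), m.group("target")) if m else None

def suspicious_exclusions(events):
    """Return exclusions that name one .exe inside a user-writable directory."""
    hits = []
    for event_id, new_value in events:
        if event_id != 5007:          # only configuration-change events
            continue
        parsed = parse_exclusion(new_value)
        if parsed is None:            # some other Defender setting changed
            continue
        kind, target = parsed
        is_exe = PureWindowsPath(target).suffix.lower() == ".exe"
        staged = any(part in target.lower() for part in USER_WRITABLE)
        if is_exe and staged:
            hits.append((kind, target))
    return hits

# Constructed sample events (not taken from any real host or report).
BASE = r"HKLM\SOFTWARE\Microsoft\Windows Defender"
SAMPLE_EVENTS = [
    (5007, BASE + r"\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp\setup-helper.exe = 0x0"),
    (5007, BASE + r"\Exclusions\Paths\D:\BuildAgent\work = 0x0"),
    (5007, BASE + r"\Exclusions\Processes\C:\ProgramData\svc\updater.exe = 0x0"),
    (5007, BASE + r"\Real-Time Protection\DisableRealtimeMonitoring = 0x0"),
    (1116, "constructed placeholder for an unrelated detection event"),
]

if __name__ == "__main__":
    for kind, target in suspicious_exclusions(SAMPLE_EVENTS):
        print(f"review {kind} exclusion: {target}")
```

A directory-wide exclusion such as the build-agent entry is not flagged by this check, so it complements rather than replaces a periodic review of the full exclusion list.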

Analyst Notes

Downloading pirated or cracked software is often a risk, as attackers use it as an infection vector. Because the software is cracked, the user already expects that it might not match the checksum of the legitimate software and will run it on their machine anyway. Always obtain your software from legitimate, trusted vendors.