MosaicLoader malware (virus) - Free Guide

MosaicLoader malware Removal Guide

What is MosaicLoader malware?

MosaicLoader malware is a new dangerous threat to software pirates and gamers

MosaicLoader malwareMosaicLoader malware is a downloader that delivers any payload to the system.

If you like using various downloaders or other ways to get software and games for free, chances are that one day you will download a virus as well. One such infection is MosaicLoader malware which has been found by Bitdefender security experts.[1] This new malware strain is advertised as a cracked software installer, but in reality, it is a dangerous downloader that can easily deliver any payload[2] to the infected computer.

Many users download this threat without realizing that they are voluntarily bringing a serious threat into their computer. According to experts, MosaicLoader malware is quite stealthy because it uses various tactics to hide from security experts and increase the likelihood of success to compromise the system. This infection tries to:

  • Mimic file information to look like legitimate software;
  • Payload delivery mechanism infecting the system with several malware strains;
  • Code obfuscation with small chunks and shuffle execution order.

When a threat successfully enters a computer, it can cause many different types of problems. For example, it can easily infect the system with Facebook cookie stealers, remote-access Trojans, cryptocurrency miners, and other threats. This malware-delivery platform has been reported to target Windows users, but users of other systems should also be careful.

Name MosaicLoader malware
Type Malware, malware downloader
Infiltration This threat spreads through paid advertisements mostly
Traits This malware-delivery platform can deliver any threat to the infected system: remote-access trojans, Facebook cookie stealers, etc.
Prevention If you want to avoid similar problems in the future, don't trust suspicious ads, avoid downloading files from unknown websites, and install software only from trusted sources
Removal To ensure your computer is malware-free, scan the system with a powerful SpyHunter 5Combo Cleaner security tool
System fix In case infection causes damage to Windows system files, use FortectIntego to fix everything

The main problem of this malicious downloader is its ability to severely affect user privacy. For example, if the malware sprayer successfully delivers Facebook cookie stealers on the system, these cookie stealers can exfiltrate login data, resulting in complete account takeovers, posts that spread dangerous malware, or other problems.

This malware downloader also spreads remote-access trojans – serious infections that can log keypresses on the system, capture screenshots, record audio from the microphone or images from the webcam, etc. When such important information is stolen, victims become extremely vulnerable as hackers can take over their accounts, attempt to blackmail them, and steal digital identities.

Once the threat is installed on the computer, it creates a complex chain of processes. This malware downloader has a unique obfuscation technique. It shuffles small code chunks around and creates a mosaic-like structure. That's why security experts from Bitdefender named it MosaicLoader.

The first stage is quite simple: the dropper is installed on the system. These droppers try to mimic legitimate software and even have icons and version information or try to look like the NVIDIA process. Then, everything goes according to this plan:[1]

The dropper downloads from the C2 server (checkblanco[.]xyz in our run) into the %TEMP% folder. The .zip file contains the two files required for the second stage, appsetup.exe, and prun.exe. Then, the dropper extracts these files to C:\Program Files (x86)\PublicGaming\ and launches several instances of Powershell to add exclusions from Windows Defender for the folder and the specific file names.

The second stage is performed with a help of the appsetup.exe process. This process is used to attain persistence on the system. It tries to add a new registry value for another component – prun.exe. After that, it registers itself as a “pubgame-updater”. This way appsetup.exe process ensures that the persistence registry key will be added again even after the cleanup.

Then the prun.exe process is launched. This file is capable of transferring the execution of the malware from the main code section to a secondary one. Also, it uses difficult techniques and creates a mosaic-like structure to scramble the order of the chunks to be executed. After that, prun.exe injects code into the process to communicate with the C2. It is necessary because C2 needs to download the final stage of this threat – a malware sprayer.

So, the purpose of the final stage is to download a list of malware and to successfully execute them. Using such tactics, various viruses can enter your computer.

How to avoid the malware: remember a few important rules

If you don’t know how your computer got infected, try remembering if you haven't clicked on any ads recently. This particular malware[3] is rapidly spreading around the world through enticing ads in search results. Cybercriminals targeting users who are looking for pirated software or games but other users may also fall into similar traps.

That’s why it’s always important to think before clicking on any suspicious advertising that looks too good to be true. By clicking on such ads, you may be redirected to various unsafe pages and download infections. Also, never open suspicious emails, don't try to click on strange links you receive, etc.

And the most important rule is to always use a reliable antivirus program. If you want to be safe or easily remove all threats from the computer, we recommend using SpyHunter 5Combo Cleaner or similar well-known security software. Just keep in mind that it's important to update the security tool regularly.

Don't forget to clean your computer

If your computer is infected by MosaicLoader malware, the best solution would be to remove it from your system immediately. There is no reason why you should keep this threat on your computer, even if you downloaded it because of tempting advertising.

The ad is misleading and inaccurate because it's not a cracked software installer. As we mentioned before, it's just a downloader that can deliver any payload to an infected computer. So the longer you keep this malware downloader on your system, the greater the chance that the computer will be infected by more dangerous threats.

Below you will find instructions on how to remove MosaicLoader malware from the computer. If malware is not letting you use antivirus in normal mode, access Safe Mode and perform a full system scan from there.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.
    Windows XP/7
Windows 10 / Windows 8
  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update & Security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
    Choose an option
  7. Go to Advanced options.
    Advanced options
  8. Select Startup Settings.
    Startup settings
  9. Click Restart.
  10. Press 5 or click 5) Enable Safe Mode with Networking.
    Press F5 to enable Safe Mode with Networking

Once you reach Safe Mode, launch SpyHunter 5Combo Cleaner or another reputable antivirus, update it with the latest definitions and perform a full system scan to eradicate malware and all its malicious components.

However, even after successful removal, you may still notice that your computer is performing worse than before. Since this downloader can deliver various types of threats to your computer, there is a good chance that some components performed changes within the Windows registry. We recommend fixing everything with the FortectIntego repair tool after threats are terminated.

  • Download the application by clicking on the link above
  • Click on the ReimageRepair.exe
    Reimage download
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation process
    Reimage installation
  • The analysis of your machine will begin immediately
    Reimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.
    Reimage results

After these steps, your computer should work without serious interruption again. However, even though you have successfully removed the virus and cleaned the system, remember that you should be more careful from now on. Always use updated security software and do not download programs from suspicious pages.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

How to prevent from getting malware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions