Technical Analysis of TransferLoader

TransferLoader is a newly identified malware loader, active since February 2025, that bundles several embedded components (a downloader, a backdoor, and a backdoor loader), all built with advanced anti-analysis and obfuscation techniques. It has been observed delivering Morpheus ransomware and uses the decentralized InterPlanetary File System (IPFS) as a resilient fallback for command-and-control (C2) communications, affecting targeted organizations and the security controls that protect them.

Keypoints

  • TransferLoader has been active since at least February 2025 and consists of three primary components: a downloader, a backdoor, and a backdoor loader.
  • The malware uses sophisticated anti-analysis techniques including anti-debugging, code obfuscation, runtime string decryption, and junk code insertion to evade detection and hinder reverse engineering.
  • The backdoor module supports command execution, file read/write, configuration updates, and utilizes the InterPlanetary File System (IPFS) as a fallback C2 channel for enhanced persistence and resiliency.
  • The downloader component retrieves additional payloads via HTTPS, decrypts them, executes them, and opens decoy PDF files to hide malicious activity.
  • The backdoor loader manages backdoor configuration by communicating through encrypted named pipes and achieves persistence through COM hijacking and registry modifications.
  • TransferLoader has been observed delivering the Morpheus ransomware, linking it to financially motivated cyberattacks, including against an American law firm.
  • Zscaler’s cloud security platform detects TransferLoader-related activities under the threat name Win32.Downloader.TransferDownloader, identifying associated IOCs and providing protection.

MITRE Techniques

  • [T1064] Scripting – TransferLoader executes downloaded payloads and embedded modules dynamically. (“The downloader sends an HTTPS GET request to the server to retrieve the payload. The downloader decrypts the received payload using a bitwise-XOR operation…”)
  • [T1055] Process Injection – Backdoor loader injects backdoor code in explorer.exe or wordpad.exe processes. (“The backdoor loader expects to reside either in the memory space of an Explorer instance (explorer.exe) or WordPad (wordpad.exe).”)
  • [T1071] Application Layer Protocol – The backdoor communicates with C2 servers over HTTPS and raw TCP with custom headers. (“The backdoor supports both HTTPS and raw TCP communication methods…”)
  • [T1105] Ingress Tool Transfer – The downloader retrieves additional payloads from remote C2 servers over HTTPS. (“The downloader component…download an additional payload from a C2 server…”)
  • [T1185] Component Object Model Hijacking – Persistence is achieved through COM hijacking via registry key modification. (“Uses the registry key SOFTWARE\Classes\CLSID… to add persistence on the compromised host…”)
  • [T1027] Obfuscated Files or Information – Usage of code obfuscation, string encryption, junk code blocks, and custom decryption routines. (“Each TransferLoader component decrypts strings at runtime using a bitwise-XOR operation…”)
  • [T1497] Virtualization/Sandbox Evasion – Anti-debugging and anti-VM techniques such as checking the BeingDebugged flag and requiring specific command-line parameters. (“All components leverage the BeingDebugged field in the Process Environment Block to detect a debugging session.”)

Indicators of Compromise

  • [File Hashes] TransferLoader components – 11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207 (Backdoor loader), b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750 (Backdoor), b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe (TransferLoader main)
  • [Domains] Downloader C2 servers – https://mainstomp[.]cloud/MDcMkjAxsLKsT, https://baza[.]com/loader.bin, https://temptransfer[.]live/SkwkUTIoFTrXYRMd, https://sharemoc[.]space/XdYUmFd2xX
  • [URL] IPFS Network – https://ipfs[.]io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao (used for updating backdoor C2 servers)
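As an added example (not code from the Zscaler report), a small Python hunting helper that refangs the indicators listed above and matches them against constructed proxy-log lines and file hashes; the log line format and sample lines are assumptions, and ipfs.io is treated as a public gateway that is only flagged when the full IPNS path matches.

```python
import hashlib
import re

# Indicators copied from the report summary above, in their published defanged form.
TRANSFERLOADER_URLS = [
    "https://mainstomp[.]cloud/MDcMkjAxsLKsT",
    "https://baza[.]com/loader.bin",
    "https://temptransfer[.]live/SkwkUTIoFTrXYRMd",
    "https://sharemoc[.]space/XdYUmFd2xX",
    "https://ipfs[.]io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao",
]
TRANSFERLOADER_SHA256 = {
    "11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207": "Backdoor loader",
    "b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750": "Backdoor",
    "b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe": "TransferLoader main",
}

def refang(ioc: str) -> str:
    """Turn the published defanged form ("[.]", "hxxp") back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def ioc_hosts() -> set:
    """Host names taken from the URL indicators, e.g. 'mainstomp.cloud'."""
    return {re.sub(r"^https?://", "", refang(u)).split("/")[0].lower() for u in TRANSFERLOADER_URLS}

def match_proxy_log(lines):
    """Return (line_no, host) for every line whose requested URL is a known C2 indicator.
    ipfs.io is a shared public gateway, so only the exact IPNS path from the report is flagged."""
    hosts = ioc_hosts()
    ipfs_paths = {refang(u) for u in TRANSFERLOADER_URLS if "ipfs" in u}
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"https?://([^/\s]+)(/\S*)?", line)
        if not m:
            continue
        host, url = m.group(1).lower(), m.group(0)
        if host == "ipfs.io":
            if any(url.startswith(p) for p in ipfs_paths):
                hits.append((n, host))
        elif host in hosts:
            hits.append((n, host))
    return hits

def match_file_hash(data: bytes):
    """Label the component if the SHA-256 of data is a published hash, else None."""
    return TRANSFERLOADER_SHA256.get(hashlib.sha256(data).hexdigest())

# Constructed sample proxy log (assumed format: timestamp client method url status).
SAMPLE_PROXY_LOG = [
    "2025-03-01T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200",
    "2025-03-01T10:00:07Z 10.0.0.5 GET https://temptransfer.live/SkwkUTIoFTrXYRMd 200",
    "2025-03-01T10:01:12Z 10.0.0.7 GET https://ipfs.io/ipfs/QmUnrelatedContent 200",
    "2025-03-01T10:02:30Z 10.0.0.7 GET https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao 200",
]
```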


Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader
