A newly discovered malware loader, dubbed TransferLoader, has been active since at least February 2025, posing a significant threat to cybersecurity.
Identified in a Zscaler ThreatLabz report, this sophisticated malware comprises multiple components, including a downloader, a backdoor, and a specialized loader for the backdoor, all designed with advanced anti-analysis techniques and code obfuscation to evade detection.
TransferLoader has been observed deploying Morpheus ransomware, notably targeting an American law firm, highlighting its potential for severe impact.
Threat Identified by Zscaler ThreatLabz
TransferLoader’s architecture is engineered for stealth and persistence. Its components employ anti-virtual machine and anti-debugging methods, such as checking filenames for hardcoded substrings and leveraging the BeingDebugged field in the Process Environment Block (PEB) to detect debugging sessions.
The malware uses dynamic resolution of Windows APIs via hashing algorithms and inserts junk code blocks to disrupt decompilation processes.

String encryption is achieved through bitwise-XOR operations with unique 8-byte keys, while two distinct obfuscation methods further complicate reverse engineering.
The first method manipulates control flow by calculating jump addresses, and the second, used in embedded payloads, involves intricate register manipulation and handler-based instruction obfuscation without virtualization.
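Repeating-key XOR of the kind described above is weak against an analyst who knows even one string the sample must contain (a DLL name, a registry path, an HTTP header). The following helper is an added example, not code from the article or from Zscaler's report: it recovers an 8-byte key from a known plaintext, confirms the key really repeats with that period, and scans a byte blob for every place a known string appears encrypted. The key, plaintext and blob below are constructed for the demonstration and are not values from TransferLoader.

```python
"""Repeating-key XOR string decryption with known-plaintext key recovery (added example)."""
from itertools import cycle

KEY_LEN = 8  # the report describes unique 8-byte keys per encrypted string


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover a key_len-byte repeating key from a known plaintext prefix.

    Because c[i] = p[i] ^ k[i % key_len], the first key_len bytes of
    ciphertext XOR plaintext are the key. Any extra known bytes are used
    to confirm the key really repeats with that period.
    """
    if len(known_plaintext) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext")
    if len(ciphertext) < len(known_plaintext):
        raise ValueError("known plaintext is longer than the ciphertext")
    key = xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])
    if xor_bytes(ciphertext[: len(known_plaintext)], key) != known_plaintext:
        raise ValueError(f"known plaintext is inconsistent with a {key_len}-byte repeating key")
    return key


def scan_for_known_plaintext(blob: bytes, known_plaintext: bytes, key_len: int = KEY_LEN):
    """Slide over a blob (e.g. a dumped .rdata section) and report every offset
    at which some key_len-byte repeating key turns the window into known_plaintext."""
    hits = []
    for off in range(len(blob) - len(known_plaintext) + 1):
        window = blob[off : off + len(known_plaintext)]
        key = xor_bytes(window[:key_len], known_plaintext[:key_len])
        if xor_bytes(window, key) == known_plaintext:
            hits.append((off, key))
    return hits


def decrypt_string(ciphertext: bytes, key: bytes) -> str:
    """Decrypt and strip the NUL terminator a C string carries."""
    return xor_bytes(ciphertext, key).rstrip(b"\x00").decode("latin-1")


# Constructed demo data: the key and blob layout are invented for this example.
SAMPLE_KEY = bytes.fromhex("9f3a7c11e05d2b68")
SAMPLE_PLAINTEXT = b"kernel32.dll\x00"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
SAMPLE_BLOB = b"\x00" * 5 + SAMPLE_CIPHERTEXT + b"\xff" * 3

if __name__ == "__main__":
    for off, key in scan_for_known_plaintext(SAMPLE_BLOB, b"kernel32.dll"):
        print(f"offset {off}: key {key.hex()} -> {decrypt_string(SAMPLE_BLOB[off:off + 13], key)!r}")
```

The consistency check in recover_key matters: with only eight known bytes any ciphertext "recovers" a key, so a known string at least a few bytes longer than the key period is what separates a real hit from noise.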

Technical Sophistication and Evasion Tactics
The downloader component retrieves payloads from command-and-control (C2) servers using HTTPS GET requests with custom headers, decrypts them via bitwise-XOR with a hardcoded key, and executes decoy PDF files to mask malicious activity.
The backdoor module, a core orchestrator, enables remote command execution, file operations, and system information collection.
It supports both HTTPS and TCP communication, falling back to the decentralized InterPlanetary File System (IPFS) for C2 server updates if primary connections fail.
Configuration data, stored in registry keys, is managed by the backdoor loader, which also employs persistence mechanisms like Component Object Model (COM) hijacking.
TransferLoader’s payload decryption process involves retrieving encrypted data from specific PE sections, using custom Base32 charsets and modified AES-CBC algorithms to hinder automated analysis.
Older variants relied on either Base32 decoding or AES decryption, but newer samples combine both for added complexity.
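A custom Base32 charset defeats off-the-shelf decoders only until the analyst reads the 32-character alphabet out of the binary. The block below is an added example, not code from the article or from Zscaler: a Base32 encoder and decoder that take the alphabet as a parameter, verified against the standard library for the RFC 4648 alphabet. The alphabet CUSTOM_ALPHABET is a constructed stand-in, not TransferLoader's; the AES-CBC stage that follows Base32 in newer samples is not reproduced because the article does not describe the key, IV or the modification.

```python
"""Base32 with a caller-supplied alphabet, for decoding payloads that use a custom charset (added example)."""
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 alphabet
# Constructed placeholder for the alphabet recovered from a sample; the real one
# is read out of the decoder routine in the binary.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 32 or len(set(alphabet)) != 32:
        raise ValueError("a Base32 alphabet needs exactly 32 distinct characters")


def custom_b32encode(data: bytes, alphabet: str, pad: str = "=") -> str:
    """Pack bytes into 5-bit groups and map each group through the alphabet."""
    _check_alphabet(alphabet)
    bits = nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(alphabet[(bits >> nbits) & 0x1F])
            bits &= (1 << nbits) - 1
    if nbits:  # flush the partial group, left-aligned as RFC 4648 does
        out.append(alphabet[(bits << (5 - nbits)) & 0x1F])
    while len(out) % 8:
        out.append(pad)
    return "".join(out)


def custom_b32decode(text: str, alphabet: str, pad: str = "=") -> bytes:
    """Inverse of custom_b32encode; rejects characters outside the alphabet."""
    _check_alphabet(alphabet)
    table = {ch: i for i, ch in enumerate(alphabet)}
    bits = nbits = 0
    out = bytearray()
    for ch in text.rstrip(pad):
        try:
            bits = (bits << 5) | table[ch]
        except KeyError:
            raise ValueError(f"character {ch!r} is not in the alphabet") from None
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def self_check() -> bool:
    """Agree with the standard library whenever the standard alphabet is used."""
    for sample in (b"", b"a", b"ab", b"abc", b"abcd", b"abcde", b"hello world"):
        std = base64.b32encode(sample).decode()
        if custom_b32encode(sample, STD_ALPHABET) != std:
            return False
        if custom_b32decode(std, STD_ALPHABET) != sample:
            return False
    return True


if __name__ == "__main__":
    blob = custom_b32encode(b"hello", CUSTOM_ALPHABET)
    print(blob, custom_b32decode(blob, CUSTOM_ALPHABET))
```

The decoder deliberately fails on any character outside the supplied alphabet; when a decode of a suspected section raises, the alphabet or the section boundaries were wrong, which is more useful than silently producing garbage that then looks like an encrypted AES blob.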
Zscaler’s multilayered cloud security platform detects TransferLoader under names like Win32.Downloader.TransferDownloader, with detailed sandbox reports confirming its malicious behavior.
TransferLoader represents a formidable tool for threat actors, capable of executing arbitrary commands and deploying ransomware.
Its consistent use in attacks suggests that it will remain a preferred vector for future cyber campaigns, necessitating robust defensive measures.
| IOC | Description |
|---|---|
| 11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207 | Backdoor loader |
| b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750 | Backdoor |
| b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe | TransferLoader |
| https://mainstomp[.]cloud/MDcMkjAxsLKsT | Downloader C2 server |
| https://baza[.]com/loader.bin | Downloader C2 server |
| https://temptransfer[.]live/SkwkUTIoFTrXYRMd | Downloader C2 server |
| https://sharemoc[.]space/XdYUmFd2xX | Downloader C2 server |
| https://ipfs[.]io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao | IPFS URL for C2 updates |
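The indicators above are defanged, and one of them lives on shared infrastructure: matching ipfs[.]io by hostname alone would flag every legitimate IPFS gateway user, so that entry needs a full-path match while the attacker-controlled domains can be matched by host. The script below is an added example, not code from the article or from Zscaler; it refangs the network IOCs from the table, builds both indexes, and runs them over proxy log lines. The log format and the log lines themselves are constructed for the demonstration; the hashes and URLs are the ones in the table.

```python
"""Match the TransferLoader IOCs from the table above against proxy logs (added example)."""
from urllib.parse import urlsplit

# Network IOCs copied from the table above, defanged as published.
NETWORK_IOCS = {
    "https://mainstomp[.]cloud/MDcMkjAxsLKsT": "Downloader C2 server",
    "https://baza[.]com/loader.bin": "Downloader C2 server",
    "https://temptransfer[.]live/SkwkUTIoFTrXYRMd": "Downloader C2 server",
    "https://sharemoc[.]space/XdYUmFd2xX": "Downloader C2 server",
    "https://ipfs[.]io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao": "IPFS URL for C2 updates",
}

# File hashes (SHA-256) copied from the table above.
HASH_IOCS = {
    "11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207": "Backdoor loader",
    "b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750": "Backdoor",
    "b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe": "TransferLoader",
}

# Hosts that are legitimate shared services. A host-only match here would flag
# every user of the service, so require the full path (analyst judgment, not
# something the article states).
SHARED_HOSTS = {"ipfs.io"}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the URL can be parsed."""
    return indicator.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def build_index(iocs: dict):
    by_host, by_url = {}, {}
    for defanged, description in iocs.items():
        parts = urlsplit(refang(defanged))
        host = (parts.hostname or "").lower()
        if host in SHARED_HOSTS:
            by_url[(host, parts.path)] = description
        else:
            by_host[host] = description
    return by_host, by_url


BY_HOST, BY_URL = build_index(NETWORK_IOCS)


def classify_url(url: str):
    """Return the IOC description for a URL, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BY_HOST:
        return BY_HOST[host]
    return BY_URL.get((host, parts.path))


def match_hash(sha256_hex: str):
    return HASH_IOCS.get(sha256_hex.strip().lower())


def scan_proxy_log(lines):
    """Lines use a constructed format: 'timestamp client_ip method url status'."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        description = classify_url(fields[3])
        if description:
            hits.append((lineno, fields[1], fields[3], description))
    return hits


# Constructed log lines; the client IPs and timestamps are invented.
SAMPLE_LOG = [
    "2025-05-14T09:58:02Z 10.0.0.15 GET https://www.example.com/ 200",
    "2025-05-14T09:58:40Z 10.0.0.15 GET https://mainstomp.cloud/other 200",
    "2025-05-14T09:59:10Z 10.0.0.22 GET https://ipfs.io/ipfs/QmConstructedExampleCid 200",
    "2025-05-14T09:59:31Z 10.0.0.15 GET https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao 200",
    "2025-05-14T10:00:05Z 10.0.0.31 GET https://baza.com/loader.bin 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Note that line 2 is flagged even though its path differs from the published URL: for an attacker-registered domain any contact is suspicious, whereas line 3, a different ipfs.io path, is correctly ignored.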