Date: 05/16/2025
Severity: High
Summary
TransferLoader is a newly identified malware loader active since February 2025, comprising a downloader, loader, and backdoor module. It was observed deploying Morpheus ransomware at a U.S. law firm. The malware uses heavy obfuscation to hinder analysis and enables remote command execution. Its backdoor leverages IPFS as a fallback for C2 updates.
Indicators of Compromise (IOC) List
Domains / URLs:
  https://mainstomp.cloud/MDcMkjAxsLKsT
  https://baza.com/loader.bin
  https://temptransfer.live/SkwkUTIoFTrXYRMd
  https://sharemoc.space/XdYUmFd2xX
  https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao
SHA-256 hashes:
  11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207
  b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750
  b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains / URLs:
  domainname like "https://mainstomp.cloud/MDcMkjAxsLKsT" or url like "https://mainstomp.cloud/MDcMkjAxsLKsT" or siteurl like "https://mainstomp.cloud/MDcMkjAxsLKsT"
  or domainname like "https://baza.com/loader.bin" or url like "https://baza.com/loader.bin" or siteurl like "https://baza.com/loader.bin"
  or domainname like "https://temptransfer.live/SkwkUTIoFTrXYRMd" or url like "https://temptransfer.live/SkwkUTIoFTrXYRMd" or siteurl like "https://temptransfer.live/SkwkUTIoFTrXYRMd"
  or domainname like "https://sharemoc.space/XdYUmFd2xX" or url like "https://sharemoc.space/XdYUmFd2xX" or siteurl like "https://sharemoc.space/XdYUmFd2xX"
  or domainname like "https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao" or url like "https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao" or siteurl like "https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao"
Hash:
  sha256hash IN ("11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207","b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe","b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750")
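As an added example (not from this advisory and not Gurucul's own tooling), the same IOC matching in Python, run over constructed sample events. The field names url, domainname and sha256hash follow the query above; treating ipfs.io as a shared public gateway that is only matched on the full IOC URL, not on the bare hostname, is an assumption made here to avoid flagging every IPFS gateway request.

```python
# Added example: match the TransferLoader IOCs listed above against
# constructed sample telemetry (not real logs from any environment).
from urllib.parse import urlparse

# IOCs taken from the advisory above.
IOC_URLS = [
    "https://mainstomp.cloud/MDcMkjAxsLKsT",
    "https://baza.com/loader.bin",
    "https://temptransfer.live/SkwkUTIoFTrXYRMd",
    "https://sharemoc.space/XdYUmFd2xX",
    "https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao",
]
IOC_SHA256 = {
    "11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207",
    "b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750",
    "b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe",
}
IOC_URL_SET = set(IOC_URLS)
# Assumption: shared public gateways are only matched on the full IOC URL,
# because a bare-hostname hit on them would be noisy (legitimate traffic).
SHARED_HOSTS = {"ipfs.io"}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS} - SHARED_HOSTS

def match_event(event):
    """Return the IOC types an event hits: 'url', 'domain' and/or 'sha256'.
    Works for URL-bearing events and for domain-only records (e.g. DNS)."""
    hits = []
    url = event.get("url", "")
    if url.split("?", 1)[0] in IOC_URL_SET:   # ignore any query string
        hits.append("url")
    host = event.get("domainname") or (urlparse(url).hostname if url else None)
    if host and host.lower() in IOC_HOSTS:
        hits.append("domain")
    if event.get("sha256hash", "").lower() in IOC_SHA256:  # case-insensitive
        hits.append("sha256")
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"url": "https://mainstomp.cloud/MDcMkjAxsLKsT", "domainname": "mainstomp.cloud"},
    {"domainname": "temptransfer.live"},                      # DNS-only record
    {"url": "https://ipfs.io/ipfs/QmUnrelatedExampleContent"},  # benign gateway use
    {"sha256hash": "B8F00BD6CB8F004641EBC562E570685787F1851ECB53CD918BC6D08A1CAAE750"},
    {"url": "https://example.com/index.html", "domainname": "example.com"},
]

def scan(events):
    """Return (index, hits) for every event that matches at least one IOC."""
    return [(i, h) for i, h in enumerate(map(match_event, events)) if h]
```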
Reference:
https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader#indicators-of-compromise--iocs-