Technical Analysis of TransferLoader

    Date: 05/16/2025

    Severity: High

    Summary

    TransferLoader is a newly identified malware loader, active since February 2025, built from three components: a downloader, a loader, and a backdoor. It was observed delivering Morpheus ransomware to a U.S. law firm. The code is heavily obfuscated to slow analysis, and the backdoor gives the operator remote command execution on the host. When its primary command-and-control (C2) servers are unreachable, the backdoor falls back to an IPFS/IPNS name to fetch updated C2 configuration, so the IPNS record below is as much an IOC as the conventional domains.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    https://mainstomp.cloud/MDcMkjAxsLKsT

    https://baza.com/loader.bin

    https://temptransfer.live/SkwkUTIoFTrXYRMd

    https://sharemoc.space/XdYUmFd2xX

    https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao

    Hashes (SHA-256):

    11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207

    b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750

    b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    Note: a domain field never holds a full URL, so the domain clause below matches bare hostnames only; full URLs are matched against the url and siteurl fields. ipfs.io is a shared public gateway used by legitimate traffic and is deliberately left out of the domain list; the IPNS path is matched at URL level only.

    domainname IN ("mainstomp.cloud","baza.com","temptransfer.live","sharemoc.space") or url like "https://mainstomp.cloud/MDcMkjAxsLKsT" or siteurl like "https://mainstomp.cloud/MDcMkjAxsLKsT" or url like "https://baza.com/loader.bin" or siteurl like "https://baza.com/loader.bin" or url like "https://temptransfer.live/SkwkUTIoFTrXYRMd" or siteurl like "https://temptransfer.live/SkwkUTIoFTrXYRMd" or url like "https://sharemoc.space/XdYUmFd2xX" or siteurl like "https://sharemoc.space/XdYUmFd2xX" or url like "https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao" or siteurl like "https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao"

    Hashes (SHA-256):

    sha256hash IN ("11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207","b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe","b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750")
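    As an added example (this is editor-written code, not part of the Gurucul page or of the Zscaler analysis it references), the Python below turns the IOC list above into the three match types a detection engineer actually wants from it: exact URL, attacker-controlled domain (including subdomains), and the IPNS name on its own. The last one goes slightly beyond the listed URL: an IPNS name resolves through any public gateway, so the example flags it regardless of gateway host while leaving ordinary ipfs.io traffic alone. The proxy and EDR log formats, the hostnames such as dweb.link and cdn.temptransfer.live, and the benign hash are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# IOCs copied from the advisory above.
IOC_URLS = {
    "https://mainstomp.cloud/MDcMkjAxsLKsT",
    "https://baza.com/loader.bin",
    "https://temptransfer.live/SkwkUTIoFTrXYRMd",
    "https://sharemoc.space/XdYUmFd2xX",
    "https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao",
}
IOC_SHA256 = {
    "11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207",
    "b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750",
    "b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe",
}

# Shared public gateways: the host is not attacker-controlled, only the IPNS name is.
SHARED_GATEWAYS = {"ipfs.io"}


def derive_iocs(urls):
    """Split full IOC URLs into (blockable domains, exact URLs, IPNS names)."""
    domains, exact, ipns = set(), set(), set()
    for u in urls:
        p = urlparse(u)
        exact.add(u.rstrip("/").lower())
        m = re.search(r"/ipns/([a-z0-9]+)", p.path)
        if m:
            ipns.add(m.group(1))
        if p.hostname and p.hostname.lower() not in SHARED_GATEWAYS:
            domains.add(p.hostname.lower())
    return domains, exact, ipns


def match_url(url, domains, exact, ipns):
    """Return the match type for a URL, or None when it matches no IOC."""
    host = (urlparse(url).hostname or "").lower()
    if url.rstrip("/").lower() in exact:
        return "exact-url"
    if host in domains or any(host.endswith("." + d) for d in domains):
        return "domain"
    # IPNS name anywhere in the URL catches gateway rotation (assumption: any gateway).
    if any(name in url.lower() for name in ipns):
        return "ipns-name"
    return None


def scan_proxy_log(text, urls=IOC_URLS):
    """Constructed proxy format: <ts> <src_ip> <method> <url> <status>."""
    domains, exact, ipns = derive_iocs(urls)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, src, _method, url, _status = parts[:5]
        reason = match_url(url, domains, exact, ipns)
        if reason:
            hits.append((ts, src, url, reason))
    return hits


def scan_hash_log(text, hashes=IOC_SHA256):
    """Constructed EDR format: <ts> <hostname> <sha256> <path>."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, host, sha, path = parts
        if sha.lower() in hashes:
            hits.append((ts, host, sha.lower(), path))
    return hits


# Constructed sample input: one exact URL hit, one benign ipfs.io fetch (no hit),
# the IPNS name on a different gateway, and a subdomain of a listed domain.
PROXY_LOG = """
2025-05-16T10:02:11Z 10.1.4.23 GET https://mainstomp.cloud/MDcMkjAxsLKsT 200
2025-05-16T10:02:13Z 10.1.4.23 GET https://www.example.com/index.html 200
2025-05-16T10:03:40Z 10.1.4.23 GET https://ipfs.io/ipfs/QmConstructedBenignCid 200
2025-05-16T10:05:02Z 10.1.4.23 GET https://dweb.link/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao 200
2025-05-16T10:06:30Z 10.1.4.99 GET https://cdn.temptransfer.live/SkwkUTIoFTrXYRMd 200
"""

# Constructed EDR events: one listed hash, one benign hash (SHA-256 of the empty string).
EDR_LOG = r"""
2025-05-16T10:02:15Z WS-0423 B8F00BD6CB8F004641EBC562E570685787F1851ECB53CD918BC6D08A1CAAE750 C:\Users\a\AppData\Local\Temp\update.exe
2025-05-16T10:02:16Z WS-0423 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 C:\Windows\System32\notepad.exe
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("URL  ", hit)
    for hit in scan_hash_log(EDR_LOG):
        print("HASH ", hit)
```

    Hash comparison is case-insensitive because EDR products differ in the case they emit; the domain match is suffix-based so a subdomain of a listed C2 domain is caught, while a lookalike such as a host merely containing the string is not.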

    Reference:

    https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader#indicators-of-compromise--iocs-


    Tags

    Malware, TransferLoader, Backdoor, Morpheus ransomware, United States
