TransferLoader Malware Allows Attackers to Execute Arbitrary Commands on Compromised Systems
A new malware loader named TransferLoader has been discovered that can execute arbitrary commands and deliver the Morpheus ransomware. The malware uses a modular design and decentralized infrastructure to evade security measures, and relies on IPFS as a fallback C2 channel to strengthen persistence. Its anti-analysis techniques include code injection, dynamic API resolution and multi-layer encryption. A recent attack on a US law firm highlights the threat it poses. Monitoring IPFS traffic and tightening API policies are recommended as countermeasures. 2025-5-15 14:38:5 Author: cybersecuritynews.com

TransferLoader Malware Allows Attackers to Execute Arbitrary Commands on Compromised System

A newly identified malware loader dubbed TransferLoader has emerged as a critical threat, enabling attackers to execute arbitrary commands on compromised systems and deliver payloads such as the Morpheus ransomware.

First detected in February 2025 by Zscaler ThreatLabz researchers, this modular malware employs sophisticated evasion techniques and a decentralized infrastructure to bypass security measures.

Its recent deployment against an American law firm underscores its potency in real-world attacks.


TransferLoader operates through a multi-stage framework: a downloader fetches additional payloads, a backdoor orchestrates remote commands, and a specialized loader manages configuration data.

The malware’s operators leverage the InterPlanetary File System (IPFS) as a fallback command-and-control (C2) channel, ensuring persistence even if primary servers are dismantled.

Notably, the backdoor module supports HTTPS and raw TCP communication, while its IPFS integration allows threat actors to dynamically update C2 endpoints, a tactic that complicates takedown efforts.

Zscaler analysts highlighted the malware’s association with Morpheus ransomware, which was deployed in a high-profile attack on a legal institution.

“TransferLoader’s modularity and anti-analysis measures make it a formidable tool for adversaries,” a ThreatLabz researcher noted.

“Its use of legitimate decentralized platforms like IPFS blurs the line between malicious and benign traffic, challenging traditional detection methods.”

Detection Evasion and Anti-Analysis Techniques

TransferLoader’s developers prioritize obfuscation to hinder reverse engineering. The malware employs a combination of junk code insertion, dynamic API resolution, and multi-layered encryption to evade static and dynamic analysis.

The loader checks the BeingDebugged flag in the Process Environment Block (PEB) to detect debuggers.

Additionally, it validates its filename for specific substrings (e.g., ess_) and requires multiple command-line arguments to proceed, a simple but effective method to thwart sandbox execution.

TransferLoader junk code block (Source – Zscaler)

The junk code blocks are inserted to disrupt disassemblers. These non-executable instructions, such as meaningless stack operations and unreachable CALL instructions, force analysts to manually isolate legitimate code paths.

Critical strings, including C2 URLs and API names, are encrypted using XOR operations with 8-byte keys. The decryption routine dynamically reconstructs strings on the stack.

TransferLoader runtime string decryption (Source – Zscaler)

For example, the code snippet below demonstrates how the malware decrypts a 6-byte string using a hardcoded key (0x7EFFA11A3315E0BC):

```python
encrypted = [0xE0, 0xE0, 0x24, 0x33, 0x1A, 0xA1]
key = 0x7EFFA11A3315E0BC
decrypted = bytearray()
for i in range(6):
    # XOR each ciphertext byte with the matching byte of the 8-byte key
    # (key bytes taken in little-endian order, wrapping every 8 bytes)
    decrypted_byte = (key >> (8 * (i % 8))) ^ encrypted[i]
    decrypted.append(decrypted_byte & 0xFF)
```

This approach ensures that strings remain hidden until execution, bypassing static signature-based detection.

TransferLoader obfuscated control flow (Source – Zscaler)

TransferLoader uses two obfuscation methods to obscure control flow. The first calculates jump targets by subtracting hardcoded offsets from the current instruction address. For instance:

```assembly
lea rax, loc_140016892
sub rax, 0x13CE1        ; obfuscated jump offset
jmp rax
```
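The two routines above, the XOR string decryption and the subtract-to-jump control-flow trick, can be reversed with the small analyst helper below. It is an added example, not code from the article or from Zscaler; it generalizes the 6-byte sample to strings of any length (wrapping the 8-byte key) and computes the real destination of the `lea`/`sub`/`jmp` sequence. The sample values are the ones printed in the article; the longer round-trip string is constructed.

```python
# Added example (not from the article or Zscaler): reverses the two
# TransferLoader obfuscation routines the article describes.
import struct


def xor_decrypt(encrypted: bytes, key: int) -> bytes:
    """Undo the 8-byte-key XOR used on TransferLoader strings.

    Byte i is XORed with key byte (i % 8), key bytes taken from the
    little-endian representation, exactly as the article's 6-byte sample
    does. Works for any length, not only 6 bytes. XOR is symmetric, so the
    same function re-applies the obfuscation (useful for round-trip checks).
    """
    key_bytes = struct.pack("<Q", key)  # little-endian 8-byte key
    return bytes(b ^ key_bytes[i % 8] for i, b in enumerate(encrypted))


def resolve_obfuscated_jump(lea_target: int, offset: int) -> int:
    """Real destination of `lea rax, X ; sub rax, OFF ; jmp rax` (64-bit wrap)."""
    return (lea_target - offset) & 0xFFFFFFFFFFFFFFFF


# Sample values from the article's own snippets.
SAMPLE_KEY = 0x7EFFA11A3315E0BC
SAMPLE_CIPHERTEXT = bytes([0xE0, 0xE0, 0x24, 0x33, 0x1A, 0xA1])
SAMPLE_LEA_TARGET = 0x140016892
SAMPLE_OFFSET = 0x13CE1

if __name__ == "__main__":
    print(xor_decrypt(SAMPLE_CIPHERTEXT, SAMPLE_KEY))
    # Constructed string longer than 8 bytes, so the key wraps.
    secret = b"https://example.invalid/path"
    assert xor_decrypt(xor_decrypt(secret, SAMPLE_KEY), SAMPLE_KEY) == secret
    print(hex(resolve_obfuscated_jump(SAMPLE_LEA_TARGET, SAMPLE_OFFSET)))
```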

The second method, used in embedded payloads, stores critical values in SIMD registers and injects redundant arithmetic operations to mask variable assignments.

TransferLoader obfuscation handler (Source – Zscaler)

This technique complicates tracing data flows, as registers are manipulated through bit-shifting and rotation before being used in subsequent operations.

TransferLoader represents a significant escalation in malware sophistication, combining modular payload delivery, decentralized C2 resilience, and layered obfuscation.

Zscaler’s cloud security platform has implemented detections for associated IOCs, including C2 servers like https://mainstomp[.]cloud/MDcMkjAxsLKsT and payload hashes such as b55ba0f869f64.... Cybersecurity teams are advised to monitor for unusual IPFS traffic and enforce strict API execution policies to mitigate risks.



Source: https://cybersecuritynews.com/transferloader-malware-allows-attackers-to-execute-arbitrary-commands/