TransferLoader Malware Enables Attackers to Execute Arbitrary Commands on Infected Systems
A formidable new malware loader, dubbed TransferLoader, has emerged as a significant cybersecurity threat, as detailed in a recent report by Zscaler ThreatLabz.
Active since at least February 2025, this sophisticated malware has been observed deploying multiple components, including a downloader, a backdoor, and a specialized loader for the backdoor module.
These components collectively enable attackers to execute arbitrary commands on compromised systems, posing a severe risk to organizations worldwide.
Notably, TransferLoader has been linked to the deployment of Morpheus ransomware, with a documented attack on an American law firm, highlighting its destructive potential in real-world scenarios.
Threat Identified by Zscaler ThreatLabz
TransferLoader’s design showcases a high level of technical sophistication, incorporating advanced anti-analysis techniques and code obfuscation to thwart reverse engineering efforts.
Its components employ methods such as dynamic resolution of Windows APIs through hashing algorithms, runtime string decryption using bitwise XOR operations with unique 8-byte keys, and complex control flow obfuscation.

Two distinct obfuscation methods are utilized: the first, exclusive to TransferLoader, manipulates block addresses for execution jumps, while the second, used in embedded payloads, leverages SIMD registers for instruction handling with added junk code to hinder analysis.
Additionally, anti-VM and anti-debug mechanisms, like checking the BeingDebugged field in the Process Environment Block (PEB) and validating filenames against hardcoded substrings, further complicate detection and analysis.

The malware also modifies standard encryption processes, such as AES-CBC decryption with a custom key expansion, making automated decryption challenging for security tools.
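Two of the obfuscation patterns described above, per-string XOR decryption with an 8-byte key and API resolution by name hashing, are routinely undone by analysts with small helpers like the following. This is an added example written for this article, not Zscaler's or TransferLoader's code: the blob layout (8-byte key followed by the encrypted, NUL-terminated string), the ROR13 hash function and the sample blob are assumptions constructed for illustration, since the report does not give the malware's exact algorithms.

```python
"""Analyst helpers for two obfuscation patterns: runtime string decryption
with a per-string 8-byte XOR key, and Windows API resolution by name hashing.
Added example; the blob layout, the ROR13 hash and the sample data are
assumptions constructed for illustration, not TransferLoader's real scheme."""
from itertools import cycle

KEY_LEN = 8

def xor_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so the same call encrypts."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key")
    return bytes(c ^ k for c, k in zip(ciphertext, cycle(key)))

def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext key recovery: if the first 8 plaintext bytes can be
    guessed (a DLL name, a URL scheme), XORing them with the first 8
    ciphertext bytes yields the whole 8-byte key."""
    if len(known_prefix) < KEY_LEN or len(ciphertext) < KEY_LEN:
        raise ValueError("need at least 8 bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:KEY_LEN], known_prefix[:KEY_LEN]))

def decrypt_blob(blob: bytes) -> bytes:
    """Assumed layout: 8-byte key, then the XOR-encrypted NUL-terminated string."""
    key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    plain = xor_decrypt(body, key)
    return plain.split(b"\x00", 1)[0]

def ror13_hash(name: str) -> int:
    """Illustrative 32-bit ROR13 additive hash over the ASCII export name."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h

def build_hash_table(export_names):
    """Precompute hash -> name so hashes found in a sample can be looked up."""
    return {ror13_hash(n): n for n in export_names}

def resolve_hashes(hashes, table):
    """Map each hash seen in the sample to an export name, or mark it unresolved."""
    return [table.get(h, "<unresolved>") for h in hashes]

# Constructed sample: encrypt a known string so the helpers have something to undo.
SAMPLE_KEY = bytes.fromhex("a1b2c3d4e5f60718")
SAMPLE_BLOB = SAMPLE_KEY + xor_decrypt(b"kernel32.dll\x00", SAMPLE_KEY)

if __name__ == "__main__":
    print(decrypt_blob(SAMPLE_BLOB))
    print(recover_key(SAMPLE_BLOB[KEY_LEN:], b"kernel32") == SAMPLE_KEY)
    table = build_hash_table(["CreateFileW", "VirtualAlloc", "LoadLibraryA"])
    print(resolve_hashes([ror13_hash("VirtualAlloc"), 0xDEADBEEF], table))
```

In practice the hash table is built from the export lists of the DLLs the sample imports, and the hash routine is transcribed from the sample itself; the known-plaintext step is what makes per-string keys cheap to strip even when there are hundreds of them.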
Technical Sophistication and Evasion Tactics
The downloader component, one of the most prevalent payloads, retrieves additional malicious content from command-and-control (C2) servers via HTTPS GET requests, using headers like “Microsoft Edge/1.0” and custom identifiers, before decrypting and executing them with a hardcoded XOR key.
Meanwhile, the backdoor module serves as the core orchestrator, facilitating remote command execution and configuration updates, with a notable fallback to the decentralized InterPlanetary File System (IPFS) for C2 server updates if primary connections fail.
This resilience ensures sustained control over infected systems even under server takedown scenarios.
The backdoor supports both HTTPS and raw TCP communications, encrypting network packets with custom stream ciphers and validating integrity through checksums, adding layers of stealth to its operations.
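The downloader's network behaviour gives defenders two cheap signals: the odd "Microsoft Edge/1.0" header value (a genuine Edge User-Agent begins with "Mozilla/5.0") and contacts to the C2 hosts and IPFS name listed in the IOC table below. The following detection logic, an added example rather than anything from the article or Zscaler, scans proxy log lines for both; the log format and the sample lines are constructed, and the hosts are refanged from the IOC table.

```python
"""Scan web-proxy log lines for TransferLoader downloader traffic: the
suspicious User-Agent and known C2 hosts, including the IPFS fallback.
Added example; the log format and SAMPLE_LOG are constructed for illustration."""
import re
from urllib.parse import urlparse

# Hosts refanged from the article's IOC table.
C2_HOSTS = {"mainstomp.cloud", "baza.com", "temptransfer.live", "sharemoc.space"}
IPFS_IPNS_KEY = "k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao"
SUSPICIOUS_UA = "Microsoft Edge/1.0"  # real Edge UAs start with "Mozilla/5.0"

# Constructed log format: <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "ua": ua}

def classify(entry):
    """Collect every reason a single request looks like downloader traffic."""
    reasons = []
    if entry["ua"] == SUSPICIOUS_UA:
        reasons.append("user-agent matches downloader header")
    u = urlparse(entry["url"])
    host = (u.hostname or "").lower()
    if host in C2_HOSTS:
        reasons.append(f"known downloader C2 host {host}")
    if host == "ipfs.io" and IPFS_IPNS_KEY in u.path:
        reasons.append("IPFS IPNS key used for C2 updates")
    return reasons

def scan(lines):
    """Return (src_ip, url, reasons) for every line that triggers at least one rule."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append((entry["src"], entry["url"], reasons))
    return alerts

SAMPLE_LOG = [
    '2025-05-01T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0"',
    '2025-05-01T10:00:07Z 10.0.0.5 GET https://mainstomp.cloud/MDcMkjAxsLKsT 200 "Microsoft Edge/1.0"',
    '2025-05-01T10:02:19Z 10.0.0.9 GET https://ipfs.io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao 200 "Mozilla/5.0"',
    '2025-05-01T10:03:00Z 10.0.0.9 GET https://cdn.example.net/lib.js 200 "Microsoft Edge/1.0"',
    'malformed line that the parser must tolerate',
]

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG):
        print(f"{src} {url}: {'; '.join(reasons)}")
```

The User-Agent rule on its own is worth an alert because the value is not one any browser emits; the host rules match the public IOCs, which attackers rotate, so the IPFS path check is the more durable of the two since it keys on the IPNS name the backdoor uses to find new C2 addresses.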
TransferLoader’s persistence mechanisms are equally concerning: the backdoor loader targets processes like explorer.exe or wordpad.exe, uses COM hijacking via registry manipulation for persistence, and stores configuration data under registry keys like SOFTWARE\Microsoft\PhoneConfig.
Its ability to execute remote shell commands, manipulate files, and collect detailed host information underscores the extensive control attackers gain over compromised environments.
Zscaler’s multilayered cloud security platform detects TransferLoader through sandbox analysis and assigns threat names such as Win32.Downloader.TransferDownloader to provide coverage against this evolving threat.
Indicators of Compromise (IOCs)
| IOC | Description |
|---|---|
| 11d0b292ed6315c3bf47f5df4c7804edccbd0f6018777e530429cc7709ba6207 | Backdoor loader |
| b8f00bd6cb8f004641ebc562e570685787f1851ecb53cd918bc6d08a1caae750 | Backdoor |
| b55ba0f869f6408674ee9c5229f261e06ad1572c52eaa23f5a10389616d62efe | TransferLoader |
| https://mainstomp[.]cloud/MDcMkjAxsLKsT | Downloader C2 server |
| https://baza[.]com/loader.bin | Downloader C2 server |
| https://temptransfer[.]live/SkwkUTIoFTrXYRMd | Downloader C2 server |
| https://sharemoc[.]space/XdYUmFd2xX | Downloader C2 server |
| https://ipfs[.]io/ipns/k51qzi5uqu5djqy6wp9nng1igaatx8nxwpye9iz18ce6b8ycihw8nt04khemao | IPFS URL for C2 updates |