
Zscaler ThreatLabz has uncovered a new and dangerous malware loader dubbed TransferLoader, actively used in the wild since at least February 2025. This advanced modular threat is not just another dropper—it’s a highly obfuscated, anti-analysis malware platform delivering payloads ranging from stealthy backdoors to Morpheus ransomware, with attacks observed targeting an American law firm.
“TransferLoader is a new malware loader… with multiple components including a downloader, a backdoor, and a loader for the backdoor,” ThreatLabz writes.
The downloader retrieves malicious payloads via HTTPS using custom headers and decrypts them using a bitwise-XOR loop. It may display a decoy PDF or silently restart the Explorer process to hide its execution.
“The primary goal of the downloader is to download an additional payload from a C2 server and execute a decoy file,” the analysis explains.
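The article says the downloader decrypts its retrieved payload with a bitwise-XOR loop but gives no key. When an analyst has the encrypted blob (for example from a proxy capture) and expects a PE inside, the known-plaintext trick below recovers the key from the `MZ` header and confirms it against the `PE\0\0` signature. This is an added triage example, not ThreatLabz's code or anything from TransferLoader itself; it assumes a single-byte key and a fabricated PE header built inline for the demonstration (TransferLoader's real key length and loop are not stated in the article).

```python
import struct

# Constructed demo key; the real loader's key is not known from the article.
KEY_FOR_DEMO = 0x5A


def build_fake_pe() -> bytes:
    """Assemble just enough of a PE header (MZ stub, e_lfanew, 'PE\\0\\0') to exercise the recovery.
    This is a constructed stand-in, not a real executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 58)        # bytes 0..59 of the DOS header
    hdr += struct.pack("<I", 0x80)               # e_lfanew at 0x3C: NT headers at offset 0x80
    hdr += b"\x00" * (0x80 - len(hdr))           # DOS stub padding
    hdr += b"PE\x00\x00" + b"\x00" * 20          # PE signature plus a dummy COFF header
    return bytes(hdr)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same loop both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check used to validate a candidate key: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes):
    """Known-plaintext recovery: a PE begins with 'MZ', so key = blob[0] ^ 'M'.
    Returns the key byte when the decrypted blob validates as a PE, else None."""
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z"):
        return None
    candidate = xor_bytes(blob, bytes([key]))
    return key if looks_like_pe(candidate) else None


if __name__ == "__main__":
    encrypted = xor_bytes(build_fake_pe(), bytes([KEY_FOR_DEMO]))
    print("recovered key:", hex(recover_single_byte_key(encrypted)))
```

For a multi-byte key the same idea extends to the longer run of known bytes in the DOS stub (the "This program cannot be run in DOS mode" string), which gives enough plaintext to recover keys of typical lengths.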
Specialized for executing the backdoor in memory, the backdoor loader component reads config data, ensures execution context (e.g., inside explorer.exe or wordpad.exe), and sets up COM hijacking.
It also uses named pipes for configuration commands and can receive directives to update the C2 server, set sleep timers, or execute arbitrary PE files in memory.
At the core of the operation, the backdoor performs tasks including:
- Executing remote shell commands
- File upload/download
- System recon and data collection
- Self-removal and cleanup
When the primary C2 is unavailable, it reaches out to InterPlanetary File System (IPFS) to retrieve a new C2 location.
“The backdoor utilizes the decentralized InterPlanetary File System (IPFS) peer-to-peer platform as a fallback channel for updating the command-and-control (C2) server,” the analysis notes.
It supports both TCP and HTTP, encrypting communication using a custom stream cipher—complete with buggy block swapping and nested encryption layers.
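The IPFS fallback described above is a useful detection hook: most corporate endpoints have no business fetching content from public IPFS gateways, so such requests in proxy logs are worth surfacing. The following is an added example of that detection logic, not code from the ThreatLabz report. The log format, the client addresses, the CIDs and the gateway list are all constructed or assumed for the demonstration; the gateway list should be replaced with whatever your own threat intelligence tracks.

```python
import re
from urllib.parse import urlsplit

# Public IPFS HTTP gateways (assumed, non-exhaustive; extend from your own intel feeds).
IPFS_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud", "w3s.link"}

# A CIDv0 ('Qm' + 44 base58 chars) or a base32 CIDv1 ('baf...') in an /ipfs/ path.
CID_PATH_RE = re.compile(r"^/ipfs/(Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{20,})")

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.1.2.3 GET https://www.example.com/index.html 200
2025-03-01T10:00:05Z 10.1.2.3 GET https://ipfs.io/ipfs/QmTestTestTestTestTestTestTestTestTestTestTest 200
2025-03-01T10:00:09Z 10.1.2.7 GET https://bafybeiconstructedsamplecidfortestingonly.ipfs.dweb.link/config.txt 200
2025-03-01T10:00:12Z 10.1.2.9 GET http://203.0.113.10:8080/ipfs/QmTestTestTestTestTestTestTestTestTestTestTest 200
2025-03-01T10:00:15Z 10.1.2.9 GET https://cdn.example.org/static/app.js 304
"""


def host_matches_gateway(host: str) -> bool:
    """True when the host is a known gateway or a subdomain of one (CID-subdomain gateways)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in IPFS_GATEWAYS for i in range(len(labels)))


def classify_url(url: str) -> list:
    """Return the list of reasons a URL looks IPFS-related (empty when it does not)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host_matches_gateway(host):
        reasons.append("ipfs-gateway")
    if "ipfs" in host.lower().split("."):          # <cid>.ipfs.<gateway> style hosts
        reasons.append("ipfs-subdomain")
    if CID_PATH_RE.match(parts.path) or parts.path.startswith("/ipns/"):
        reasons.append("ipfs-path")                # catches self-hosted gateways on unknown hosts
    return reasons


def find_ipfs_requests(log_text: str) -> list:
    """Parse the constructed log format and return the flagged requests in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                                # skip malformed lines rather than crash
        ts, client, method, url, status = fields
        reasons = classify_url(url)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_ipfs_requests(SAMPLE_LOG):
        print(hit["time"], hit["client"], ",".join(hit["reasons"]), hit["url"])
```

The path rule matters because a loader that falls back to IPFS may go through a gateway your list does not know; the CID shape in the URL is the more durable signal.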
TransferLoader is designed to evade both static and dynamic analysis:
- Junk code disrupts disassembly
- Decryption routines rely on custom Base32 schemes and AES variants
- Command-line arguments and process names are validated before execution
- Debugging detection via BeingDebugged in the Process Environment Block (PEB)
“TransferLoader and its payloads contain anti-analysis methods… including junk code blocks, dynamic API resolution, and runtime string decryption.”
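The PEB `BeingDebugged` check listed above has a recognisable footprint in x86/x64 code: the PEB pointer is read from `fs:[0x30]` (32-bit) or `gs:[0x60]` (64-bit) and the flag byte sits at PEB+2. The scanner below is an added triage example, not code from the ThreatLabz report, that locates those instruction encodings in a raw binary and notes whether a read of the `+2` byte follows. It is a heuristic: CRT start-up and loader code also read the PEB pointer, so hits are leads for an analyst, not verdicts. The sample bytes are constructed for the demonstration.

```python
import re

# Instruction encodings that load the PEB pointer from the TEB. Raw bytes patterns so that
# re interprets \xhh escapes itself (this also keeps \x24 from acting as a '$' anchor).
PEB_ACCESS_PATTERNS = {
    "x86 mov eax, fs:[0x30]": re.compile(rb"\x64\xA1\x30\x00\x00\x00"),
    # mov r32, fs:[0x30]: ModRM with mod=00, rm=101 (disp32), any destination register
    "x86 mov r32, fs:[0x30]": re.compile(rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00"),
    # mov r64, gs:[0x60]: REX.W + 8B, ModRM/SIB selecting a disp32 absolute address
    "x64 mov r64, gs:[0x60]": re.compile(rb"\x65\x48\x8B[\x04\x0C\x14\x1C\x24\x2C\x34\x3C]\x25\x60\x00\x00\x00"),
}

# movzx eax, byte ptr [eax+2] / movzx eax, byte ptr [rax+2]: reads PEB->BeingDebugged.
BEINGDEBUGGED_READ = re.compile(rb"\x0F\xB6\x40\x02")


def scan_for_peb_debug_checks(blob: bytes, window: int = 16) -> list:
    """Return hits sorted by offset; each records the encoding seen and whether a
    BeingDebugged byte read appears within `window` bytes after it."""
    hits = []
    for description, pattern in PEB_ACCESS_PATTERNS.items():
        for m in pattern.finditer(blob):
            follow_up = BEINGDEBUGGED_READ.search(blob, m.end(), m.end() + window)
            hits.append({
                "offset": m.start(),
                "encoding": description,
                "reads_beingdebugged": follow_up is not None,
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: NOPs, a 32-bit PEB read followed by the flag read and a test eax,eax,
# some int3 padding, then the 64-bit equivalent. Not taken from any real binary.
SAMPLE_BLOB = (
    b"\x90" * 4
    + b"\x64\xA1\x30\x00\x00\x00"          # mov eax, fs:[0x30]
    + b"\x0F\xB6\x40\x02"                  # movzx eax, byte ptr [eax+2]
    + b"\x85\xC0"                          # test eax, eax
    + b"\xCC" * 3
    + b"\x65\x48\x8B\x04\x25\x60\x00\x00\x00"  # mov rax, gs:[0x60]
    + b"\x0F\xB6\x40\x02"                  # movzx eax, byte ptr [rax+2]
)


if __name__ == "__main__":
    for hit in scan_for_peb_debug_checks(SAMPLE_BLOB):
        print(f"0x{hit['offset']:04x} {hit['encoding']} "
              f"BeingDebugged read follows: {hit['reads_beingdebugged']}")
```

Because the loader also uses dynamic API resolution and junk code, a static scan like this will not catch every variant (the PEB read can be split across junk instructions), so pair it with a debugger or emulator trace when the sample matters.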
Though Morpheus ransomware was not deeply analyzed in the report, its delivery through TransferLoader implies the loader is evolving into a multi-purpose delivery platform.
“Considering TransferLoader’s consistent use in deploying additional payloads including ransomware, we anticipate that threat actors will continue to rely on it in future attacks,” the analysis concludes.