TransferLoader Malware

Security researchers are drawing connections between notorious actors behind the RomCom RAT and a malware loader dubbed TransferLoader. This campaign, which has targeted entities with espionage and ransomware attacks, highlights sophisticated techniques and overlapping infrastructures that demand close scrutiny.

Two Threat Actor Clusters: TA829 and UNK_GreenSec

Cybersecurity researchers have attributed TransferLoader-related activity to two primary threat actor groups:

  • TA829, also tracked under aliases such as RomCom RAT, CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu.
  • UNK_GreenSec, a lesser-known cluster operating in parallel with similar tactics.

TA829 is particularly notable for its hybrid operations, combining espionage and financially motivated attacks. This Russia-aligned group has previously leveraged zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows to deploy RomCom RAT, targeting high-value global organizations.

TransferLoader: Emergence and Role in Malware Campaigns

TransferLoader was first identified in February 2025 during a campaign involving Morpheus ransomware, a rebranded version of HellCat ransomware. The malware was used against an unnamed U.S.-based law firm. Unlike RomCom, TransferLoader primarily serves as a stealthy delivery mechanism, enabling the deployment of additional malicious payloads like Metasploit and Morpheus.

TransferLoader’s mission is simple: remain undetected and deliver further malware.

Exploiting REM Proxy Infrastructure

Both TA829 and UNK_GreenSec rely on REM Proxy services, which are often hosted on compromised MikroTik routers. These proxies are used to route malicious traffic, disguising its true origin. The groups use this infrastructure to:

  • Send phishing emails via freemail services (e.g., Gmail, ukr.net)
  • Relay traffic to hide upstream activity
  • Launch campaigns using both newly created and compromised email accounts

Researchers suspect the use of email builder tools that mass-generate sender addresses like ximajazehox333@gmail.com and hannahsilva1978@ukr.net for phishing distribution.

Phishing Mechanics and Payload Delivery

The phishing messages sent by both clusters often contain links embedded in the email body or PDF attachments. Victims who click these links are subjected to a chain of redirections via Rebrandly, ultimately landing on spoofed Google Drive or Microsoft OneDrive pages. These redirects include mechanisms to:

  • Bypass sandbox environments
  • Filter out systems not of interest
  • Deliver different final payloads depending on the threat group

Divergent Attack Paths:

  • UNK_GreenSec uses this route to deploy TransferLoader
  • TA829 redirects targets to SlipScreen malware

Shared Tools and Infrastructure

Both actor groups demonstrate overlapping toolsets and infrastructure choices:

  • Use of PuTTY’s PLINK utility for establishing SSH tunnels
  • Hosting malicious utilities on IPFS (InterPlanetary File System) services
  • Leveraging dynamic PHP-based redirection endpoints for traffic filtering

These shared methods suggest possible coordination or mutual adoption of effective tactics.

Social Engineering Themes and Delivery Tactics

Campaigns involving TransferLoader often masquerade as job opportunity emails, luring victims with links claiming to lead to PDF resumes. In reality, the link triggers a download of TransferLoader hosted on IPFS webshares.

Key Technical Highlights of TransferLoader Operations

  • Evades Detection – Uses redirection, filtering, and decentralized hosting to bypass traditional defenses.
  • Payload Delivery – Acts as a loader for more dangerous malware, including ransomware and remote access tools.
  • Differentiated Techniques – Employs unique redirect structures (JavaScript to PHP endpoints) to support dynamic content delivery.

Conclusion: Understanding the TransferLoader Threat

TransferLoader represents a significant threat as a stealthy loader capable of enabling high-impact attacks. Its use by both UNK_GreenSec and TA829 illustrates how cybercriminal groups continue to innovate, share tools, and exploit decentralized infrastructure to avoid detection and achieve their goals.

Indicators of the TransferLoader threat include:

  • Use of REM Proxy services
  • Email lures referencing job applications or resumes
  • Redirect chains involving Rebrandly links
  • Payloads hosted on IPFS-based platforms
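As an added example (not part of the original write-up or of any research it cites), the following Python script shows how a defender might check mail-gateway and web-proxy logs for the indicator combination described above: a freemail sender with a job or resume lure, a Rebrandly short link, and a subsequent fetch from an IPFS gateway path by the same host. The key=value log format, the rebrand.ly and /ipfs/ URL patterns, and every sample line are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): mail-gateway and web-proxy
# lines in a simplified "type key=value" format assumed for this example.
SAMPLE_EVENTS = [
    'mail from=hannahsilva1978@ukr.net rcpt=hr@example.org subject="Resume for the open position" url=https://rebrand.ly/placeholder-link',
    'mail from=alice@example.org rcpt=hr@example.org subject="Quarterly budget" url=https://intranet.example.org/budget.xlsx',
    'proxy src=10.0.0.12 url=https://rebrand.ly/placeholder-link status=302',
    'proxy src=10.0.0.12 url=https://ipfs.io/ipfs/placeholder-cid/resume.pdf status=200',
    'proxy src=10.0.0.40 url=https://www.example.com/ status=200',
]

FREEMAIL = {"gmail.com", "ukr.net"}                      # freemail providers named in the campaign
LURE = re.compile(r"\b(resume|cv|job|position|vacancy|application)\b", re.I)
SHORTENER = re.compile(r"^https?://rebrand\.ly/", re.I)  # Rebrandly short-link host (assumed pattern)
IPFS = re.compile(r"^https?://[^/\s]+/ipfs/", re.I)      # any IPFS HTTP gateway path (assumed pattern)

def parse(line):
    """Split 'type key=value key="quoted value"' into a dict; the first token is the event type."""
    kind, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    fields["type"] = kind
    return fields

def mail_indicators(ev):
    """Indicator tags for one mail event: freemail sender, job/resume lure, shortener link."""
    tags = set()
    if ev.get("from", "").rsplit("@", 1)[-1].lower() in FREEMAIL:
        tags.add("freemail_sender")
    if LURE.search(ev.get("subject", "")):
        tags.add("job_lure")
    if SHORTENER.match(ev.get("url", "")):
        tags.add("shortener_link")
    return tags

def proxy_chains(events):
    """Per source host, flag a shortener request followed by a fetch from an IPFS gateway."""
    seen = defaultdict(set)
    chains = set()
    for ev in events:
        if ev["type"] != "proxy":
            continue
        src, url = ev.get("src"), ev.get("url", "")
        if SHORTENER.match(url):
            seen[src].add("shortener")
        elif IPFS.match(url) and "shortener" in seen[src]:
            chains.add(src)
    return chains

def analyse(lines):
    """Return senders with two or more mail indicators and hosts showing the redirect-to-IPFS chain."""
    events = [parse(line) for line in lines]
    mails = {ev["from"]: mail_indicators(ev) for ev in events if ev["type"] == "mail"}
    return {"suspicious_mail": {s for s, t in mails.items() if len(t) >= 2},
            "redirect_to_ipfs": proxy_chains(events)}
```

Any single indicator is weak on its own (freemail senders and short links are common in legitimate mail), so the script only reports senders that combine at least two of them and hosts that complete the full shortener-to-IPFS chain.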

Organizations must remain vigilant, implement robust email and web filtering, and continuously monitor for abnormal network behavior linked to these tactics.
