Category: Malware, Ransomware. Used by 1 actor.

TransferLoader

TransferLoader is a malware loader/downloader observed in campaigns from February 2025 onward and publicly documented by Zscaler and Proofpoint. It has been linked to a threat cluster tracked as UNK_GreenSec; Proofpoint noted significant infrastructure and tradecraft overlap between UNK_GreenSec and the Russia-linked TA829/RomCom activity cluster, although the exact relationship remains unconfirmed. Campaigns distributing TransferLoader commonly began with phishing emails, including fake candidate/job-seeker lures sent to companies, and used plain-text messages, freemail sender accounts, Rebrandly redirectors, and landing pages spoofing OneDrive or Google Drive. Proofpoint also reported later variants of the chain using AWS S3 links that redirected to compromised WordPress sites or fake hiring domains. The activity targeted North America: UNK_GreenSec ran four TransferLoader campaigns in the first two weeks of February 2025, sending hundreds to thousands of messages to broad target sets.

Technically, TransferLoader has been described as using XOR-encrypted strings, a custom Base32 decoder, a custom AES implementation, and dynamically resolved 64-bit API hashes to hinder static analysis and detection. It also checks that its own filename contains expected lure-related strings, "Resume" or "Professional" together with "2025", before executing; a sample renamed to a generic name (as automated sandboxes often do) will therefore not detonate, so analysts should preserve the delivered filename. Proofpoint reported that both TA829 and UNK_GreenSec used compromised MikroTik routers as REM Proxy infrastructure, PuTTY PLINK for SSH tunneling, and IPFS services in follow-on activity, and that the TransferLoader campaigns shared these operational characteristics with TA829-linked campaigns.
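Two of the traits above are things an analyst has to reproduce on their own side: the filename gate (to know which names let a sample run) and the API-hash table (to map hashes lifted from a sample back to export names). The helpers below are an added example, not TransferLoader's code or Zscaler's/Proofpoint's tooling. The hash routine is 64-bit FNV-1a, an assumed stand-in because this page does not document the loader's actual hash; the export list is constructed rather than read from real DLLs, and case-sensitive matching of the lure strings is an assumption.

```python
# Added analysis helpers modelling two documented TransferLoader traits.
# Not the loader's own code. fnv1a_64 is an ASSUMED stand-in hash routine.

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a. Assumption: the real loader's hash is not documented here,
    so this only illustrates how a hash-to-name table is built and used."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def lure_filename_gate(filename: str) -> bool:
    """Model of the documented execution gate: the file name must contain
    'Resume' or 'Professional' AND '2025'. Case-sensitive matching is an
    assumption; the reporting quotes the strings but not the comparison."""
    has_lure_word = "Resume" in filename or "Professional" in filename
    return has_lure_word and "2025" in filename


# Constructed export list standing in for what you would extract from the real
# DLLs on an analysis box (e.g. with pefile); deliberately small.
CONSTRUCTED_EXPORTS = {
    "kernel32.dll": ["CreateFileW", "VirtualAlloc", "LoadLibraryA", "GetProcAddress"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "NtProtectVirtualMemory"],
    "wininet.dll": ["InternetOpenA", "InternetOpenUrlA"],
}


def build_hash_table(exports, hash_fn=fnv1a_64):
    """Precompute hash -> ['dll!Export', ...] so hashes pulled from a sample can
    be mapped back to API names. A list per hash keeps any collision visible."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hash_fn(name.encode("ascii")), []).append(f"{dll}!{name}")
    return table


def resolve_hashes(hashes, table):
    """Map each observed hash to candidate names, or None when nothing matches
    (wrong hash routine assumed, or an export missing from the table)."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(CONSTRUCTED_EXPORTS)
    observed = [fnv1a_64(b"VirtualAlloc"), fnv1a_64(b"InternetOpenUrlA"), 0xDEADBEEFCAFEBABE]
    for h, names in resolve_hashes(observed, table).items():
        print(f"{h:016x} -> {names}")
    for name in ["Resume_John_2025.exe", "Professional_Profile.exe", "sample.exe"]:
        print(name, "runs" if lure_filename_gate(name) else "exits")
```

If every hash from a sample comes back `None`, the assumed hash routine is wrong and the loader's real one has to be lifted from the binary before the table is useful; if a hash maps to several names, the list shows the collision instead of silently picking one.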

TransferLoader has been observed as an initial-stage loader that can deploy additional payloads. Proofpoint observed it dropping Metasploit, and third-party researchers reported infections leading to Morpheus ransomware; some secondary press coverage describes TransferLoader as launching "Morpheus and Metasploit ransomware strains", but Metasploit is a post-exploitation framework, not ransomware, and the ransomware payload actually reported is Morpheus. Proofpoint assessed Morpheus is likely an updated version of HellCat ransomware. High-confidence indicators and behavioral markers mentioned directly in the reporting include: the filename check for lure terms; signed executables spoofing PDF readers in related UNK_GreenSec campaigns; AWS S3 links leading to compromised WordPress sites or fake hiring domains in the updated chains; and shared use of REM Proxy infrastructure on compromised MikroTik routers with SSH exposed on port 51922.


Threat actors: groups observed using it

1 distinct threat actor attributed by public researchers.

UNK_GreenSec

...attacks by UNK_GreenSec led to the spread of the TransferLoader malware, which later launches the Morpheus and Metasploit ransomware strains.

via scworld.com