{ "type": "URL", "indicator": "https://baza.com/loader.bin", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://baza.com/loader.bin", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4068460909, "indicator": "https://baza.com/loader.bin", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "682549c464fc8d3ea6a57b4d", "name": "Technical Analysis of TransferLoader", "description": "TransferLoader is a newly identified malware loader active since February 2025. It comprises multiple components including a downloader, backdoor, and specialized loader. The malware employs various anti-analysis techniques and code obfuscation to hinder reverse engineering. TransferLoader has been observed delivering Morpheus ransomware. Its backdoor module enables execution of arbitrary commands on compromised systems and uses the InterPlanetary File System as a fallback for C2 server updates. The malware utilizes both HTTPS and raw TCP communication methods, with a unique encryption process for network packets. TransferLoader's consistent use in deploying additional payloads suggests it will continue to be a threat in future attacks.", "modified": "2025-05-15T20:18:25.876000", "created": "2025-05-15T01:56:20.385000", "tags": [ "downloader", "backdoor", "anti-analysis", "transferloader", "morpheus", "ipfs", "c2", "ransomware", "obfuscation" ], "references": [ "https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TransferLoader", "display_name": "TransferLoader", "target": null }, { "id": "Morpheus", "display_name": "Morpheus", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 4 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386771, "modified_text": "382 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689dbd6fc683062764f4f07c", "name": "EbeeAugust2025 Pt2", "description": "", "modified": "2025-10-02T13:04:51.166000", "created": "2025-08-14T10:41:51.150000", "tags": [], "references": [ "Aug-Week2.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 476, "FileHash-SHA1": 551, "FileHash-SHA256": 521, "URL": 92, "domain": 216, "email": 2, "hostname": 68 }, "indicator_count": 1926, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader", "Aug-Week2.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Morpheus", "Transferloader" ], "industries": [ "Legal" ], "unique_indicators": 7 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 1010 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/baza.com", "whois": "http://whois.domaintools.com/baza.com", "domain": "baza.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "682549c464fc8d3ea6a57b4d", "name": "Technical Analysis of TransferLoader", "description": "TransferLoader is a newly identified malware loader active since February 2025. It comprises multiple components including a downloader, backdoor, and specialized loader. The malware employs various anti-analysis techniques and code obfuscation to hinder reverse engineering. TransferLoader has been observed delivering Morpheus ransomware. Its backdoor module enables execution of arbitrary commands on compromised systems and uses the InterPlanetary File System as a fallback for C2 server updates. The malware utilizes both HTTPS and raw TCP communication methods, with a unique encryption process for network packets. TransferLoader's consistent use in deploying additional payloads suggests it will continue to be a threat in future attacks.", "modified": "2025-05-15T20:18:25.876000", "created": "2025-05-15T01:56:20.385000", "tags": [ "downloader", "backdoor", "anti-analysis", "transferloader", "morpheus", "ipfs", "c2", "ransomware", "obfuscation" ], "references": [ "https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TransferLoader", "display_name": "TransferLoader", "target": null }, { "id": "Morpheus", "display_name": "Morpheus", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 4 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386771, "modified_text": "382 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689dbd6fc683062764f4f07c", "name": "EbeeAugust2025 Pt2", "description": "", "modified": "2025-10-02T13:04:51.166000", "created": "2025-08-14T10:41:51.150000", "tags": [], "references": [ "Aug-Week2.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 476, "FileHash-SHA1": 551, "FileHash-SHA256": 521, "URL": 92, "domain": 216, "email": 2, "hostname": 68 }, "indicator_count": 1926, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://baza.com/loader.bin", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://baza.com/loader.bin", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780357435.9498768 }