Stage 1: Initial Access and Redirect Evasion
The attack begins with targeted spearphishing campaigns carrying malicious PDF attachments or links designed to mimic legitimate business correspondence. When a user clicks one of these links, the request is routed through a dynamic redirection platform, such as Rebrandly, to bypass basic email security filters. The victim then lands on a convincing spoofed page styled as a Google Drive or Microsoft OneDrive interface. These malicious pages profile the victim's environment and deliver the primary TransferLoader downloader binary to human targets, while actively filtering out automated security sandboxes to avoid detection.
Stage 2: Persistent Infiltration and C2 Infrastructure
Once executed, the TransferLoader downloader retrieves an encrypted secondary payload over HTTPS, decrypts it in memory, and displays a decoy document to the user to maintain the illusion of legitimacy. Persistence is established through Component Object Model (COM) hijacking: by modifying registry keys within the user's registry hive (under HKCU\Software\Classes\CLSID), the malware survives reboots without leaving indicators in the standard Windows Startup registry keys that most persistence checks examine.
Stage 3: Lateral Movement and Ransomware Execution
After establishing a persistent backdoor, the threat actors move laterally through the enterprise network, targeting administrative systems, SFTP storage, and hypervisor management consoles. In the incident at the leading Indian asset management firm, this deep network penetration enabled the actors to disable critical endpoint security management platforms and exfiltrate 680 GB of sensitive documents.
The final stage of the attack is execution of the Morpheus ransomware binary. The payload is a compact 18 KB, 64-bit Windows Portable Executable (PE) that requires a specific, target-defined folder path as a command-line argument. To keep the system stable while encryption runs, the binary avoids system-critical folders such as System32 and skips standard system file types, namely DLL, SYS, EXE, DRV, COM, and CAT files.
Significantly, the Morpheus payload employs a specialized evasion strategy: it does not alter file extensions or modify the metadata of targeted files during encryption. This silent file-content encryption is specifically engineered to bypass traditional Endpoint Detection and Response (EDR) agents that rely heavily on monitoring mass file-renaming behavior to flag ransomware outbreaks.
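Because Morpheus leaves names and metadata untouched, a detection has to look at file content rather than rename events. The following Python is an added defender-side example, not code from the report or from any vendor product: it flags files whose extension promises plain text but whose bytes are near-random. The extension lists, entropy threshold, and sample files are constructed assumptions, with a SHA-256 byte stream standing in for ciphertext.

```python
import hashlib
import math
from collections import Counter

# Assumed: extensions whose legitimate content is plain text and therefore low-entropy.
LOW_ENTROPY_EXTS = {".txt", ".csv", ".log", ".xml", ".json", ".ini", ".sql"}
# File types the report says Morpheus skips; excluded to avoid noise from native binaries.
SKIPPED_EXTS = {".dll", ".sys", ".exe", ".drv", ".com", ".cat"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or random data approaches 8.0
MIN_SIZE = 256           # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_silent_encryption(files: dict[str, bytes]) -> list[str]:
    """Return paths whose extension is low-entropy by nature but whose content is high-entropy.

    Name and mtime are deliberately ignored: the point is that neither changes under Morpheus.
    """
    flagged = []
    for path, content in files.items():
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if ext in SKIPPED_EXTS or ext not in LOW_ENTROPY_EXTS:
            continue  # either skipped by the ransomware or legitimately high-entropy (zip, docx)
        if len(content) >= MIN_SIZE and shannon_entropy(content) >= ENTROPY_THRESHOLD:
            flagged.append(path)
    return flagged


# Constructed sample data. The "encrypted" CSV is a deterministic SHA-256 stream (4096 bytes),
# used here only as a stand-in for ciphertext written back over the original content.
_FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_FILES = {
    r"D:\Shares\finance\board_minutes.txt": b"Quarterly review: revenue flat, costs rising.\n" * 40,
    r"D:\Shares\finance\invoices_2024.csv": _FAKE_CIPHERTEXT,
    r"C:\Windows\System32\kernel32.dll": _FAKE_CIPHERTEXT,  # skipped type, never scored
    r"D:\Shares\finance\report.docx": _FAKE_CIPHERTEXT,      # compressed format, expected high entropy
}

if __name__ == "__main__":
    for hit in flag_silent_encryption(SAMPLE_FILES):
        print("possible in-place encryption:", hit)
```

In production the same check would run over a file share or backup snapshot and be combined with write-burst telemetry, since a single high-entropy text file is a weak signal on its own.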