Qilin Ransomware Ranked Highest in April 2025 with 72 Data Leak Disclosures

May 08, 2025 | Ravie Lakshmanan | Threat Intelligence / Ransomware

Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET-compiled loader codenamed NETXLOADER as part of a campaign observed in November 2024.

"NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks," Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas said in a Wednesday analysis.

"While hidden, it stealthily deploys additional malicious payloads, such as Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is difficult to analyze."

Qilin, also called Agenda, has been an active ransomware threat since it surfaced in the threat landscape in July 2022. Last year, cybersecurity company Halcyon discovered an improved version of the ransomware that it named Qilin.B.


Recent data shared by Group-IB shows that disclosures on Qilin's data leak site have more than doubled since February 2025, making it the top ransomware group for April with 72 claimed victims, surpassing other players like Akira, Play, and Lynx.

"From July 2024 to January 2025, Qilin's affiliates did not disclose more than 23 companies per month," the Singaporean cybersecurity company said late last month. "However, [...] since February 2025 the number of disclosures has significantly increased, with 48 in February, 44 in March and 45 in the first weeks of April."


Qilin is also said to have benefited from an influx of affiliates following RansomHub's abrupt shutdown at the beginning of last month. According to Flashpoint, RansomHub was the second-most active ransomware group in 2024, claiming 38 victims in the financial sector between April 2024 and April 2025.

"Agenda ransomware activity was primarily observed in healthcare, technology, financial services, and telecommunications sectors across the U.S., the Netherlands, Brazil, India, and the Philippines," according to Trend Micro's data from the first quarter of 2025.

NETXLOADER, the cybersecurity company said, is a highly obfuscated loader designed to launch next-stage payloads retrieved from external servers (e.g., "bloglake7[.]cfd"), which are then used to drop SmokeLoader and Agenda ransomware.

Protected by .NET Reactor version 6, it also incorporates a range of techniques to bypass traditional detection mechanisms and resist analysis, such as just-in-time (JIT) hooking, seemingly meaningless method names, and control flow obfuscation. The practical consequence is that static inspection of the loader binary yields little: the payload is only recoverable by running the sample and examining what it decrypts and maps in memory.


"The operators' use of NETXLOADER is a major leap forward in how malware is delivered," Trend Micro said. "It uses a heavily obfuscated loader that hides the actual payload, meaning you can't know what it actually is without executing the code and analyzing it in memory. Even string-based analysis won't help because the obfuscation scrambles the clues that would usually reveal the payload's identity."

Attack chains have been found to leverage valid accounts and phishing as initial access vectors to drop NETXLOADER, which then deploys SmokeLoader on the host. SmokeLoader proceeds to perform a series of virtualization and sandbox evasion checks, while simultaneously terminating a hard-coded list of running processes.

In the final stage, SmokeLoader establishes contact with a command-and-control (C2) server to fetch NETXLOADER, which launches the Agenda ransomware using a technique known as reflective DLL loading, i.e., mapping the ransomware DLL into memory by hand rather than through the Windows loader, so the payload never has to touch disk as a file the loader API would log.
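Two of the behaviours in the chain above are visible in ordinary telemetry before any ransomware runs: the loader's retrieval of payloads from an external server (the article names "bloglake7[.]cfd") and SmokeLoader working through a hard-coded process kill list. The following Python script is an added example, not code from the article or from Trend Micro, that runs both checks over constructed sample log lines. The log format, hostnames, image paths, process names and the "five terminations in ten seconds" threshold are assumptions made for this example; the only indicator taken from the article is the domain.

```python
"""Added hunting example (not from the article or Trend Micro's report).

Two checks over constructed log lines that line up with the chain described above:
  1. DNS lookups for the payload-hosting domain the article names (refanged first), and
  2. a burst of process terminations from one actor process, a generic heuristic for a
     loader working through a hard-coded kill list. Log format, hostnames, image paths
     and the 5-in-10-seconds threshold are all assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime

# The only indicator given in the article, kept defanged as published.
PAYLOAD_DOMAINS = {"bloglake7[.]cfd"}

# Constructed sample telemetry (not real logs). Two record types:
#   <ts> <host> dns <qname>
#   <ts> <host> procterm actor_pid=<pid> actor=<image> target=<image>
SAMPLE_LOG = r"""
2024-11-12T09:14:01Z WS-042 dns update.example.com
2024-11-12T09:14:03Z WS-042 dns bloglake7.cfd
2024-11-12T09:14:03Z WS-042 dns cdn.bloglake7.cfd
2024-11-12T09:14:09Z WS-017 dns mail.example.net
2024-11-12T09:15:01Z WS-042 procterm actor_pid=4120 actor=C:\Users\u\AppData\Local\Temp\ldr.exe target=app1.exe
2024-11-12T09:15:02Z WS-042 procterm actor_pid=4120 actor=C:\Users\u\AppData\Local\Temp\ldr.exe target=app2.exe
2024-11-12T09:15:02Z WS-042 procterm actor_pid=4120 actor=C:\Users\u\AppData\Local\Temp\ldr.exe target=app3.exe
2024-11-12T09:15:04Z WS-042 procterm actor_pid=4120 actor=C:\Users\u\AppData\Local\Temp\ldr.exe target=app4.exe
2024-11-12T09:15:06Z WS-042 procterm actor_pid=4120 actor=C:\Users\u\AppData\Local\Temp\ldr.exe target=app5.exe
2024-11-12T09:15:30Z WS-042 procterm actor_pid=4120 actor=C:\Users\u\AppData\Local\Temp\ldr.exe target=app6.exe
2024-11-12T09:15:40Z WS-017 procterm actor_pid=900 actor=C:\Windows\explorer.exe target=notepad.exe
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('bloglake7[.]cfd') into a matchable hostname."""
    return ioc.replace("[.]", ".").lower()


def parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_payload_lookups(log: str, domains=PAYLOAD_DOMAINS):
    """Return (host, timestamp, qname) for every DNS query that hits a listed
    domain or one of its subdomains."""
    wanted = {refang(d) for d in domains}
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "dns":
            continue
        qname = parts[3].lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in wanted):
            hits.append((parts[1], parts[0], qname))
    return hits


def find_kill_bursts(log: str, min_kills: int = 5, window_seconds: int = 10):
    """Flag (host, actor_pid) pairs that terminated at least `min_kills` processes
    inside any `window_seconds` window. The sliding window keeps a slow trickle of
    ordinary terminations (explorer closing notepad) from firing."""
    times = defaultdict(list)
    actor_image = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "procterm":
            continue
        fields = dict(p.split("=", 1) for p in parts[3:])
        key = (parts[1], fields["actor_pid"])
        times[key].append(parse_ts(parts[0]))
        actor_image[key] = fields["actor"]
    hits = []
    for key, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            # Advance the window start until every event inside it is recent enough.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_kills:
            hits.append({"host": key[0], "actor_pid": key[1],
                         "actor": actor_image[key], "kills_in_window": best})
    return hits


if __name__ == "__main__":
    for host, ts, qname in find_payload_lookups(SAMPLE_LOG):
        print(f"[dns] {ts} {host} resolved {qname}")
    for hit in find_kill_bursts(SAMPLE_LOG):
        print(f"[kill-burst] {hit['host']} pid {hit['actor_pid']} ({hit['actor']}) "
              f"terminated {hit['kills_in_window']} processes within 10s")
```

On the constructed sample, the DNS check flags both the bare domain and a subdomain on WS-042, and the burst check flags pid 4120 (five terminations within five seconds) while leaving the single explorer.exe termination on WS-017 alone. The domain match is only as good as the indicator list; the kill-burst heuristic is what catches a loader whose C2 you have not seen yet, so tune its threshold against your own baseline rather than trusting the values assumed here.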

"The Agenda ransomware group is continuously evolving by adding new features designed to cause disruption," the researchers said. "Its diverse targets include domain networks, mounted devices, storage systems, and VCenter ESXi."
