Risk actors with ties to the Qilin ransomware household have leveraged malware often known as SmokeLoader together with a beforehand undocumented .NET compiled loader codenamed NETXLOADER as a part of a marketing campaign noticed in November 2024.
“NETXLOADER is a brand new .NET-based loader that performs a important function in cyber assaults,” Pattern Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas said in a Wednesday evaluation.
“Whereas hidden, it stealthily deploys further malicious payloads, corresponding to Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is troublesome to investigate.”
Qilin, additionally referred to as Agenda, has been an active ransomware threat because it surfaced within the risk panorama in July 2022. Final yr, cybersecurity firm Halcyon found an improved model of the ransomware that it named Qilin.B.
Current knowledge shared by Group-IB exhibits that disclosures on Qilin’s knowledge leak website have greater than doubled since February 2025, making it the top ransomware group for April, surpassing different gamers like Akira, Play, and Lynx.
“From July 2024 to January 2025, Qilin’s associates didn’t disclose greater than 23 corporations per thirty days,” the Singaporean cybersecurity firm said late final month. “Nonetheless, […] since February 2025 the quantity of disclosures have considerably elevated, with 48 in February, 44 in March and 45 within the first weeks of April.”
Qilin can also be stated to have benefited from an inflow of associates following RansomHub’s abrupt shutdown initially of final month. In accordance with Flashpoint, RansomHub was the second-most active ransomware group in 2024, claiming 38 victims within the monetary sector between April 2024 and April 2025.
“Agenda ransomware exercise was primarily noticed in healthcare, expertise, monetary providers, and telecommunications sectors throughout the U.S., the Netherlands, Brazil, India, and the Philippines,” in accordance with Pattern Micro’s knowledge from the primary quarter of 2025.
NETXLOADER, the cybersecurity firm stated, is a extremely obfuscated loader that is designed to launch next-stage payloads retrieved from exterior servers (e.g., “bloglake7[.]cfd”), that are then used to drop SmokeLoader and Agenda ransomware.
Protected by .NET Reactor model 6, it additionally incorporates a bevy of methods to bypass conventional detection mechanisms and resist evaluation efforts, corresponding to the usage of just-in-time (JIT) hooking methods, and seemingly meaningless methodology names, and management circulate obfuscation.
“The operators’ use of NETXLOADER is a serious leap ahead in how malware is delivered,” Pattern Micro stated. “It makes use of a closely obfuscated loader that hides the precise payload, which means you possibly can’t know what it really is with out executing the code and analyzing it in reminiscence. Even string-based evaluation will not assist as a result of the obfuscation scrambles the clues that may usually reveal the payload’s identification.”
Assault chains have been discovered to leverage legitimate accounts and phishing as preliminary entry vectors to drop NETXLOADER, which then deploys SmokeLoader on the host. The SmokeLoader malware proceeds to carry out a sequence of steps to carry out virtualization and sandbox evasion, whereas concurrently terminating a hard-coded checklist of working processes.
Within the closing stage, SmokeLoader establishes contact with a command-and-control (C2) server to fetch NETXLOADER, which launches the Agenda ransomware utilizing a technique often known as reflective DLL loading.
“The Agenda ransomware group is regularly evolving by including new options designed to trigger disruption,” the researchers stated. “Its various targets embrace area networks, mounted units, storage methods, and VCenter ESXi.”
Source link