Menace actors with ties to the Qilin ransomware household have leveraged malware generally known as SmokeLoader together with a beforehand undocumented .NET compiled loader codenamed NETXLOADER as a part of a marketing campaign noticed in November 2024.
“NETXLOADER is a brand new .NET-based loader that performs a vital function in cyber assaults,” Development Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas mentioned in a Wednesday evaluation.
“Whereas hidden, it stealthily deploys extra malicious payloads, reminiscent of Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is troublesome to research.”
Qilin, additionally referred to as Agenda, has been an lively ransomware menace because it surfaced within the menace panorama in July 2022. Final 12 months, cybersecurity firm Halcyon found an improved model of the ransomware that it named Qilin.B.
Current information shared by Group-IB exhibits that disclosures on Qilin’s information leak website have greater than doubled since February 2025, making it the high ransomware group for April, surpassing different gamers like Akira, Play, and Lynx.
“From July 2024 to January 2025, Qilin’s associates didn’t disclose greater than 23 corporations per 30 days,” the Singaporean cybersecurity firm mentioned late final month. “Nevertheless, […] since February 2025 the quantity of disclosures have considerably elevated, with 48 in February, 44 in March and 45 within the first weeks of April.”
Qilin can also be mentioned to have benefited from an inflow of associates following RansomHub’s abrupt shutdown initially of final month. In accordance with Flashpoint, RansomHub was the second-most lively ransomware group in 2024, claiming 38 victims within the monetary sector between April 2024 and April 2025.
“Agenda ransomware exercise was primarily noticed in healthcare, expertise, monetary providers, and telecommunications sectors throughout the U.S., the Netherlands, Brazil, India, and the Philippines,” based on Development Micro’s information from the primary quarter of 2025.
NETXLOADER, the cybersecurity firm mentioned, is a extremely obfuscated loader that is designed to launch next-stage payloads retrieved from exterior servers (e.g., “bloglake7[.]cfd”), that are then used to drop SmokeLoader and Agenda ransomware.
Protected by .NET Reactor model 6, it additionally incorporates a bevy of tips to bypass conventional detection mechanisms and resist evaluation efforts, reminiscent of using just-in-time (JIT) hooking methods, and seemingly meaningless technique names, and management circulation obfuscation.
“The operators’ use of NETXLOADER is a serious leap ahead in how malware is delivered,” Development Micro mentioned. “It makes use of a closely obfuscated loader that hides the precise payload, that means you may’t know what it actually is with out executing the code and analyzing it in reminiscence. Even string-based evaluation will not assist as a result of the obfuscation scrambles the clues that may usually reveal the payload’s id.”
Assault chains have been discovered to leverage legitimate accounts and phishing as preliminary entry vectors to drop NETXLOADER, which then deploys SmokeLoader on the host. The SmokeLoader malware proceeds to carry out a collection of steps to carry out virtualization and sandbox evasion, whereas concurrently terminating a hard-coded checklist of working processes.
Within the closing stage, SmokeLoader establishes contact with a command-and-control (C2) server to fetch NETXLOADER, which launches the Agenda ransomware utilizing a method generally known as reflective DLL loading.
“The Agenda ransomware group is regularly evolving by including new options designed to trigger disruption,” the researchers mentioned. “Its numerous targets embody area networks, mounted gadgets, storage methods, and VCenter ESXi.”
