Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET compiled loader codenamed NETXLOADER as part of a campaign observed in November 2024.
“NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks,” Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas said in a Wednesday analysis.
“While hidden, it stealthily deploys additional malicious payloads, such as Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is difficult to analyze.”
Qilin, also called Agenda, has been an active ransomware threat since it surfaced in the threat landscape in July 2022. Last year, cybersecurity company Halcyon discovered an improved version of the ransomware that it named Qilin.B.
Recent data shared by Group-IB shows that disclosures on Qilin’s data leak site have more than doubled since February 2025, making it the top ransomware group for April, surpassing other players like Akira, Play, and Lynx.
“From July 2024 to January 2025, Qilin’s affiliates did not disclose more than 23 companies per month,” the Singaporean cybersecurity company said late last month. “However, […] since February 2025 the amount of disclosures have significantly increased, with 48 in February, 44 in March and 45 in the first weeks of April.”
Qilin is also said to have benefited from an influx of affiliates following RansomHub’s abrupt shutdown at the start of last month. According to Flashpoint, RansomHub was the second-most active ransomware group in 2024, claiming 38 victims in the financial sector between April 2024 and April 2025.
“Agenda ransomware activity was primarily observed in healthcare, technology, financial services, and telecommunications sectors across the U.S., the Netherlands, Brazil, India, and the Philippines,” according to Trend Micro’s data from the first quarter of 2025.
NETXLOADER, the cybersecurity company said, is a highly obfuscated loader that’s designed to launch next-stage payloads retrieved from external servers (e.g., “bloglake7[.]cfd”), which are then used to drop SmokeLoader and Agenda ransomware.
Protected by .NET Reactor version 6, it also incorporates a bevy of tricks to bypass traditional detection mechanisms and resist analysis efforts, such as the use of just-in-time (JIT) hooking techniques, and seemingly meaningless method names, and control flow obfuscation.
“The operators’ use of NETXLOADER is a major leap forward in how malware is delivered,” Trend Micro said. “It uses a heavily obfuscated loader that hides the actual payload, meaning you can’t know what it truly is without executing the code and analyzing it in memory. Even string-based analysis won’t help because the obfuscation scrambles the clues that would normally reveal the payload’s identity.”
Attack chains have been found to leverage valid accounts and phishing as initial access vectors to drop NETXLOADER, which then deploys SmokeLoader on the host. The SmokeLoader malware proceeds to perform a series of steps to perform virtualization and sandbox evasion, while simultaneously terminating a hard-coded list of running processes.
In the final stage, SmokeLoader establishes contact with a command-and-control (C2) server to fetch NETXLOADER, which launches the Agenda ransomware using a technique known as reflective DLL loading.
“The Agenda ransomware group is continually evolving by adding new features designed to cause disruption,” the researchers said. “Its diverse targets include domain networks, mounted devices, storage systems, and VCenter ESXi.”
