FlagThis - #SmokeLoader

The Agenda ransomware group, also known as Qilin, has enhanced its attack capabilities by incorporating SmokeLoader and NETXLOADER into its campaigns. Trend Micro researchers discovered this shift, highlighting the group's ongoing evolution and increased sophistication. The group is actively targeting organizations across multiple sectors, including healthcare, technology, financial services, and telecommunications. These attacks are spanning across various geographical regions, with a primary focus on the US, the Netherlands, Brazil, India, and the Philippines, demonstrating a broad and aggressive targeting strategy.

The newly identified NETXLOADER plays a crucial role in these attacks by stealthily deploying malicious payloads, including the Agenda ransomware and SmokeLoader. NETXLOADER is a .NET-based loader protected by .NET Reactor 6, making it difficult to analyze. Its complexity is enhanced by the utilization of JIT hooking techniques, obfuscated method names, and AES-decrypted GZip payloads to evade detection, indicating a significant leap in malware delivery methods. SmokeLoader further contributes to the group's arsenal with its own set of evasion tactics, including virtualization/sandbox detection and process injection, which complicates attribution and defense efforts.

Qilin has emerged as a dominant ransomware group, leading in data leak disclosures in April 2025. This surge in activity is partly attributed to the group gaining affiliates from the RansomHub uncertainty. Cyble reported that Qilin claimed responsibility for 74 attacks in April, surpassing other groups in ransomware activity. The incorporation of NETXLOADER and SmokeLoader, coupled with their stealthy delivery methods, further solidifies Qilin's position as a formidable threat in the current ransomware landscape, posing a significant risk to organizations worldwide.


References :

• Virus Bulletin: Trend Micro researchers discovered that the Agenda ransomware group added SmokeLoader & NETXLOADER to its recent campaigns. Targets include healthcare, technology, financial services & telecommunications sectors in the US, the Netherlands, Brazil, India & the Philippines.
• securityonline.info: Agenda Ransomware Evolves with NETXLOADER and SmokeLoader in Global Campaigns
• www.trendmicro.com: Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
• The Hacker News: Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures
• cyble.com: Cyble stated that Qilin gained affiliates from the RansomHub uncertainty, led all groups with 74 attacks claimed in April.
• redpiranha.net: Red Piranha stated that the threat group Qilin has been active for over one year or for multiple years and Qilin also Tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.
• MeatMutts: Qilin Ransomware Gang Targets Hamilton County Sheriff's Office

Classification:

• HashTags: #ransomware #malware #cyberattack
• Company: Trend Micro
• Target: healthcare, technology, financial services & telecommunications sectors
• Attacker: Qilin
• Product: SmokeLoader
• Feature: malware loader
• Malware: Agenda
• Type: Ransomware
• Severity: Major