Watch Out for Qilin: The Top Ransomware Group Deploying New Stealthy NETXLOADER
Threat actors linked to the Qilin ransomware group have utilized SmokeLoader malware and a newly identified .NET-based loader, dubbed NETXLOADER, in attacks observed in November 2024. According to Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas, NETXLOADER plays a vital role in these operations, covertly deploying additional malware, including SmokeLoader and the Agenda ransomware.
Protected by .NET Reactor 6, NETXLOADER is highly obfuscated and resists analysis, making it challenging to detect or understand without dynamic execution and memory inspection. Its advanced concealment techniques include just-in-time (JIT) hooking, meaningless method names, and complex control flow obfuscation.
Qilin, also known as Agenda, has been active since July 2022. In 2023, Halcyon identified a more sophisticated version of the malware, calling it Qilin.B. The group gained prominence in early 2025, with data from Group-IB revealing that the number of data breach disclosures on Qilin’s leak site has significantly increased. After averaging no more than 23 disclosures per month between July 2024 and January 2025, the numbers surged to 48 in February, 44 in March, and 45 in early April, positioning Qilin as the most active ransomware group in April 2025, surpassing Akira, Play, and Lynx.
This uptick is partly attributed to the shutdown of RansomHub, which was the second most prolific ransomware gang in 2024, targeting 38 victims in the financial sector from April 2024 to April 2025. RansomHub’s closure led many affiliates to join Qilin, bolstering its capabilities.
Qilin’s operations have primarily affected industries such as healthcare, technology, financial services, and telecommunications in countries like the U.S., Netherlands, Brazil, India, and the Philippines, as reported by Trend Micro in Q1 2025.
NETXLOADER functions by retrieving next-stage payloads from external domains (e.g., bloglake7[.]cfd) and deploying threats like SmokeLoader and Agenda ransomware. Initial access is often gained via phishing emails or compromised credentials, allowing attackers to drop NETXLOADER onto victim systems.
Once deployed, SmokeLoader uses anti-analysis techniques, including virtualization checks and sandbox evasion, while terminating pre-defined processes. It then connects to a command-and-control server to download NETXLOADER, which executes the Agenda ransomware using reflective DLL injection.
Trend Micro researchers emphasized that Agenda continues to evolve, enhancing its destructive capabilities. The ransomware now targets domain networks, mounted drives, storage systems, and VMware ESXi infrastructure, underlining the group's increasing sophistication and threat level.