Agenda Ransomware Adds SmokeLoader & NETXLOADER



The Agenda ransomware group (Qilin) ramped up attacks in early 2025, hitting key sectors worldwide with tools like NETXLOADER and SmokeLoader, Trend Micro reports.

Agenda Ransomware

The Agenda ransomware group, also known as Qilin, has intensified its activity since late 2024 by deploying a stealthy new tool called NETXLOADER. Protected by .NET Reactor 6, this loader uses heavy obfuscation, making it difficult to analyze and detect.

NETXLOADER delivers malware such as Agenda ransomware and SmokeLoader directly into memory, bypassing traditional security tools by resolving API calls dynamically and manipulating memory at runtime. It leverages deceptive domains such as bloglake7[.]cfd to distribute disguised payloads and uses randomized file names to appear legitimate.

The code is packed with confusing method names and hidden instructions, hooking into system libraries at runtime to execute its payload. Researchers who managed to deobfuscate it found AES-based decryption routines and memory execution using functions like VirtualAlloc and CreateThread.

SmokeLoader adds to the evasion, using anti-analysis tricks to detect virtual environments and debugging tools. It targets Windows Vista or newer systems and injects itself into explorer.exe for persistence and privilege escalation.
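The two behaviours described above, contact with the bloglake7[.]cfd distribution domain and a thread created in explorer.exe by an unrelated process, are the kind of signals a detection engineer would look for in endpoint telemetry. The script below is an added example, not code from the article or from Trend Micro's report: it parses a constructed, Sysmon-like event format (the `DNS` and `CreateRemoteThread` event shapes, the field names, the sample lines and the allowlist of processes that may legitimately touch explorer.exe are all assumptions made for this example) and flags matches for either rule.

```python
"""
Added example (not from the article or the Trend Micro report): a small
detector that scans Sysmon-style DNS and CreateRemoteThread events for two
behaviours the article describes -- a lookup of the bloglake7[.]cfd
distribution domain, and a thread created in explorer.exe by a process that
is not expected to do so. The event format, field names, sample lines and
allowlist below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Indicator quoted in the article, stored defanged and refanged only for matching.
DEFANGED_DOMAINS = ["bloglake7[.]cfd"]

# ASSUMPTION: processes that legitimately create threads in explorer.exe on a
# typical host; this allowlist is illustrative and must be tuned per environment.
EXPLORER_THREAD_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\explorer.exe",
}

# Constructed sample telemetry: "<timestamp> <event kind> key=value; key=value".
SAMPLE_EVENTS = [
    r"2025-05-01T10:00:01Z DNS image=c:\users\bob\appdata\local\temp\x7f2q.exe; query=bloglake7.cfd",
    r"2025-05-01T10:00:05Z CreateRemoteThread source=c:\users\bob\appdata\local\temp\x7f2q.exe; target=c:\windows\explorer.exe",
    r"2025-05-01T10:00:06Z CreateRemoteThread source=c:\windows\system32\csrss.exe; target=c:\windows\explorer.exe",
    r"2025-05-01T10:00:09Z DNS image=c:\program files\browser\browser.exe; query=example.org",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<body>.*)$")


@dataclass
class Alert:
    rule: str
    timestamp: str
    line: str


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style defanging back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_fields(body: str) -> dict:
    """Split 'k=v; k=v' into a dict; values may contain '=' (only the first one splits)."""
    fields = {}
    for part in body.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def domain_matches(query: str, bad_domains: set) -> bool:
    """Exact match or a subdomain of any listed domain."""
    q = query.lower().rstrip(".")
    return q in bad_domains or any(q.endswith("." + d) for d in bad_domains)


def scan(lines) -> list:
    """Return one Alert per event that matches either detection rule."""
    bad_domains = {refang(d).lower() for d in DEFANGED_DOMAINS}
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected event format
        kind, fields = m.group("kind"), parse_fields(m.group("body"))
        if kind == "DNS" and domain_matches(fields.get("query", ""), bad_domains):
            alerts.append(Alert("known_loader_domain", m.group("ts"), line))
        elif kind == "CreateRemoteThread":
            src = fields.get("source", "").lower()
            tgt = fields.get("target", "").lower()
            if tgt.endswith(r"\explorer.exe") and src not in EXPLORER_THREAD_ALLOWLIST:
                alerts.append(Alert("thread_into_explorer", m.group("ts"), line))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.timestamp}: {alert.line}")
```

Run against the constructed sample it raises two alerts, one per rule, and ignores the csrss.exe thread creation and the benign DNS lookup. The domain rule is deliberately strict (exact or subdomain match) so that a loader moving to a new domain is not caught by it; the thread rule is the behavioural backstop for that case, at the cost of needing a per-environment allowlist.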

This combination of tools shows a strategic shift by Agenda, focusing on stealth, cross-platform compatibility through Rust, and custom packing methods to increase their chances of success across a wide range of targets.

Trend Micro’s Vision One platform has played a key role in detecting and stopping these threats, giving businesses vital threat intelligence and tools to stay ahead.

As Agenda evolves, organizations need strong security layers, strict access controls, and continuous monitoring to defend against these advanced attacks.

2025-05-10T01:10:37+05:30 | May 8th, 2025 | Internet Security, Ransomware, Security Advisory, Security Update, Tips

About the Author:

FirstHackersNews - Identifies Security
