Qilin ransomware ranked top in April 2025 with 72 data leak disclosures

4 Min Read

Threat actors with ties to the Qilin ransomware family have leveraged a previously undocumented .NET-compiled loader codenamed NetXLoader, alongside the known SmokeLoader malware, as part of a campaign observed in November 2024.

“NetXLoader is a new .NET-based loader that plays a key role in cyberattacks,” Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navat, Sarah Pearl Camiling and Neljorn Nathaniel Aguas said in an analysis published Wednesday.

“While hidden, it secretly deploys additional malicious payloads such as Agenda ransomware and SmokeLoader. NetXLoader, protected by .NET Reactor 6, is difficult to analyze.”

Qilin, also known as Agenda, has been an aggressive ransomware threat since it emerged in the threat landscape in July 2022. Last year, cybersecurity company Halcyon discovered an improved version of the ransomware named Qilin.B.

Recent data shared by Group-IB shows that the number of disclosures on Qilin’s data leak site has more than doubled since February 2025, making it the top ransomware group for April with 72 victims, ahead of other groups such as Akira, Play and Lynx.

“From July 2024 to January 2025, Qilin affiliates did not disclose more than 23 companies per month,” the Singapore cybersecurity company said late last month. “However (…) the volume of disclosures has increased significantly since February 2025, with 48 in February, 44 in March and 45 in April.”


Qilin is also said to have benefited from an influx of affiliates following the abrupt shutdown of RansomHub earlier last month. According to Flashpoint, RansomHub was the second most active ransomware group in 2024, claiming 38 victims in the financial sector between April 2024 and April 2025.


“Agenda ransomware activity was observed primarily in the healthcare, technology, financial services and telecommunications sectors,” according to Trend Micro data for the first quarter of 2025.

NetXLoader is a highly obfuscated loader designed to launch a next-stage payload fetched from an external server (such as “Bloglake7(.)CFD”), and is used to drop SmokeLoader and Agenda ransomware.

Protected by .NET Reactor version 6, it incorporates numerous tricks to bypass traditional detection mechanisms and to resist analysis, such as just-in-time (JIT) hooking, seemingly meaningless method names, and control-flow obfuscation.

“The use of NetXLoader by operators is a huge leap in how malware is delivered,” Trend Micro said. “They’re using a heavily obfuscated loader that hides the actual payload. This means we can’t know what it really is without running the code and analyzing it in memory. Even string-based analysis is useless, as obfuscation usually scrambles the cues that reveal the identity of the payload.”

The attack chain is known to use valid accounts and phishing as initial access vectors to drop NetXLoader, which then deploys SmokeLoader on the host. The SmokeLoader malware performs a series of steps for virtualization and sandbox evasion, and at the same time terminates a hard-coded list of running processes.

In the final stage, SmokeLoader establishes contact with a command-and-control (C2) server to obtain NetXLoader, which launches the Agenda ransomware using a technique known as reflective DLL loading.

“The Agenda ransomware group is continuously evolving by adding new features designed to cause confusion,” the researchers said. “Its diverse targets include domain networks, mounted devices, storage systems, and vCenter ESXi.”
