
Agenda Ransomware Group Bolsters Operations with SmokeLoader and NETXLOADER


The Agenda ransomware group, also known as Qilin, has intensified its cyber offensive in early 2025 by deploying a sophisticated campaign leveraging SmokeLoader and introducing a novel .NET-based malware loader dubbed NETXLOADER.

Security analysts assess that these developments raise both the risk and the persistence of Agenda intrusions, particularly as the group continues to adapt its toolkit and expand its sectoral reach into healthcare, technology, financial services, and telecommunications across the United States, the Netherlands, Brazil, India, and the Philippines.

Sophistication of Threat Campaigns

First identified in July 2022, Agenda ransomware has demonstrated continual evolution, transitioning its main ransomware payload from Go to Rust while augmenting it with advanced remote execution capabilities, improved lateral movement, and enhanced evasion features.

[Figure: Agenda ransomware attack chain]

The recent campaigns observed by Trend Micro reveal that Agenda’s operators are coupling their ransomware with multi-stage loaders to maximize stealth and persistence.

Central to these recent attacks is NETXLOADER, a .NET-compiled loader heavily protected with .NET Reactor 6, which thwarts static analysis and reverse engineering through control flow obfuscation, anti-tamper, and anti-disassembly mechanisms.

NETXLOADER’s modus operandi involves dynamically loading encrypted assemblies and leveraging reflection to invoke obfuscated methods at runtime.

This approach, together with JIT (Just-In-Time) hooking via the clrjit.dll compileMethod() API, enables payloads to be injected directly into memory, bypassing conventional security controls and complicating forensic examination.

Obfuscation and Memory Injection Techniques Complicate Detection and Response

The distribution infrastructure supporting these campaigns utilizes disposable domains with low-reputation top-level domains such as .cfd and .xyz.

These domains, crafted to mimic benign blog-related services, are systematically rotated to evade takedowns and maintain operational integrity.

Executable filenames associated with the attacks follow an obfuscation strategy, employing pseudo-random names at the initial stage and subsequently normalizing names post-deployment (e.g., rh10j0n.exe → rh111.exe).

This tactic further masks the true nature of the files from defenders, and because the download links are not hardcoded to specific payloads, the operators retain flexibility in which malware is ultimately delivered.

During execution, NETXLOADER employs AES decryption to extract payload binaries, decompresses them using GZipStream, and allocates memory using Windows API calls such as VirtualAlloc and VirtualProtect.

[Figure: Initial code structure of NETXLOADER.]

Execution is handed over to the payload via a newly spawned thread, with the loader terminating itself after successful deployment to minimize footprint.
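The allocate, make-executable, spawn-thread sequence described above is visible in endpoint API telemetry. The following is an added detection example, not code from the article or from Trend Micro's analysis; the event format and the sample events are constructed assumptions, and only the Windows protection constants are real.

```python
"""Flag the allocate -> make executable -> spawn thread pattern in API-call telemetry."""
from collections import defaultdict

# Memory protection constants from the Windows API (memoryapi.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_PROTECTIONS = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}

def find_memory_injection(events):
    """events: iterable of dicts with keys pid, api and api-specific fields (assumed format).
    Returns (pid, start_address) for each thread whose start address lies in a region
    the same process allocated and then made executable."""
    regions = defaultdict(list)   # pid -> [[base, size, executable]]
    hits = []
    for ev in events:
        pid, api = ev["pid"], ev["api"]
        if api == "VirtualAlloc":
            regions[pid].append([ev["base"], ev["size"], ev["protect"] in EXEC_PROTECTIONS])
        elif api == "VirtualProtect":
            # Mark a previously allocated region executable if its protection changed.
            for region in regions[pid]:
                base, size, _ = region
                if base <= ev["address"] < base + size and ev["protect"] in EXEC_PROTECTIONS:
                    region[2] = True
        elif api in ("CreateThread", "NtCreateThreadEx"):
            for base, size, executable in regions[pid]:
                if executable and base <= ev["start"] < base + size:
                    hits.append((pid, ev["start"]))
    return hits

# Constructed sample telemetry (not captured data): pid 4242 shows the loader pattern,
# pid 7 allocates an ordinary read/write buffer and starts a thread in its own image.
SAMPLE_EVENTS = [
    {"pid": 4242, "api": "VirtualAlloc", "base": 0x1F0000, "size": 0x20000, "protect": PAGE_READWRITE},
    {"pid": 7, "api": "VirtualAlloc", "base": 0x300000, "size": 0x1000, "protect": PAGE_READWRITE},
    {"pid": 4242, "api": "VirtualProtect", "address": 0x1F0000, "protect": PAGE_EXECUTE_READWRITE},
    {"pid": 7, "api": "CreateThread", "start": 0x401000},
    {"pid": 4242, "api": "CreateThread", "start": 0x1F0100},
]

if __name__ == "__main__":
    for pid, start in find_memory_injection(SAMPLE_EVENTS):
        print(f"pid {pid}: thread started in self-allocated executable memory at {start:#x}")
```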

In the analyzed campaigns, both Agenda ransomware and SmokeLoader, a notorious malware loader and infostealer, were delivered using this method.

SmokeLoader, in turn, demonstrates its own layered obfuscation and defense evasion tactics, including anti-debugging, anti-VM, and process injection mechanisms.

Notably, it implements execution guardrails by terminating if it detects Russian or Ukrainian keyboard layouts and only executes on Windows Vista or later systems.

Its process and window discovery routines target commonly used analysis and debugging tools by name hash, terminating these processes to hinder forensic investigation and incident response.

Communication with command-and-control (C2) infrastructure is secured through encrypted POST requests, with payloads obfuscated using RC4.

Despite receiving HTTP 404 responses, the malware parses these responses for embedded commands.
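Two of the network traits above, disposable domains on the .cfd and .xyz TLDs and 404 replies that still carry a body, can be triaged from proxy logs. This is an added example written for this article, not code from the article or from Trend Micro; the log format, the body-size threshold and the sample lines (including the .cfd host name) are constructed assumptions.

```python
"""Triage proxy log lines for the loader C2 pattern described above (constructed sample data)."""
import re

# Low-reputation TLDs the article names for the disposable distribution domains.
SUSPECT_TLDS = {"cfd", "xyz"}
# A genuine "not found" page is usually a small HTML stub; a 404 body this large in reply
# to a POST is worth a look (threshold is an assumption, tune it per environment).
MIN_404_BODY_BYTES = 256

# Assumed log format: timestamp client method url status response_bytes "content-type"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ctype>[^"]*)"$'
)

def host_tld(url):
    """Return the lowercase top-level domain of the host part of a URL."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.rsplit(".", 1)[-1].lower()

def score_line(line):
    """Return the list of suspicious traits for one log line (empty when clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    tld = host_tld(m["url"])
    if tld in SUSPECT_TLDS:
        reasons.append(f"host uses low-reputation TLD .{tld}")
    if (m["method"] == "POST" and m["status"] == "404"
            and int(m["bytes"]) >= MIN_404_BODY_BYTES):
        reasons.append(f"404 reply to POST carries {m['bytes']} bytes")
    return reasons

def flag_c2_candidates(log_text):
    """Return (url, reasons) for every line with at least one suspicious trait."""
    hits = []
    for line in log_text.splitlines():
        reasons = score_line(line)
        if reasons:
            hits.append((LOG_RE.match(line)["url"], reasons))
    return hits

# Constructed sample log; the .cfd host is a made-up name, not an indicator from the article.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200 5120 "text/html"
2025-03-01T10:00:07Z 10.0.0.5 POST http://blog-updates-host.cfd/post.php 404 1832 "application/octet-stream"
2025-03-01T10:00:09Z 10.0.0.9 POST https://api.example.com/login 404 118 "text/html"
"""

if __name__ == "__main__":
    for url, reasons in flag_c2_candidates(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```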

Furthermore, SmokeLoader acts as a delivery vector for the final-stage ransomware payload, using reflective DLL loading to execute the Agenda payload directly in memory without writing it to disk, which makes detection by traditional antivirus solutions extremely challenging.

The adoption of NETXLOADER and the expanded use of custom packing and obfuscation strategies signal a marked increase in the technical sophistication of Agenda-linked campaigns.

The modular nature of the loader means that future campaigns could pivot to deliver different types of malware based on attacker objectives, further complicating attribution and response.

Given the ongoing enhancements in evasion and delivery mechanisms, security experts recommend a multi-layered defense strategy.

This includes minimizing administrative privileges, ensuring regular patching and endpoint scanning, adopting advanced behavioral analytics, and implementing robust data backup protocols.

Continuous user education to thwart social engineering, along with proactive monitoring for anomalous script execution or outbound network connections, is essential in countering such highly dynamic threats.

Organizations leveraging endpoint detection and response (EDR) tools with memory analysis and sandboxing capabilities stand the best chance of early detection and mitigation in the face of the Agenda group’s increasingly sophisticated operations.
