Recent cyber threats involve the Qilin ransomware family using malware such as SmokeLoader and a new .NET-based loader, NETXLOADER, to deploy malicious payloads. The campaign demonstrates advanced obfuscation techniques and evolving tactics against various sectors worldwide. (Affected: organizations across healthcare, technology, financial services, telecommunications, and other sectors targeted by Qilin ransomware)
Key points:
- Threat actors linked to Qilin ransomware utilize malware like SmokeLoader and the newly identified NETXLOADER for attack campaigns.
- NETXLOADER is a highly obfuscated .NET-based loader protected by .NET Reactor 6, designed to bypass detection and analysis.
- It stealthily deploys payloads such as SmokeLoader and Agenda ransomware by retrieving them from external servers.
- The attack chain often begins with phishing or valid account compromise to drop NETXLOADER and establish malware execution.
- SmokeLoader employs techniques like virtualization evasion and process termination to evade detection and establish command-and-control contact.
- Agenda, also known as Qilin, has seen increased disclosures and targets sectors including healthcare, finance, and technology across multiple countries.
- Following the shutdown of RansomHub, Qilin's affiliate activity surged, making it a leading ransomware threat in 2025.
Read More: https://thehackernews.com/2025/05/qilin-leads-april-2025-ransomware-spike.html