Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, reportedly intensified its attacks in the first quarter of 2025, targeting critical sectors such as healthcare, technology, financial services, and telecommunications across the US, the Netherlands, Brazil, India, and the Philippines.

According to a detailed analysis by Trend Micro, the group has evolved its arsenal by integrating a newly identified .NET-based loader named NETXLOADER alongside the notorious SmokeLoader.

Figure: Initial code structure of NETXLOADER.

This strategic advancement, first observed in November 2024, has heightened the risk of sensitive data theft and device compromise due to the stealthy nature of these tools.

NETXLOADER, protected by .NET Reactor 6, employs sophisticated obfuscation techniques such as control flow obfuscation and JIT hooking, rendering static analysis nearly impossible and complicating reverse engineering efforts.

This loader dynamically deploys malicious payloads like Agenda ransomware and SmokeLoader directly into memory, bypassing traditional detection mechanisms through dynamic API calls and memory manipulation.

Technical Sophistication and Evasion Tactics Unveiled

The technical prowess of NETXLOADER lies in its intricate design, utilizing a sprawling infrastructure of malicious domains with deceptive naming conventions to evade suspicion.

Domains such as bloglake7[.]cfd and mxblog77[.]cfd serve as transient hubs for payload distribution, often mimicking benign services while delivering executables with pseudo-random names like rh10j0n.exe, later standardized to formats like rh111.exe for a false sense of legitimacy.

The loader’s obfuscated code, packed with gibberish method names and hidden MSIL bytecode, hooks into the clrjit.dll library to replace placeholder methods at runtime, further thwarting security measures.

After deobfuscating the loader with tools like NETReactorSlayer, researchers uncovered its decryption routines, which combine AES with GZipStream decompression and ultimately execute the payload in memory using Windows API functions such as VirtualAlloc and CreateThread.

Simultaneously, SmokeLoader demonstrates advanced evasion by employing anti-analysis techniques such as opaque predicates, dynamic API resolution, and system checks to avoid detection in virtualized or debugged environments.

It specifically targets Windows Vista or newer systems, terminates processes linked to analysis tools, and injects itself into explorer.exe, showcasing a refined approach to persistence and privilege escalation.
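The indicators described above (throwaway .cfd domains, short pseudo-random executable names such as rh10j0n.exe, remote threads into explorer.exe, and termination of analysis tools) can be correlated per host into a simple detection score. The following is an added example written for this page, not code from Trend Micro or the malware authors; the event schema, the "rh*.exe" name pattern, and the list of analysis tools are assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the article: transient .cfd domains and short
# pseudo-random executable names such as rh10j0n.exe / rh111.exe.
CFD_DOMAIN = re.compile(r"\.cfd$", re.IGNORECASE)
LOADER_NAME = re.compile(r"^rh[0-9a-z]{3,6}\.exe$", re.IGNORECASE)  # assumed pattern
INJECT_TARGET = "explorer.exe"  # SmokeLoader injection target named in the article
ANALYSIS_TOOLS = {"procmon.exe", "x64dbg.exe", "wireshark.exe"}  # assumed sample set

def score_event(ev):
    """Return (points, reason) for one Sysmon-style event, or (0, None) if benign."""
    kind = ev["type"]
    if kind == "net" and CFD_DOMAIN.search(ev["dest"]):
        return 2, f"connection to .cfd domain {ev['dest']}"
    if kind == "proc" and LOADER_NAME.match(ev["image"].rsplit("\\", 1)[-1]):
        return 2, f"pseudo-random loader name {ev['image']}"
    if kind == "remote_thread" and ev["target"].lower() == INJECT_TARGET:
        return 3, f"remote thread into {INJECT_TARGET} from {ev['source']}"
    if kind == "proc_term" and ev["image"].lower() in ANALYSIS_TOOLS:
        return 1, f"analysis tool {ev['image']} terminated"
    return 0, None

def correlate(events, threshold=5):
    """Sum scores per host; return only hosts at or above the threshold."""
    hits = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in events:
        pts, why = score_event(ev)
        if pts:
            hits[ev["host"]]["score"] += pts
            hits[ev["host"]]["reasons"].append(why)
    return {h: v for h, v in hits.items() if v["score"] >= threshold}

# Constructed sample telemetry (not from the article); ws01 mimics the chain, ws02 is benign.
SAMPLE = [
    {"host": "ws01", "type": "net", "dest": "bloglake7.cfd"},
    {"host": "ws01", "type": "proc", "image": r"C:\Users\a\AppData\Local\Temp\rh10j0n.exe"},
    {"host": "ws01", "type": "remote_thread", "source": "rh10j0n.exe", "target": "explorer.exe"},
    {"host": "ws01", "type": "proc_term", "image": "procmon.exe"},
    {"host": "ws02", "type": "net", "dest": "updates.example.com"},
    {"host": "ws02", "type": "proc", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, info in correlate(SAMPLE).items():
        print(host, info["score"], "; ".join(info["reasons"]))
```

Each indicator alone is weak (a .cfd domain or a short executable name is not proof of compromise), which is why the example only alerts when several of them stack up on one host.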

The synergy of these tools in Agenda’s attack chain underscores a deliberate effort to maximize disruption across diverse targets, including domain networks and virtual environments, facilitated by the group’s shift to Rust for cross-platform compatibility and custom packers for enhanced evasion.

Figure: Agenda ransomware attack chain.

Trend Micro’s Vision One platform has been pivotal in detecting and blocking these threats, offering enterprises critical hunting queries and threat intelligence to stay ahead of such sophisticated campaigns.

As Agenda continues to adapt, organizations must adopt multilayered security strategies, rigorous access controls, and proactive monitoring to mitigate the evolving risks posed by these advanced malware delivery mechanisms.
