Qilin Ransomware Surges in April 2025 with 45 Breaches Using NETXLOADER and SmokeLoader Malware

By jinia

The notorious Qilin ransomware group—also known as Agenda—has emerged as the top ransomware threat in April 2025, carrying out at least 45 major cyberattacks using a new malware loader called NETXLOADER and the infamous SmokeLoader malware.

What is NETXLOADER?

According to cybersecurity researchers at Trend Micro, Qilin-affiliated attackers began deploying NETXLOADER in campaigns observed in November 2024. This newly discovered .NET-based malware loader plays a key role in ransomware infections by stealthily delivering secondary payloads.


“NETXLOADER is a heavily obfuscated .NET loader designed to deliver secondary payloads such as Agenda ransomware and SmokeLoader,” — Trend Micro researchers.


Protected by .NET Reactor v6, NETXLOADER uses JIT hooking, meaningless method names, and control flow obfuscation to resist analysis and bypass traditional defenses.



Qilin Leads April 2025 Ransomware Activity

New data from Group-IB reveals a dramatic spike in Qilin's activity:

  • 48 ransomware attacks in February 2025
  • 44 attacks in March 2025
  • 45 breaches in the first weeks of April 2025


These numbers dwarf the group’s prior pace, which averaged fewer than 23 attacks per month between July 2024 and January 2025. The surge followed the shutdown of RansomHub, a major competitor in the ransomware ecosystem.


SmokeLoader and Reflective DLL Injection

Once NETXLOADER is executed—often through phishing emails or compromised accounts—it drops SmokeLoader, a powerful malware dropper that performs:

  • Virtualization and sandbox evasion
  • Process termination
  • Connection to remote C2 servers (e.g., bloglake7[.]cfd)


SmokeLoader then fetches the final ransomware payload and deploys it via reflective DLL injection, a stealth technique that loads the malicious DLL directly from memory, without writing it to disk or registering it with the normal Windows loader, so it never appears in the process's loaded-module list.
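Because the loader's obfuscation defeats string matching on the binary itself, the C2 connection described above is often the easiest point to catch in network telemetry. The following Python script is an added example (not code from the article or from Trend Micro) that refangs the defanged indicator quoted in the article and scans DNS and proxy log lines for the domain or any of its subdomains; the log lines and field layout are constructed for illustration.

```python
import re
from typing import Iterable, List, Tuple

# The one C2 domain named in the article, kept in its defanged form.
DEFANGED_IOCS = ["bloglake7[.]cfd"]

# Constructed sample log lines (not real telemetry): two hits, one near miss, one benign.
SAMPLE_LOGS = [
    "2025-04-12T09:14:03Z dns client=10.0.4.21 query=bloglake7.cfd type=A",
    "2025-04-12T09:14:05Z proxy src=10.0.4.21 url=http://update.bloglake7.cfd/cfg.bin status=200",
    "2025-04-12T09:15:10Z dns client=10.0.4.22 query=bloglake77.cfd type=A",
    "2025-04-12T09:16:00Z dns client=10.0.4.23 query=www.example.com type=A",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (bloglake7[.]cfd, hxxp://...) back into its literal form."""
    s = indicator.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed, ".")
    s = re.sub(r"^hxxps?://", "", s)  # strip the hxxp:// defanging convention
    return s


def build_domain_pattern(domains: Iterable[str]) -> "re.Pattern[str]":
    """Regex that matches each domain, or any subdomain of it, as a whole hostname.

    The lookbehind stops 'notbloglake7.cfd' from matching; the lookahead stops
    'bloglake7.cfd.evil.com' from matching while still allowing a trailing FQDN dot.
    """
    alternatives = "|".join(re.escape(refang(d)) for d in domains)
    return re.compile(
        r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*(?:" + alternatives + r")(?!\.?[a-z0-9-])",
        re.IGNORECASE,
    )


def find_c2_hits(log_lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[int, str]]:
    """Return (line_number, matched_hostname) for every log line that references an IoC domain."""
    pattern = build_domain_pattern(iocs)
    hits: List[Tuple[int, str]] = []
    for line_no, line in enumerate(log_lines, start=1):
        match = pattern.search(line)
        if match:
            hits.append((line_no, match.group(0).lower()))
    return hits


if __name__ == "__main__":
    for line_no, host in find_c2_hits(SAMPLE_LOGS):
        print(f"line {line_no}: contact with {host}")
```

Feed the function your own DNS resolver or proxy export one line at a time; a hit on any host in the list warrants pulling the source IP's process and memory artifacts, since by the time the connection is made the loader has already run.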


Qilin Targets Critical Sectors Worldwide

According to Trend Micro, Qilin's ransomware campaigns have hit multiple high-risk sectors, including:

  • Healthcare
  • Technology
  • Financial Services
  • Telecommunications


Countries affected include the U.S., Brazil, the Netherlands, India, and the Philippines.



Advanced Evasion Techniques

Trend Micro emphasizes that NETXLOADER’s obfuscation capabilities present significant challenges to traditional security tools. Even string-based detection techniques fail due to the complex code-scrambling employed.


“It hides the real payload, making it invisible without executing the code in memory. This level of stealth is a game-changer.” — Trend Micro


Conclusion: What This Means for 2025 Cybersecurity

The April 2025 ransomware surge led by Qilin highlights the growing complexity of cyber threats. As groups adopt tools like NETXLOADER and SmokeLoader, it's more important than ever for organizations to deploy advanced threat detection, employee training, and robust incident response plans.