Qilin Leads April 2025 Ransomware Spike with 45 Breaches Using NETXLOADER Malware
Briefly

The article discusses a recent Qilin ransomware campaign that has begun using a new .NET-based loader, NETXLOADER, to deploy additional malware such as SmokeLoader and Agenda ransomware. Since February 2025, disclosures on Qilin's data leak site have surged, making it the leading ransomware group by recent disclosures. The surge coincides with a wave of new affiliates following the shutdown of RansomHub. Qilin's ransomware activities have predominantly affected multiple sectors, including healthcare and finance, across various countries.
NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks, stealthily deploying additional malicious payloads, such as Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is difficult to analyze.
Read at The Hacker News