Do Son 
The Qilin group, also known by the alias Agenda, emerged as the most active ransomware operator in April 2025, having published data on 72 victims via its leak site. According to Group-IB, this marks an all-time high: from July 2024 to January 2025, such disclosures rarely exceeded 23 per month, but starting in February, the numbers surged dramatically—48 incidents in February, 44 in March, and 45 within just the first weeks of April.
A key catalyst behind this escalation was the abrupt disappearance of the rival group RansomHub, previously ranked second in attack volume. Following its dissolution, a significant number of affiliated cybercriminals migrated to Qilin, fueling an exponential expansion of its operations. Flashpoint reports that between April 2024 and April 2025, RansomHub had managed to compromise 38 organizations in the financial sector before vanishing from the threat landscape.
Qilin’s campaigns are distinguished by their deployment of a novel malware toolkit: the well-known SmokeLoader module paired with a newly discovered .NET-based loader codenamed NETXLOADER.
Researchers at Trend Micro conducted an in-depth analysis of NETXLOADER and underscored its pivotal role in distributing malicious payloads, including Agenda and SmokeLoader itself. This loader discreetly installs malware modules, is shielded by .NET Reactor version 6, and employs a suite of advanced evasion techniques.
NETXLOADER proves exceptionally resistant to analysis: its code is encrypted, method names are deliberately obfuscated, and execution logic is intricately entangled. Sophisticated concealment methods are employed, such as JIT hooks and controlled in-memory DLL loading, rendering static analysis and string-based detection virtually impossible. In essence, understanding its full functionality is infeasible without executing it in a live environment.
Attack chains typically commence with phishing campaigns or the compromise of legitimate user credentials. Once deployed on the target system, NETXLOADER activates SmokeLoader, which initiates anti-analysis routines, conducts virtualization checks, and terminates processes from a predefined list. In the final stage, SmokeLoader connects to a remote command-and-control server to retrieve NETXLOADER, which in turn deploys the Agenda ransomware via Reflective DLL Loading—a technique that loads the malicious library directly into memory, bypassing the disk.
Agenda is aggressively used to target network domains, external drives, storage devices, and VCenter ESXi hypervisors. According to Trend Micro’s observations, its most frequent victims are organizations in the healthcare, financial, telecommunications, and IT infrastructure sectors across the United States, India, Brazil, the Philippines, and the Netherlands.
As the number of victims grows and the technical sophistication of its tools continues to evolve, Qilin is solidifying its reputation as one of the most technologically advanced ransomware collectives in the cybercriminal underworld.
Donate