Full Report
Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET compiled loader codenamed NETXLOADER as part of a campaign observed in November 2024. "NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks," Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl
Analysis Summary
# Incident Report: Qilin Ransomware Campaign Leveraging NETXLOADER and SmokeLoader
## Executive Summary
In November 2024, threat actors associated with the **Qilin** (Agenda) ransomware group initiated an attack campaign utilizing a new, highly obfuscated .NET loader named **NETXLOADER** alongside the existing **SmokeLoader** malware. The primary impact involved deploying Agenda ransomware onto targeted systems following initial access via phishing or exploitation of valid accounts. The attackers successfully bypassed traditional detection mechanisms using advanced obfuscation techniques before deploying the final ransomware payload.
## Incident Details
- Discovery Date: Analysis published circa May 2025 (Campaign observed in November 2024)
- Incident Date: November 2024
- Affected Organization: Multiple organizations across various sectors (Specific organization not disclosed in text)
- Sector: Healthcare, Technology, Financial Services, and Telecommunications
- Geography: U.S., Netherlands, Brazil, India, and the Philippines
## Timeline of Events
### Initial Access
- Date/Time: November 2024 (Observation period)
- Vector: Valid account usage and Phishing
- Details: Attack chains leveraged social engineering or compromised legitimate credentials to drop the initial stage malware.
### Lateral Movement
- Details: SmokeLoader establishes contact with a C2 server to fetch NETXLOADER. The source implies that the combined actions of SmokeLoader and NETXLOADER lead to ransomware deployment, but it does not describe specific internal lateral movement steps beyond the payload delivery sequence.
### Data Exfiltration/Impact
- Impact: Deployment of Agenda ransomware, targeting domain networks, mounted devices, storage systems, and vCenter ESXi. The primary impact is operational disruption and extortion.
### Detection & Response
- Detection: Trend Micro researchers identified and analyzed the campaign components (NETXLOADER, SmokeLoader, and Agenda integration).
- Response Actions: Analysis was performed to understand the obfuscation techniques and delivery mechanism. (Specific organizational containment/eradication steps are not detailed in the text.)
## Attack Methodology
- Initial Access: Valid accounts and Phishing.
- Persistence: Implied through the loading mechanism of sequential malware loaders.
- Privilege Escalation: Not explicitly detailed, but necessary for ransomware deployment on critical systems.
- Defense Evasion: NETXLOADER is protected by .NET Reactor 6, uses control flow obfuscation, seemingly meaningless method names, and JIT hooking to resist analysis. SmokeLoader performs virtualization and sandbox evasion and terminates a hard-coded list of running processes.
- Credential Access: Not explicitly detailed, but implied as part of the overall attack chain leading to ransomware execution.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed beyond the chain of payload delivery.
- Collection: Not explicitly detailed.
- Exfiltration: Data extortion via ransomware deployment (no direct exfiltration details provided for this specific campaign description).
- Impact: Deployment of Agenda ransomware encrypting diverse systems including ESXi.
## Impact Assessment
- Financial: Not quantified, but associated with significant costs due to ransomware response and potential ransom payment.
- Data Breach: Ransomware implies data encryption and potential data theft for double extortion. (Specific volume/type not disclosed).
- Operational: Disruption to critical services within the Healthcare, Technology, Financial Services, and Telecommunications sectors across multiple countries.
- Reputational: High risk due to the increasing activity of Qilin ransomware group; Qilin became the top ransomware group for April 2025 disclosures.
## Indicators of Compromise
- Network Indicators (Defanged): C2 server retrieving payloads: `bloglake7[.]cfd`
- File Indicators: SmokeLoader, NETXLOADER (obfuscated .NET loader).
- Behavioral Indicators: Use of reflective DLL loading to execute Agenda ransomware; JIT hooking for defense evasion; process termination by SmokeLoader.
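The defanged C2 domain above is the one concrete, machine-checkable indicator on this page. The following is an added example (not code from the report or from Trend Micro) that refangs the indicator and sweeps proxy and DNS log lines for contact with that domain or any of its subdomains; the log field layout (`host=`, `query=`, `src=`, `client=`) and the sample lines are constructed assumptions.

```python
"""Turn the defanged C2 indicator into a detection over proxy/DNS log lines."""
import re

# Defanged indicator as published on the page; refanged at runtime so the
# report text never carries a live, clickable domain.
DEFANGED_C2 = "bloglake7[.]cfd"

def refang(indicator: str) -> str:
    """Undo common defanging conventions: [.] / (dot) -> '.', hxxp -> http."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s

def matches_indicator(host: str, indicator: str) -> bool:
    """True if host equals the indicator domain or is a subdomain of it.
    The leading '.' in the suffix check keeps 'notbloglake7.cfd' from matching."""
    host = host.lower().rstrip(".")
    ind = refang(indicator).rstrip(".")
    return host == ind or host.endswith("." + ind)

# Constructed sample log lines (assumed format, not taken from the report).
SAMPLE_LOGS = [
    "2024-11-12T09:14:03Z proxy src=10.0.4.21 host=bloglake7.cfd method=GET path=/stage2 status=200",
    "2024-11-12T09:14:05Z dns client=10.0.4.21 query=cdn.bloglake7.cfd type=A",
    "2024-11-12T09:15:10Z proxy src=10.0.7.8 host=updates.example.com method=GET path=/ status=304",
    "2024-11-12T09:16:41Z dns client=10.0.9.3 query=notbloglake7.cfd type=A",
]

HOST_FIELD = re.compile(r"\b(?:host|query)=([A-Za-z0-9.-]+)")
CLIENT_FIELD = re.compile(r"\b(?:src|client)=([0-9.]+)")

def find_hits(lines, indicator=DEFANGED_C2):
    """Return (timestamp, client_ip, hostname) for each line touching the C2 domain."""
    hits = []
    for line in lines:
        m = HOST_FIELD.search(line)
        if not m or not matches_indicator(m.group(1), indicator):
            continue
        ts = line.split(" ", 1)[0]
        ip = CLIENT_FIELD.search(line)
        hits.append((ts, ip.group(1) if ip else None, m.group(1)))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print("C2 contact:", hit)
```

Each hit identifies an internal client that should be triaged for SmokeLoader or NETXLOADER activity before the Agenda payload stage is reached.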
## Response Actions
- Containment: Not detailed in the provided source analysis.
- Eradication: Not detailed in the provided source analysis.
- Recovery: Not detailed in the provided source analysis.
## Lessons Learned
- The evolution of ransomware delivery chains relies heavily on sophisticated multi-stage loading, masking final payloads.
- Advanced obfuscation (like .NET Reactor 6) and anti-analysis techniques render traditional signature-based detection ineffective against loaders like NETXLOADER.
- The tactic of using known malware (SmokeLoader) alongside new loaders (NETXLOADER) increases the potency of the overall attack chain.
- The Qilin group has rapidly scaled its operations following the disappearance of other major actors like RansomHub.
## Recommendations
- Implement advanced endpoint detection and response (EDR) solutions capable of detecting memory-resident code execution and behavioral anomalies (e.g., JIT hooking, process termination lists).
- Enforce rigorous multi-factor authentication, especially for valid accounts leveraged in initial access.
- Prioritize network segmentation to limit the blast radius when ransomware (like Agenda targeting ESXi and storage) is deployed.
- Focus security analysis efforts on identifying heavily obfuscated .NET binaries early in the stage chain, even if static analysis yields limited information.