NETXLOADER Opens the Door for a Fresh Qilin Ransomware Surge

A Hidden Loader Comes to Light

Trend Micro has detailed a stealthy .NET loader it has named NETXLOADER. First observed in attacks in November 2024, the loader works in tandem with SmokeLoader to deploy the Agenda ransomware (better known as Qilin). Protected with the commercial obfuscator .NET Reactor 6, NETXLOADER keeps its strings and payload logic encrypted until execution, which makes static, file-based detection considerably harder.


How the Attack Unfolds

The intrusions begin with familiar entry points: phishing messages or stolen credentials give the criminals their first foothold. Once inside the network they drop NETXLOADER, which reaches out to an external site such as "bloglake7[.]cfd" to download SmokeLoader. SmokeLoader checks that it is not running inside a sandbox or virtual machine, terminates selected security processes, and calls home again. A second copy of NETXLOADER then launches Agenda ransomware through reflective DLL loading, mapping the payload directly into memory so the ransomware DLL never has to be written to disk as a normal file. From there the encryption routine can reach Windows domain hosts, mapped drives, backup storage, and even VMware ESXi hosts.

Obfuscation Tricks That Frustrate Analysts

All strings, method names, and control paths inside NETXLOADER are heavily obfuscated. The code also relies on JIT hooking: it intercepts the .NET just-in-time compiler so that a method's real body is only restored at the moment it is compiled at runtime, forcing defenders to analyse the malware in memory rather than on disk. Because the loader fetches its payload at runtime, a static scan of the loader alone cannot tell which malware family it will deliver.

A Spike in Qilin’s Public Victim Count

Qilin had kept a modest pace since its debut in July 2022, never naming more than 23 victims in a month through January 2025. The pace picked up sharply in February 2025, and it has held since rival outfit RansomHub folded in early April 2025. According to Group-IB, Qilin's leak site listed 48 companies in February, 44 in March, and 45 during the first half of April, making it the most prolific ransomware crew at the moment. Targets span healthcare, technology, finance, and telecom firms in the United States, the Netherlands, Brazil, India, and the Philippines.

What Defenders Should Do Now

Trend Micro urges security teams to treat unknown .NET executables, especially those protected with .NET Reactor, as suspicious until proven otherwise, to enforce multi-factor authentication on every remote-access path, and to block the loader's known command-and-control domains wherever possible. Domain blocking buys time rather than immunity, since operators rotate infrastructure, so it should be paired with detection of the behaviour described above (a .NET process fetching and reflectively loading a second-stage payload). Segmenting networks and keeping fresh offline backups remain the surest ways to limit the damage if Agenda breaks through.
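As an added illustration of the first recommendation, the following script is a simple triage check, written for this article and not part of Trend Micro's tooling or the malware itself. It parses a PE file's headers, reports whether the file is a managed (.NET) assembly by checking for the CLR runtime header (data directory entry 14), and measures the Shannon entropy of each section, since a protector such as .NET Reactor leaves the encrypted method bodies and payload as high-entropy blobs. The entropy threshold of 7.2 bits per byte and the sample images (built inline by build_sample_pe, which produces a minimal synthetic PE32, not a real loader) are assumptions for demonstration. A hit means "inspect this file", not "this is NETXLOADER": legitimately protected or compressed .NET software will trip the same heuristic.

```python
import math
import random
import struct

CLR_RUNTIME_HEADER_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
HIGH_ENTROPY = 7.2             # assumed triage threshold (8.0 is the maximum)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, up to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(blob: bytes) -> dict:
    """Parse PE headers and report .NET status plus per-section entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", blob, coff + 2)
    (size_opt,) = struct.unpack_from("<H", blob, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", blob, opt)
    # Data directories start at +96 (PE32) or +112 (PE32+) in the optional header
    if magic == 0x10B:
        dir_off, count_off = 96, 92
    elif magic == 0x20B:
        dir_off, count_off = 112, 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", blob, opt + count_off)
    is_dotnet = False
    if num_dirs > CLR_RUNTIME_HEADER_INDEX:
        clr_rva, clr_size = struct.unpack_from(
            "<II", blob, opt + dir_off + 8 * CLR_RUNTIME_HEADER_INDEX)
        is_dotnet = clr_rva != 0 and clr_size != 0
    sections = []
    sec_tbl = opt + size_opt
    for i in range(num_sections):
        hdr = sec_tbl + 40 * i
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        ent = shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name, "entropy": round(ent, 2),
                         "suspicious": ent >= HIGH_ENTROPY})
    return {"is_dotnet": is_dotnet, "sections": sections,
            "flag": is_dotnet and any(s["suspicious"] for s in sections)}


def build_sample_pe(section_payloads: list, dotnet: bool) -> bytes:
    """Constructed minimal PE32 image for demonstration only (not a real
    sample): named section payloads, CLR directory entry set when dotnet=True."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    n = len(section_payloads)
    size_opt = 224  # PE32 optional header with all 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * CLR_RUNTIME_HEADER_INDEX, 0x2008, 0x48)
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * n
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF   # 512-byte file alignment
    sec_hdrs, body, rva = b"", b"", 0x1000
    for name, payload in section_payloads:
        sec_hdrs += struct.pack("<8sIIII", name, len(payload), rva,
                                len(payload), raw_ptr + len(body)) + b"\0" * 16
        body += payload
        rva += 0x1000
    image = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return image.ljust(raw_ptr, b"\0") + body


# Constructed inputs: a deterministic pseudo-random blob stands in for an
# encrypted payload; the repeated text stands in for ordinary managed code.
PACKED = random.Random(20241101).randbytes(4096)
PLAIN = b"using System; static void Main() {}\r\n" * 64
SUSPECT = build_sample_pe([(b".text", PLAIN), (b".rsrc", PACKED)], dotnet=True)
BENIGN = build_sample_pe([(b".text", PLAIN)], dotnet=True)
NATIVE = build_sample_pe([(b".data", PACKED)], dotnet=False)

if __name__ == "__main__":
    for label, image in (("suspect", SUSPECT), ("benign", BENIGN), ("native", NATIVE)):
        print(label, triage_pe(image))
```

On a real host the same triage_pe call can be pointed at the bytes of any unknown executable dropped into user-writable paths; files that are both managed and carry a high-entropy section are the ones worth detonating in a sandbox or dumping from memory, since, as noted above, their real contents only appear once the JIT compiler has restored them.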