Qilin Ransomware Tops April 2025 Leak-Site Rankings with 72 Data Leak Disclosures
Threat actors associated with the Qilin ransomware family have been observed delivering their payloads with a .NET-compiled loader tracked as NETXLOADER, used together with the long-established SmokeLoader malware. The pairing was prominent in a campaign identified in November 2024.
NETXLOADER acts as a stealthy first stage whose job is to fetch and run further payloads, including the Agenda ransomware and SmokeLoader itself. The loader is protected with .NET Reactor 6, which complicates static analysis for defenders and incident responders.
Qilin, also referred to as Agenda, has emerged as a significant ransomware threat since its introduction in July 2022. Notably, an enhanced variant identified as Qilin.B was reported by cybersecurity firm Halcyon last year.
Recent intelligence shared by Group-IB indicates that disclosures on Qilin's data leak site have risen sharply, making it the most prolific ransomware group of April 2025 with 72 listed victims. The April figure continues an upward trend already visible in the disclosures posted in February, March, and the early weeks of April 2025.
The increase in Qilin’s operational activity has been attributed to an influx of affiliates following the shutdown of RansomHub, another prominent ransomware group that was highly active in 2024. It was reported that RansomHub claimed numerous victims within the financial sector during its operational period.
Investigations into Qilin’s activity reveal that the group primarily targets sectors such as healthcare, technology, financial services, and telecommunications, affecting organizations across various countries including the U.S., the Netherlands, Brazil, India, and the Philippines.
NETXLOADER is a heavily obfuscated loader that retrieves its next-stage payloads, SmokeLoader and the Agenda ransomware, from external servers. Several layers of evasion make it hard to detect and analyze: just-in-time (JIT) hooking, in which the loader intercepts the .NET JIT compiler so that method bodies are only unpacked at the moment they are about to execute; meaningless method names that defeat name-based heuristics; and extensive control flow obfuscation.
Trend Micro researchers describe NETXLOADER as a notable step up in malware delivery. Because its strings and method bodies are concealed until runtime, a conventional string dump or static disassembly reveals little, and analysts have to execute the code (under a debugger, a sandbox, or an instrumented runtime) to recover what it actually does.
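To make the "string-based analysis is ineffective" point concrete, the following added example (written for this page, not code from Trend Micro or from the malware) builds a constructed stand-in for an obfuscated .NET image in which the payload URL is XOR-encoded, runs a strings(1)-style scan over it that understands both ASCII and UTF-16LE runs (.NET user strings are stored as UTF-16LE), and then shows what the loader's own decode routine yields at run time. The XOR key, the URL (an RFC 5737 documentation address), and the surrounding clear-text strings are all made up for the illustration.

```python
import re

# Constructed sample: a stand-in for an obfuscated .NET loader's data section.
# A single-byte XOR key is assumed here for illustration; real protectors use
# stronger schemes, but the analyst-facing effect is the same.
KEY = 0x5A
HIDDEN_URL = "http://198.51.100.23/stage2.bin"  # made-up, RFC 5737 range


def xor_encode(text: str, key: int) -> bytes:
    """Encode a user string the way a simple string-protector would."""
    return bytes(b ^ key for b in text.encode("utf-16-le"))


def build_sample_blob() -> bytes:
    """Assemble a fake image: a few clear-text strings plus the encoded URL."""
    clear = "Windows.Forms".encode("utf-16-le") + b"\x00\x00" + b"GetProcAddress\x00"
    return clear + b"\x00" * 16 + xor_encode(HIDDEN_URL, KEY) + b"\x00" * 16


ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob: bytes) -> list[str]:
    """strings(1)-style pass over ASCII and UTF-16LE runs of 4+ characters."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def static_scan_finds_url(blob: bytes) -> bool:
    """What a static triage rule keyed on URLs or the C2 address would see.
    Note that the XOR'd bytes are still printable, so the scan does return a
    long run of junk; it just never contains the indicator."""
    return any("http" in s or "198.51.100.23" in s for s in extract_strings(blob))


def runtime_decode(blob: bytes, offset: int, length: int, key: int) -> str:
    """The loader's own decode step, i.e. what a breakpoint on that routine or a
    decryptor written after recovering the key gives the analyst."""
    return bytes(b ^ key for b in blob[offset:offset + length]).decode("utf-16-le")


if __name__ == "__main__":
    blob = build_sample_blob()
    print("static strings:", extract_strings(blob))
    print("static scan finds URL:", static_scan_finds_url(blob))
    enc = xor_encode(HIDDEN_URL, KEY)
    off = blob.index(enc)
    print("runtime decode:", runtime_decode(blob, off, len(enc), KEY))
```

The same logic applies one level down: with JIT hooking the method bodies themselves are unpacked inside the hooked compiler, so the IL on disk is as uninformative as the XOR'd bytes above, and the practical recovery path is to dump the method body after the hook has run rather than to disassemble the file.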
In the observed intrusions, initial access came through compromised valid accounts and phishing, after which NETXLOADER was deployed. Once on the host, NETXLOADER drops SmokeLoader, which runs virtualization and sandbox checks and terminates any running processes whose names appear in a hard-coded list. SmokeLoader then contacts its command-and-control server to retrieve NETXLOADER, which in turn loads and executes the Agenda ransomware in memory via reflective DLL loading.
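Each stage of the chain above leaves a distinct endpoint signal: a burst of terminate-rights handle opens against other processes (the hard-coded kill list), an outbound connection from the same process (the C2 contact), and finally executable code mapped from memory rather than from a file (the reflective load). The following added example, written for this page rather than taken from Trend Micro or any vendor product, correlates those three signals per process over a small set of constructed events. The event schema is an assumption loosely modelled on Sysmon (process_access with PROCESS_TERMINATE rights standing in for Event ID 10, network_connect for Event ID 3); unbacked_image_load is a placeholder for whatever your EDR emits for in-memory module loads. Process paths, addresses and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # Windows access right bit checked in process_access events

# Constructed telemetry (not real Qilin/SmokeLoader indicators).
SAMPLE_EVENTS = [
    {"ts": "2025-04-02T10:00:00", "pid": 4100, "type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ts": "2025-04-02T10:00:04", "pid": 4100, "type": "process_access",
     "target_image": r"C:\Program Files\ExampleAV\avsvc.exe", "granted_access": 0x1},
    {"ts": "2025-04-02T10:00:04", "pid": 4100, "type": "process_access",
     "target_image": r"C:\Program Files\ExampleBackup\backupagent.exe", "granted_access": 0x1},
    {"ts": "2025-04-02T10:00:05", "pid": 4100, "type": "process_access",
     "target_image": r"C:\Program Files\ExampleDB\sqlservr.exe", "granted_access": 0x1},
    {"ts": "2025-04-02T10:00:30", "pid": 4100, "type": "network_connect",
     "dest": "198.51.100.23:443"},
    {"ts": "2025-04-02T10:01:10", "pid": 4100, "type": "unbacked_image_load",
     "size": 0x4A000},
    # Benign noise: a debugger attaching to one process with full access, then one connection.
    {"ts": "2025-04-02T10:05:00", "pid": 5200, "type": "process_create",
     "image": r"C:\Program Files\Tools\debugger.exe"},
    {"ts": "2025-04-02T10:05:02", "pid": 5200, "type": "process_access",
     "target_image": r"C:\Users\alice\app.exe", "granted_access": 0x1FFFFF},
    {"ts": "2025-04-02T10:05:10", "pid": 5200, "type": "network_connect",
     "dest": "192.0.2.7:443"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def correlate(events, min_kills=3, window=timedelta(minutes=10)):
    """Return one alert per process that, in this order and within `window` of
    the previous stage: (1) opened at least `min_kills` other processes with
    terminate rights, (2) then made an outbound connection, (3) then mapped an
    executable image that is not backed by a file on disk."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        kills = [e for e in evs if e["type"] == "process_access"
                 and e["granted_access"] & PROCESS_TERMINATE]
        if len(kills) < min_kills:
            continue
        burst_end = _ts(kills[min_kills - 1])
        if burst_end - _ts(kills[0]) > window:
            continue  # scattered handle opens, not a kill-list sweep
        beacon = next((e for e in evs if e["type"] == "network_connect"
                       and burst_end <= _ts(e) <= burst_end + window), None)
        if beacon is None:
            continue
        load = next((e for e in evs if e["type"] == "unbacked_image_load"
                     and _ts(beacon) <= _ts(e) <= _ts(beacon) + window), None)
        if load is None:
            continue
        image = next((e["image"] for e in evs if e["type"] == "process_create"), "<unknown>")
        alerts.append({
            "pid": pid,
            "image": image,
            "killed": [k["target_image"] for k in kills],
            "c2": beacon["dest"],
            "loaded_at": load["ts"],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring the three stages in sequence is what keeps the rule quiet: a lone burst of terminate-rights opens (backup agents, installers) or a lone in-memory load (many legitimate .NET and packer-based applications) is common, but a single process doing all three in order within minutes is the loader chain the article describes. The `min_kills` threshold and the window are tuning knobs, not fixed values from the report.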
The Agenda ransomware group continues to adapt and enhance its capabilities, targeting a range of infrastructure including domain networks and storage systems. Defenders should treat the loader chain, the process-termination sweep, and the in-memory execution of the payload as separate detection opportunities, since blocking any one stage breaks the chain before encryption begins.