
Agenda ransomware, also known as Qilin, has returned. In a recent exposé by Trend Micro, researchers have uncovered the group’s integration of two powerful tools — SmokeLoader and a newly discovered .NET-based loader called NETXLOADER — significantly enhancing the group’s ability to infiltrate, evade, and deploy ransomware payloads across various sectors and geographies.
“The new loader poses an increased risk of sensitive data theft and device compromise to targets due to its stealthy behavior,” Trend Micro warns.
Agenda’s recent activity spans across the US, the Netherlands, Brazil, India, and the Philippines, specifically targeting:
- Healthcare
- Technology
- Financial services
- Telecommunications
This demonstrates the group’s refined targeting and escalating operational sophistication since its emergence in 2022.

At the core of these operations lies NETXLOADER, a .NET-compiled malware loader protected with .NET Reactor 6, making it highly resistant to reverse engineering. Once deployed, it dynamically loads assemblies and executes hidden payloads, including SmokeLoader and the Agenda ransomware binary, all while avoiding detection.
“This loader is protected with .NET Reactor 6, significantly complicating reverse engineering efforts,” Trend Micro notes.
NETXLOADER uses JIT hooking, obfuscated method names, and AES-decrypted GZip payloads, making it exceptionally evasive. Once decrypted, the payload is executed entirely in-memory, avoiding disk-based detection. The loader even uses low-reputation domains (e.g., mxblog77[.]cfd) to cycle payloads and confuse defenders.
“Its complexity is enhanced by the utilization of JIT hooking techniques… dynamically replacing placeholder methods with MSIL bytecode at runtime.”
Meanwhile, SmokeLoader demonstrates an arsenal of evasion tactics:
- Virtualization/sandbox detection
- Process injection into explorer.exe
- Dynamic API resolution
- Debugger and language checks (terminates on Russian locale)
Its final stage injects into Windows Explorer, terminating known analysis tools such as Wireshark, IDA Pro, and Process Hacker using hashed process and window name recognition.
The malware files appear with randomized names (e.g., rh10j0n.exe) but are later renamed post-deployment to a standardized format like rh111.exe. This dual-naming scheme helps the malware blend in and complicates attribution.
“Generic names like mtx111.exe or ldx111.exe are less likely to raise alarms compared to overtly suspicious file names.”
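As an added example (not code from the Trend Micro report or this article), a small Python triage script that turns three of the behaviors described above into detection rules and runs them over constructed sample telemetry: a rename to an `xx111.exe`-style name, a DNS query to the cited payload-cycling domain, and explorer.exe terminating an analysis tool. The event field names and the analysis-tool process names are assumptions.

```python
import re

# Constructed sample telemetry (not from the report); fields mimic a generic
# EDR / Sysmon-style feed with file-rename, DNS and process-terminate events.
SAMPLE_EVENTS = [
    {"type": "file_rename", "src": r"C:\Users\alice\AppData\Local\Temp\rh10j0n.exe",
     "dst": r"C:\ProgramData\rh111.exe"},
    {"type": "dns_query", "image": r"C:\ProgramData\rh111.exe", "query": "mxblog77.cfd"},
    {"type": "process_terminate", "source": r"C:\Windows\explorer.exe", "target": "ProcessHacker.exe"},
    {"type": "process_terminate", "source": r"C:\Windows\explorer.exe", "target": "Wireshark.exe"},
    {"type": "file_rename", "src": r"C:\Users\alice\Downloads\setup_tmp.exe",
     "dst": r"C:\Users\alice\Downloads\setup.exe"},          # benign rename
    {"type": "process_terminate", "source": r"C:\Windows\System32\taskmgr.exe",
     "target": "notepad.exe"},                                # benign kill
]

# Post-deployment naming scheme from the report: two or three letters + "111.exe"
# (rh111.exe, mtx111.exe, ldx111.exe).
STANDARD_NAME = re.compile(r"^[a-z]{2,3}111\.exe$", re.IGNORECASE)
# Payload-cycling domain named in the report (defanged there as mxblog77[.]cfd).
KNOWN_DOMAINS = {"mxblog77.cfd"}
# Assumed process names for the analysis tools SmokeLoader is said to terminate.
ANALYSIS_TOOLS = {"wireshark.exe", "ida.exe", "ida64.exe", "processhacker.exe"}


def basename(path: str) -> str:
    """Last path component, accepting both backslash and slash separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(events: list[dict]) -> list[str]:
    """Return one finding per event that matches a rule; an empty list if clean."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_rename" and STANDARD_NAME.match(basename(ev["dst"])):
            findings.append(f"rename to Agenda-style name: {basename(ev['src'])} -> {basename(ev['dst'])}")
        elif kind == "dns_query" and ev["query"].lower() in KNOWN_DOMAINS:
            findings.append(f"query to known payload domain {ev['query']} by {basename(ev['image'])}")
        elif (kind == "process_terminate"
              and basename(ev["source"]).lower() == "explorer.exe"
              and ev["target"].lower() in ANALYSIS_TOOLS):
            findings.append(f"explorer.exe terminated analysis tool {ev['target']}")
    return findings


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The naming rule is deliberately narrow; on a real estate tune it against your own software inventory before alerting on it.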
The final payload — Agenda ransomware — is loaded into memory using reflective DLL injection, a technique that avoids writing the payload to disk. NETXLOADER uses VirtualAlloc, VirtualProtect, CreateThread, and other low-level Windows API calls, all masked behind obfuscated delegates.
“Using Delegate 20 (WaitForSingleObject), it waits indefinitely until the thread terminates… before it quietly terminates itself.”