InfoSecBulletin Cybersecurity for mankind
The cyber threat landscape is rapidly changing, with a notable increase in ransomware activity in April 2025, driven by the Qilin ransomware group. They exploited the NETXLOADER malware loader and SmokeLoader, causing 45 confirmed data breaches in a matter of weeks, surpassing major rivals like Akira, Play, and Lynx.
What Is NETXLOADER?
Hacker claim to breach Link3; 189,000 Users data up for sale
Check Point Hosts “Securing the Hyperconnected World in the AI Era” in Dhaka
Microsoft Confirms 900+ XSS Vulns Found in IT Services
Daily Security Update Dated : 15.09.2025
IBM QRadar SIEM Vuln Let Attackers Perform Unauthorized Actions
Major Australian Banks using Army of AI Bots to Scam Scammers
F5 to acquire CalypsoAI for $180M for Advanced AI Security Capabilities
AI Pentesting Tool ‘Villager’ Merges Kali Linux with DeepSeek AI for Automated Attacks
CVE-2025-21043
Samsung Patched Critical Zero-Day Flaw Exploited in Android Attacks
Albania appoints world’s first AI minister, “Diella” to Tackle Corruption
NETXLOADER is a new .NET-based malware loader that discreetly delivers second-stage payloads such as Agenda ransomware and SmokeLoader. Trend Micro reports that it uses .NET Reactor 6 for heavy obfuscation and incorporates advanced evasion techniques.
Just-In-Time (JIT) hooking
Control flow obfuscation
Meaningless method names
These features make NETXLOADER very difficult to find and understand, even for experienced reverse engineers.
The Qilin Ransomware Threat:
Qilin, also known as Agenda, has been active since mid-2022 and has evolved over time. Its recent success is partly due to increased affiliate support following the shutdown of RansomHub, a major ransomware group.
According to Group-IB, leak site activity related to Qilin more than doubled since February 2025:
February: 48 disclosures
March: 44 disclosures
April: 45+ disclosures in the first few weeks
Attack Vectors and Targeted Sectors
Initial access is typically achieved using:
Compromised credentials
Spear-phishing campaigns
Once inside the network, NETXLOADER downloads malware that installs Agenda ransomware using a specific method.
Targeted sectors include:
Healthcare
Financial services
Technology
Telecommunications
Countries most impacted so far are the U.S., Netherlands, Brazil, India, and the Philippines.
A Call for Vigilance:
This surge underscores the need for robust cybersecurity hygiene, including:
Regular vulnerability assessments
Endpoint detection and response (EDR) solutions
Advanced email security
User training against phishing
