InfoSecBulletin Cybersecurity for mankind
The cyber threat landscape is rapidly changing, with a notable increase in ransomware activity in April 2025, driven by the Qilin ransomware group. They exploited the NETXLOADER malware loader and SmokeLoader, causing 45 confirmed data breaches in a matter of weeks, surpassing major rivals like Akira, Play, and Lynx.
What Is NETXLOADER?
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
NETXLOADER is a new .NET-based malware loader that discreetly delivers second-stage payloads such as Agenda ransomware and SmokeLoader. Trend Micro reports that it uses .NET Reactor 6 for heavy obfuscation and incorporates advanced evasion techniques.
Just-In-Time (JIT) hooking
Control flow obfuscation
Meaningless method names
These features make NETXLOADER very difficult to find and understand, even for experienced reverse engineers.
The Qilin Ransomware Threat:
Qilin, also known as Agenda, has been active since mid-2022 and has evolved over time. Its recent success is partly due to increased affiliate support following the shutdown of RansomHub, a major ransomware group.
According to Group-IB, leak site activity related to Qilin more than doubled since February 2025:
February: 48 disclosures
March: 44 disclosures
April: 45+ disclosures in the first few weeks
Attack Vectors and Targeted Sectors
Initial access is typically achieved using:
Compromised credentials
Spear-phishing campaigns
Once inside the network, NETXLOADER downloads malware that installs Agenda ransomware using a specific method.
Targeted sectors include:
Healthcare
Financial services
Technology
Telecommunications
Countries most impacted so far are the U.S., Netherlands, Brazil, India, and the Philippines.
A Call for Vigilance:
This surge underscores the need for robust cybersecurity hygiene, including:
Regular vulnerability assessments
Endpoint detection and response (EDR) solutions
Advanced email security
User training against phishing
