Intel Name: Agenda ransomware group adds SmokeLoader and NETXLOADER to their arsenal
Date of Scan: May 8, 2025
Impact: Medium
Summary: The Agenda ransomware group, also known as Qilin, has continued to evolve since its emergence in 2022, shifting its ransomware development from Go to Rust and incorporating advanced evasion, propagation, and remote execution capabilities. In a recent campaign, the group deployed SmokeLoader alongside a newly discovered .NET-based loader called NETXLOADER, which is protected with .NET Reactor 6 to hinder analysis. Targeting sectors such as healthcare, technology, finance, and telecommunications across multiple countries, this activity highlights Agenda’s growing sophistication and expanded toolset for delivering multi-stage attacks.