Agenda Ransomware Group Upgraded Their Arsenal With SmokeLoader and NETXLOADER

In a significant evolution of their attack capabilities, the Agenda ransomware group has recently incorporated SmokeLoader malware and a new .NET-based loader dubbed NETXLOADER into their arsenal.
This development, observed in campaigns initiated during November 2024, marks a substantial upgrade in the threat actor’s technical sophistication and ability to evade detection mechanisms while maximizing the impact of their attacks.
According to recent attack data from the first quarter of 2025, Agenda ransomware has primarily targeted organizations in healthcare, technology, financial services, and telecommunications sectors.
The geographical scope of these attacks spans multiple countries including the United States, the Netherlands, Brazil, India, and the Philippines.
Notably, the ransomware itself has undergone a transformation from being developed in the Go programming language to Rust, incorporating advanced features such as remote execution and enhanced propagation capabilities within virtual environments.
Trend Micro researchers identified that this new attack chain utilizes SmokeLoader as an intermediate payload, while NETXLOADER serves as the initial stage loader that facilitates the deployment of subsequent malicious components.
“The new loader poses an increased risk of sensitive data theft and device compromise to targets due to its stealthy behavior,” noted the research team in their comprehensive analysis released on May 7, 2025.
The emergence of NETXLOADER is tied to a sprawling infrastructure of malicious domains designed to evade detection.
Threat actors leverage disposable, dynamically generated domains such as bloglake7[.]cfd, mxbook17[.]cfd, and mxblog77[.]cfd to host payloads, often masquerading as benign blog-related services.
These domains follow a distinct pattern, combining words with randomized numbers and low-reputation top-level domains to create transient hosting platforms.
The attack chain begins with NETXLOADER, progresses through SmokeLoader, and culminates with the deployment of Agenda ransomware, creating a multi-stage infection process that maximizes stealth while ensuring effective payload delivery and execution.
Analysis of NETXLOADER
NETXLOADER represents a significant advancement in loader technology, protected with .NET Reactor 6 obfuscation that employs control flow obfuscation, anti-tamper, and anti-ILDASM features, making reverse engineering extremely challenging.
The loader dynamically loads an assembly from a decrypted resource, then iterates through its types to invoke methods with obfuscated names using reflection.
A key characteristic of NETXLOADER is its use of JIT hooking techniques, specifically targeting the compileMethod() function of the clrjit.dll library.
It hooks into this function to dynamically replace placeholder methods with actual MSIL bytecode at runtime, effectively evading traditional detection mechanisms.
The loader’s code structure, as decompiled, reveals its evasion techniques:

```csharp
using System;
using System.Reflection;

// Token: 0x06000002 RID: 2 RVA: 0x000020B4 File Offset: 0x00000284
public static void Main()
{
    string username = Environment.UserName;
    Assembly assembly = null;
    try
    {
        // First attempt: load an assembly whose name matches the current user name.
        assembly = Assembly.Load(username);
    }
    catch
    {
        // Fallback: decrypt the embedded resource via the obfuscated helper
        // (Kjeeqlm.Duivbgikpyx() is not part of this excerpt) and load it from memory.
        assembly = Assembly.Load(Kjeeqlm.Duivbgikpyx().Decrypt());
    }
    // Walk every type in the loaded assembly and invoke the method with the
    // obfuscated name "c0AqjVLHS" through reflection, swallowing any failure.
    Type[] types = assembly.GetTypes();
    for (int i = 0; i < types.Length; i++)
    {
        Type type = types[i];
        if (!(type == null) && !type.IsEnum)
        {
            try
            {
                type.InvokeMember("c0AqjVLHS", BindingFlags.InvokeMethod, null, null, null);
            }
            catch
            {
            }
        }
    }
}
```
Once the resource has been decrypted, NETXLOADER uses AES to decrypt the embedded payload and then decompresses it with GZipStream.
The decompressed payload contains shellcode that ultimately leads to the execution of SmokeLoader, which in turn downloads and executes the Agenda ransomware.
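The AES-then-GZip unpacking stage described above, reimplemented as an added analyst-side example in Go (not the page's or Trend Micro's code). AES-CBC with PKCS7 padding is an assumption (the .NET default); the key, IV and payload are constructed test values, and packPayload exists only to build such a blob so the example runs offline.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"io"
)

// unpackPayload reverses the report's two stages: AES decrypt, then GZip inflate. AES-CBC/PKCS7 is assumed (the .NET default); key, IV and mode are sample-specific.
func unpackPayload(key, iv, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a block multiple", len(blob))
	}
	plain := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, blob)
	pad := int(plain[len(plain)-1]) // PKCS7: the last byte gives the padding length
	if pad < 1 || pad > aes.BlockSize {
		return nil, fmt.Errorf("invalid PKCS7 padding byte %d", pad)
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain[:len(plain)-pad]))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(io.LimitReader(zr, 64<<20)) // cap output: a hostile blob must not exhaust memory
}

// packPayload builds a constructed test blob the same way (gzip, then AES-CBC/PKCS7) so the example runs offline.
func packPayload(key, iv, payload []byte) []byte {
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	w.Write(payload)
	w.Close()
	pad := aes.BlockSize - gz.Len()%aes.BlockSize
	padded := append(gz.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}
func main() {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed test values
	fmt.Println(unpackPayload(key, iv, packPayload(key, iv, []byte("stage-2 placeholder"))))
}
```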
The malware distribution is carefully orchestrated, with the executables adopting standardized naming conventions on victim systems.
For example, files with pseudo-random names like rh10j0n.exe are simplified to a standard format with a two- to three-letter prefix followed by 111.exe, creating a false sense of legitimacy while decoupling the payload’s identity from its filename.
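An added hunting example in Go (not from the article or its sources) that turns two of the indicators described on this page into checks: the word+digits+low-reputation-TLD domain scheme from the infrastructure section and the prefix+111.exe file-naming scheme from the paragraph above. The TLDs beyond .cfd, the regex bounds and the "<time> <host> <name>" DNS log format are assumptions, and the log lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Low-reputation TLDs to treat as suspicious: .cfd is the one named in the report; the
// others are an assumed extension and should be tuned to the environment.
var suspiciousTLDs = map[string]bool{"cfd": true, "sbs": true, "cyou": true}

// Observed naming scheme: a short dictionary-like word, one to three digits, then the TLD.
var transientDomainRe = regexp.MustCompile(`^([a-z]{3,12})([0-9]{1,3})\.([a-z]+)$`)

// Renamed payload scheme from the report: a two- or three-letter prefix, then 111.exe.
var renamedPayloadRe = regexp.MustCompile(`^[a-z]{2,3}111\.exe$`)

// isTransientDomain reports whether a name follows the word+digits+low-reputation-TLD scheme.
func isTransientDomain(domain string) bool {
	m := transientDomainRe.FindStringSubmatch(strings.ToLower(strings.TrimSuffix(domain, ".")))
	return m != nil && suspiciousTLDs[m[3]]
}

// isRenamedPayload reports whether an executable name matches the <prefix>111.exe scheme.
func isRenamedPayload(name string) bool {
	return renamedPayloadRe.MatchString(strings.ToLower(name))
}

// huntDNSLog returns the queried names in "<time> <host> <name>" lines that match the scheme.
func huntDNSLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		if f := strings.Fields(line); len(f) >= 3 && isTransientDomain(f[2]) {
			hits = append(hits, f[2])
		}
	}
	return hits
}

func main() {
	// Constructed sample DNS log lines (not real telemetry).
	sample := []string{
		"2024-11-12T09:14:02Z ws-042 bloglake7.cfd",
		"2024-11-12T09:14:05Z ws-042 www.example.com",
		"2024-11-12T09:15:11Z ws-017 mxbook17.cfd",
		"2024-11-12T09:16:40Z ws-017 news2024.com",
	}
	fmt.Println(huntDNSLog(sample), isRenamedPayload("ab111.exe"), isRenamedPayload("rh10j0n.exe"))
}
```

Both checks are deliberately narrow pattern matches meant as a starting point for a hunt, so expect to tune the TLD list and length bounds against local false positives.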
The post Agenda Ransomware Group Upgraded Their Arsenal With SmokeLoader and NETXLOADER appeared first on Cyber Security News.