Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
Essential information
- Published
- 07/05/2025 20:54
- Modified
- 07/05/2025 21:13
- Tags
- .net 2025-05-07 evasion netxloader ransomware rust smokeloader
- Related entities
- 8 observables, 5 techniques (mitre), 8 others
Description
The Agenda ransomware group has expanded its capabilities by incorporating SmokeLoader malware and a new loader called NETXLOADER. NETXLOADER is a highly obfuscated .NET-based loader that utilizes advanced techniques to evade detection and complicate analysis. The group has been targeting healthcare, technology, financial services, and telecommunications sectors across multiple countries. NETXLOADER employs sophisticated methods such as JIT hooking, API obfuscation, and memory manipulation to deploy payloads like Agenda ransomware and SmokeLoader. The attack chain involves multiple stages of evasion, discovery, and command and control communications. This evolution in tactics poses increased risks of data theft and device compromise for potential targets.