Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal

May 7, 2025, 9:13 p.m.

Description

The Agenda ransomware group has expanded its capabilities by incorporating SmokeLoader malware and a new loader called NETXLOADER. NETXLOADER is a highly obfuscated .NET-based loader that utilizes advanced techniques to evade detection and complicate analysis. The group has been targeting healthcare, technology, financial services, and telecommunications sectors across multiple countries. NETXLOADER employs sophisticated methods such as JIT hooking, API obfuscation, and memory manipulation to deploy payloads like Agenda ransomware and SmokeLoader. The attack chain involves multiple stages of evasion, discovery, and command and control communications. This evolution in tactics poses increased risks of data theft and device compromise for potential targets.

External References

https://documents.trendmicro.com/assets/txt/NETXLOADER-IOCsy4h6Kis.txt
https://www.trendmicro.com/en_us/research/25/e/agenda-ransomware-group-adds-smokeloader-and-netxloader-to-their.html
https://otx.alienvault.com/pulse/681bc89f39996f610a89a741
Tags
ransomware
evasion
rust
smokeloader
.net
2025-05-07
netxloader

Date

  • Created: May 7, 2025, 8:54 p.m.
  • Published: May 7, 2025, 8:54 p.m.
  • Modified: May 7, 2025, 9:13 p.m.

Indicators

  • serverlogs295.xyz
  • servblog475.cfd
  • pzh1966.com
  • mxblog77.cfd
  • demblog797.xyz
  • blogmstat599.xyz
  • bloglogs757.cfd
  • admlogs457.cfd
Download all indicators here!

Attack Patterns

Additional Informations

  • Technology
  • Healthcare
  • Telecommunications
  • India
  • Netherlands
  • Philippines
  • Brazil
  • United States of America