Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
While monitoring Agenda (Qilin) ransomware activity, campaigns were uncovered that delivered the SmokeLoader malware and a newly identified loader named NETXLOADER. The addition of these tools to Agenda's arsenal shows the group continuing to evolve its delivery mechanisms and evasion capabilities. NETXLOADER is a .NET-based loader that relies on obfuscation and retrieves its payload dynamically at runtime, while SmokeLoader provides modular post-exploitation capabilities. The research documents the full kill chain, from initial access through loader deployment to ransomware execution.
Related Research
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
Discovered Agenda ransomware deploying Linux variants on Windows systems via remote management tools and BYOVD techniques for cross-platform evasion.
Agenda Ransomware Exploits MeshAgent and WSL for Cross-Platform Attacks
Agenda ransomware observed abusing MeshAgent and Windows Subsystem for Linux (WSL) to deploy Linux payloads on Windows systems, a further step in the group's cross-platform sophistication.
Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma
First discovery of Play ransomware's Linux variant targeting ESXi, with infrastructure ties to Prolific Puma link-shortening service.
Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
Documented Cerber ransomware operators rapidly weaponizing CVE-2023-22518 in Atlassian Confluence for initial access and encryption deployment.