In a significant evolution of their attack capabilities, the Agenda ransomware group has recently incorporated SmokeLoader malware and a new .NET-based loader dubbed NETXLOADER into their arsenal. Trend Micro researchers identified that this new attack chain uses SmokeLoader as an intermediate payload, while NETXLOADER serves as the initial-stage loader that facilitates the deployment of subsequent malicious components.

The attack chain begins with NETXLOADER, progresses through SmokeLoader, and culminates in the deployment of Agenda ransomware, creating a multi-stage infection process that maximizes stealth while ensuring effective payload delivery and execution. NETXLOADER represents a significant advancement in loader technology: it is protected with .NET Reactor 6 obfuscation, which employs control flow obfuscation, anti-tamper, and anti-ILDASM features, making reverse engineering extremely challenging. The decompressed payload contains shellcode that ultimately leads to the execution of SmokeLoader, which in turn downloads and executes the Agenda ransomware.

This development, observed in campaigns initiated during November 2024, marks a substantial upgrade in the threat actor's technical sophistication and ability to evade detection mechanisms while maximizing the impact of their attacks. According to recent attack data from the first quarter of 2025, Agenda ransomware has primarily targeted organizations in the healthcare, technology, financial services, and telecommunications sectors. "The new loader poses an increased risk of sensitive data theft and device compromise to targets due to its stealthy behavior," noted the research team in their comprehensive analysis released on May 7, 2025.

Notably, the ransomware itself has been rewritten from the Go programming language to Rust, incorporating advanced features such as remote execution and enhanced propagation capabilities within virtual environments. Threat actors leverage disposable, dynamically generated domains such as bloglake7[.]cfd, mxbook17[.]cfd, and mxblog77[.]cfd to host payloads, often masquerading as benign blog-related services.
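The payload-hosting domains above are the only indicators the article quotes, and they are published in defanged form. The following added example (not code from Trend Micro or from the article) shows how a defender would refang those indicators and sweep them across DNS query logs, flagging exact matches against the listed domains and, as a lower-confidence triage signal, any other lookup under the same `.cfd` TLD the campaign favors. The log line format and the sample lines are constructed for the example; adapt the regular expression to the resolver or proxy format actually in use.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators quoted in the article, kept in the defanged form in which they were published.
DEFANGED_IOCS = ["bloglake7[.]cfd", "mxbook17[.]cfd", "mxblog77[.]cfd"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]tld' into a matchable 'example.tld'."""
    return indicator.replace("[.]", ".").strip().lower()


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_IOCS}
# TLDs seen in the known indicators ({"cfd"}); used only as a low-confidence heuristic.
WATCHED_TLDS = {d.rsplit(".", 1)[-1] for d in KNOWN_DOMAINS}

# Constructed log format (assumption): "<timestamp> <client-ip> query: <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query: (?P<qname>\S+)\s*$")


@dataclass
class Hit:
    timestamp: str
    source: str
    domain: str
    reason: str  # "known_ioc" (exact or subdomain match) or "watched_tld" (heuristic)


def match_domain(qname: str) -> Optional[str]:
    """Classify a queried name; returns the match reason or None when it is not of interest."""
    domain = qname.rstrip(".").lower()  # strip the trailing dot of a fully qualified name
    if domain in KNOWN_DOMAINS or any(domain.endswith("." + k) for k in KNOWN_DOMAINS):
        return "known_ioc"
    if domain.rsplit(".", 1)[-1] in WATCHED_TLDS:
        return "watched_tld"
    return None


def scan_dns_log(lines: List[str]) -> List[Hit]:
    """Run the indicator match over log lines, skipping lines that do not parse."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = match_domain(m["qname"])
        if reason:
            hits.append(Hit(m["ts"], m["src"], m["qname"].rstrip(".").lower(), reason))
    return hits


# Constructed sample log lines for demonstration; the IPs and timestamps are made up.
SAMPLE_LOG = """\
2025-05-07T10:01:02Z 10.0.0.15 query: bloglake7.cfd.
2025-05-07T10:01:05Z 10.0.0.15 query: cdn.example.com.
2025-05-07T10:02:11Z 10.0.0.22 query: MXBOOK17.CFD
2025-05-07T10:03:40Z 10.0.0.31 query: newsite42.cfd
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.source} -> {hit.domain} [{hit.reason}]")
```

Exact-indicator hits warrant immediate investigation of the querying host for NETXLOADER or SmokeLoader activity; the `watched_tld` hits are only a prioritization aid, since the domains are disposable and the next campaign will use names not on any list.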
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 08 May 2025 01:44:59 +0000