Date: 05/08/2025
Severity: Medium
Summary
The Agenda ransomware group, also known as Qilin, has continued to evolve since its emergence in 2022, shifting its ransomware development from Go to Rust and incorporating advanced evasion, propagation, and remote execution capabilities. In a recent campaign, the group deployed SmokeLoader alongside a newly discovered .NET-based loader called NETXLOADER, which is protected with .NET Reactor 6 to hinder analysis. Targeting sectors such as healthcare, technology, finance, and telecommunications across multiple countries, this activity highlights Agenda's growing sophistication and expanded toolset for delivering multi-stage attacks.
Indicators of Compromise (IOC) List
URL/Domain | http://serverlogs295.xyz/statweb255/index.php
URL/Domain | http://servblog475.cfd/statweb255/index.php
URL/Domain | http://demblog797.xyz/statweb255/index.php
URL/Domain | http://admlogs457.cfd/statweb255/index.php
URL/Domain | http://blogmstat599.xyz/statweb255/index.php
URL/Domain | http://bloglogs757.cfd/statweb255/index.php
URL/Domain | http://pzh1966.com/statweb255/index.php
URL/Domain | http://mxblog77.cfd/777/
Hash (SHA-1) | 4684aa8ab09a70d0e25139286e1178c02b15920b
Hash (SHA-1) | f995ec5d88afab30f9efb62ea3b30e1e1b62cdc3
Hash (SHA-1) | 05bf016c137230bfdc6eaae95b75a56aff76799d
Hash (SHA-1) | Bdf33e2ba85f35ea86fb016620371fe80855fe68
Hash (SHA-1) | 16b776ff80f08105b362f9bc76c73a21c51664c2
Hash (SHA-1) | 1399e63d4662076eeed3b4498c2f958c611a4387
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | domainname like "http://serverlogs295.xyz/statweb255/index.php" or siteurl like "http://serverlogs295.xyz/statweb255/index.php" or url like "http://serverlogs295.xyz/statweb255/index.php" or domainname like "http://admlogs457.cfd/statweb255/index.php" or siteurl like "http://admlogs457.cfd/statweb255/index.php" or url like "http://admlogs457.cfd/statweb255/index.php" or domainname like "http://servblog475.cfd/statweb255/index.php" or siteurl like "http://servblog475.cfd/statweb255/index.php" or url like "http://servblog475.cfd/statweb255/index.php" or domainname like "http://bloglogs757.cfd/statweb255/index.php" or siteurl like "http://bloglogs757.cfd/statweb255/index.php" or url like "http://bloglogs757.cfd/statweb255/index.php" or domainname like "http://blogmstat599.xyz/statweb255/index.php" or siteurl like "http://blogmstat599.xyz/statweb255/index.php" or url like "http://blogmstat599.xyz/statweb255/index.php" or domainname like "http://demblog797.xyz/statweb255/index.php" or siteurl like "http://demblog797.xyz/statweb255/index.php" or url like "http://demblog797.xyz/statweb255/index.php" or domainname like "http://pzh1966.com/statweb255/index.php" or siteurl like "http://pzh1966.com/statweb255/index.php" or url like "http://pzh1966.com/statweb255/index.php" or domainname like "http://mxblog77.cfd/777/" or siteurl like "http://mxblog77.cfd/777/" or url like "http://mxblog77.cfd/777/"
Detection Query 2 | hash IN ("1399e63d4662076eeed3b4498c2f958c611a4387","05bf016c137230bfdc6eaae95b75a56aff76799d","4684aa8ab09a70d0e25139286e1178c02b15920b","f995ec5d88afab30f9efb62ea3b30e1e1b62cdc3","Bdf33e2ba85f35ea86fb016620371fe80855fe68","16b776ff80f08105b362f9bc76c73a21c51664c2")
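The two queries above are exact-value matches: Query 1 compares whole URL strings with no wildcard, so a proxy record that logs the same host under a different path or with a query string appended would not hit, and Query 2 lists one hash with an uppercase first character, which misses on platforms whose IN comparison is case-sensitive against lowercase-normalized hash fields. The following is an added example (not Gurucul's or Trend Micro's code) of the same IOC sweep written to avoid both gaps: it lowercases hashes on both sides and matches at the host level when the full URL does not match. The IOC values are the ones listed in this advisory; the log lines and their field names (`url=`, `sha1=`) are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# IOC values exactly as listed in the advisory above.
IOC_URLS = {
    "http://serverlogs295.xyz/statweb255/index.php",
    "http://servblog475.cfd/statweb255/index.php",
    "http://demblog797.xyz/statweb255/index.php",
    "http://admlogs457.cfd/statweb255/index.php",
    "http://blogmstat599.xyz/statweb255/index.php",
    "http://bloglogs757.cfd/statweb255/index.php",
    "http://pzh1966.com/statweb255/index.php",
    "http://mxblog77.cfd/777/",
}
IOC_SHA1 = {
    "4684aa8ab09a70d0e25139286e1178c02b15920b",
    "f995ec5d88afab30f9efb62ea3b30e1e1b62cdc3",
    "05bf016c137230bfdc6eaae95b75a56aff76799d",
    "Bdf33e2ba85f35ea86fb016620371fe80855fe68",  # note the uppercase B in the published value
    "16b776ff80f08105b362f9bc76c73a21c51664c2",
    "1399e63d4662076eeed3b4498c2f958c611a4387",
}

# Normalized lookup sets: hex hashes are case-insensitive, so compare lowercase;
# hosts are extracted so a different path on an IOC domain still alerts.
SHA1_SET = {h.lower() for h in IOC_SHA1}
URL_SET = {u.lower() for u in IOC_URLS}
HOST_SET = {urlsplit(u).hostname for u in IOC_URLS}

SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def match_event(line):
    """Return a list of (ioc_type, normalized_value) hits found in one log line."""
    hits = []
    for raw_url in URL_RE.findall(line):
        url = raw_url.lower()
        if url in URL_SET:
            hits.append(("url", url))
        else:
            host = urlsplit(url).hostname
            if host in HOST_SET:
                hits.append(("domain", host))
    for raw_hash in SHA1_RE.findall(line):
        digest = raw_hash.lower()
        if digest in SHA1_SET:
            hits.append(("sha1", digest))
    return hits


def scan(lines):
    """Sweep a sequence of log lines; return (line_index, hit) pairs."""
    return [(i, hit) for i, line in enumerate(lines) for hit in match_event(line)]


# Constructed sample log lines (hypothetical proxy and EDR records, not from the advisory).
SAMPLE_LOGS = [
    "2025-05-08T10:12:01Z proxy src=10.0.0.5 url=http://serverlogs295.xyz/statweb255/index.php status=200",
    "2025-05-08T10:13:44Z proxy src=10.0.0.7 url=http://mxblog77.cfd/777/update.bin status=200",
    "2025-05-08T10:14:09Z edr host=WS-042 sha1=BDF33E2BA85F35EA86FB016620371FE80855FE68 image=C:\\Users\\Public\\loader.exe",
    "2025-05-08T10:15:30Z proxy src=10.0.0.9 url=https://example.com/index.php status=200",
]

if __name__ == "__main__":
    for index, (ioc_type, value) in scan(SAMPLE_LOGS):
        print(f"line {index}: {ioc_type} match on {value}")
```

The second sample line would be missed by Query 1 as written (the path differs from the listed URL) and the third would be missed by a case-sensitive Query 2; both hit here. Host-level matching raises the false-positive risk only for shared hosting, which none of the listed domains suggests, so it is the safer default for this IOC set.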
Reference:
https://www.trendmicro.com/en_us/research/25/e/agenda-ransomware-group-adds-smokeloader-and-netxloader-to-their.html