Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal

    Date: 05/08/2025

    Severity: Medium

    Summary

    The Agenda ransomware group, also known as Qilin, has continued to evolve since its emergence in 2022, shifting its ransomware development from Go to Rust and incorporating advanced evasion, propagation, and remote execution capabilities. In a recent campaign, the group deployed SmokeLoader alongside a newly discovered .NET-based loader called NETXLOADER, which is protected with .NET Reactor 6 to hinder analysis. Targeting sectors such as healthcare, technology, finance, and telecommunications across multiple countries, this activity highlights Agenda’s growing sophistication and expanded toolset for delivering multi-stage attacks.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Detection Query 1

    domainname like "http://serverlogs295.xyz/statweb255/index.php" or siteurl like "http://serverlogs295.xyz/statweb255/index.php" or url like "http://serverlogs295.xyz/statweb255/index.php"
    or domainname like "http://admlogs457.cfd/statweb255/index.php" or siteurl like "http://admlogs457.cfd/statweb255/index.php" or url like "http://admlogs457.cfd/statweb255/index.php"
    or domainname like "http://servblog475.cfd/statweb255/index.php" or siteurl like "http://servblog475.cfd/statweb255/index.php" or url like "http://servblog475.cfd/statweb255/index.php"
    or domainname like "http://bloglogs757.cfd/statweb255/index.php" or siteurl like "http://bloglogs757.cfd/statweb255/index.php" or url like "http://bloglogs757.cfd/statweb255/index.php"
    or domainname like "http://blogmstat599.xyz/statweb255/index.php" or siteurl like "http://blogmstat599.xyz/statweb255/index.php" or url like "http://blogmstat599.xyz/statweb255/index.php"
    or domainname like "http://demblog797.xyz/statweb255/index.php" or siteurl like "http://demblog797.xyz/statweb255/index.php" or url like "http://demblog797.xyz/statweb255/index.php"
    or domainname like "http://pzh1966.com/statweb255/index.php" or siteurl like "http://pzh1966.com/statweb255/index.php" or url like "http://pzh1966.com/statweb255/index.php"
    or domainname like "http://mxblog77.cfd/777/" or siteurl like "http://mxblog77.cfd/777/" or url like "http://mxblog77.cfd/777/"

    Detection Query 2

    hash IN ("1399e63d4662076eeed3b4498c2f958c611a4387","05bf016c137230bfdc6eaae95b75a56aff76799d","4684aa8ab09a70d0e25139286e1178c02b15920b","f995ec5d88afab30f9efb62ea3b30e1e1b62cdc3","Bdf33e2ba85f35ea86fb016620371fe80855fe68","16b776ff80f08105b362f9bc76c73a21c51664c2")
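    To show what the two queries above actually match, here is an added Python example (not Gurucul's query engine and not code from the advisory) that applies the same logic to constructed sample events. The field names domainname, siteurl, url and hash are taken from the queries; the example goes one step beyond Query 1 by also flagging a known indicator host reached under a different path, and it folds hash case because the published list mixes it.

```python
from urllib.parse import urlsplit

# Indicators from this advisory; hashes are case-folded since the list mixes case.
IOC_URLS = {
    "http://serverlogs295.xyz/statweb255/index.php",
    "http://servblog475.cfd/statweb255/index.php",
    "http://demblog797.xyz/statweb255/index.php",
    "http://admlogs457.cfd/statweb255/index.php",
    "http://blogmstat599.xyz/statweb255/index.php",
    "http://bloglogs757.cfd/statweb255/index.php",
    "http://pzh1966.com/statweb255/index.php",
    "http://mxblog77.cfd/777/",
}
IOC_HASHES = {h.lower() for h in (
    "4684aa8ab09a70d0e25139286e1178c02b15920b",
    "f995ec5d88afab30f9efb62ea3b30e1e1b62cdc3",
    "05bf016c137230bfdc6eaae95b75a56aff76799d",
    "Bdf33e2ba85f35ea86fb016620371fe80855fe68",
    "16b776ff80f08105b362f9bc76c73a21c51664c2",
    "1399e63d4662076eeed3b4498c2f958c611a4387",
)}
# Host of each URL indicator, so the same host under a new path is still flagged.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}
URL_FIELDS = ("domainname", "siteurl", "url")  # the fields Query 1 inspects

def match_event(event: dict) -> list:
    """Return the reasons an event matches the advisory's IOCs ([] if clean)."""
    hits = []
    for field in URL_FIELDS:
        value = event.get(field, "")
        if value in IOC_URLS:  # exact URL match, as in Detection Query 1
            hits.append(f"{field}=url:{value}")
        elif value:  # a bare hostname (no scheme) comes back from urlsplit as a path
            host = (urlsplit(value).hostname or value).lower()
            if host in IOC_HOSTS:
                hits.append(f"{field}=host:{host}")
    digest = event.get("hash")
    if digest and digest.lower() in IOC_HASHES:  # Detection Query 2, case-folded
        hits.append(f"hash:{digest.lower()}")
    return hits

# Constructed sample events (not from the advisory); only the last is clean.
SAMPLE_EVENTS = [
    {"url": "http://mxblog77.cfd/777/", "hash": "0" * 40},
    {"siteurl": "https://pzh1966.com/statweb255/other.php"},
    {"hash": "BDF33E2BA85F35EA86FB016620371FE80855FE68"},
    {"url": "https://example.com/index.php", "hash": "1" * 40},
]
for idx, reasons in enumerate(map(match_event, SAMPLE_EVENTS)):
    print(idx, reasons or "clean")
```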

    Reference:  

    https://www.trendmicro.com/en_us/research/25/e/agenda-ransomware-group-adds-smokeloader-and-netxloader-to-their.html


    Tags

    Malware, Threat Actor, Ransomware, Qilin, SmokeLoader, NETXLOADER, Healthcare and Public Health, Information Technology, Financial Services, Communications
