NEWS Qilin Took It All: Victims, Tech, and Even People — 72 Attacks in a Month and No Sign of Slowing

ExcalibuR

Legend
LEGEND
PREMIUM
MEMBER
Joined
Jan 17, 2025
Messages
4,031
Reaction score
7,803
Deposit
11,800$
Qilin Took It All: Victims, Tech, and Even People — 72 Attacks in a Month and No Sign of Slowing
1746851372187.png

One loader outsmarted hundreds of antivirus tools, turning infections into an epidemic.


The Qilin ransomware group, also known as Agenda, topped the list of the most active ransomware operators in April 2025, publishing data on 72 victims on its leak site. According to Group-IB, this is a record-breaking figure: from July 2024 to January 2025, monthly disclosures rarely exceeded 23, but activity spiked in February (48 victims), continued in March (44), and surged again in April.


The sudden disappearance of rival group RansomHub—previously the second most prolific ransomware operator—triggered a migration of affiliates to Qilin, fueling their exponential growth. Flashpoint reports that RansomHub had targeted 38 financial organizations between April 2024 and April 2025 before vanishing.


Qilin’s operations are distinguished by a new malware toolchain combining the well-known SmokeLoader with a new .NET-based loader dubbed NETXLOADER.


Trend Micro researchers analyzed NETXLOADER in detail and identified it as a key component in the deployment of Qilin’s payloads, including Agenda and SmokeLoader itself. The loader stealthily installs malware, is obfuscated using .NET Reactor v6, and employs various anti-analysis techniques.


NETXLOADER is highly resistant to reverse engineering: its code is encrypted, method names are meaningless, and its execution flow is convoluted. It uses advanced evasion tactics such as JIT hooking and in-memory DLL injection, making static analysis or string matching nearly impossible. In essence, the loader’s behavior can only be understood in a live environment.


Attack chains typically begin with phishing or compromised accounts, followed by NETXLOADER infection. It then deploys SmokeLoader, which runs anti-VM checks, disables select processes, and performs sandbox evasion. Finally, SmokeLoader retrieves a second instance of NETXLOADER from a C2 server, which then uses Reflective DLL Loading to inject the Agenda ransomware directly into memory—without touching the disk.


Agenda is used to target network domains, external drives, storage systems, and vCenter ESXi hypervisors. Trend Micro notes that the most frequent victims belong to healthcare, finance, telecommunications, and IT infrastructure sectors in countries like the US, India, Brazil, the Philippines, and the Netherlands.


As its victim count and technical sophistication grow, Qilin continues to solidify its status as one of the most advanced ransomware operators in the cybercrime ecosystem.