Threat actors linked to the Qilin ransomware group have been observed deploying a new .NET-based loader, dubbed NETXLOADER, alongside the malware SmokeLoader in a campaign detected in November 2024. According to Trend Micro, NETXLOADER is a stealthy tool protected by .NET Reactor 6, used to deploy additional payloads like Agenda ransomware and SmokeLoader, making it difficult to analyze. Qilin, also known as Agenda, has been active since July 2022 and saw a surge in activity in early 2025. Group-IB reports that Qilin's data leak disclosures more than doubled since February, with 72 claimed victims in April alone, surpassing groups like Akira and Play.

‍