Agenda Hackers Add NETXLOADER, SmokeLoader to Attacks
The Agenda ransomware group has enhanced its cyberattack toolkit by integrating two new components: the well-known SmokeLoader malware and a .NET-based loader dubbed NETXLOADER, according to research from Trend Micro. First spotted in campaigns launched in November 2024, the updated attack chain offers increased stealth and complexity, allowing the group to bypass detection mechanisms more effectively.
Active in the U.S., Netherlands, Brazil, India and the Philippines, Agenda has focused its attacks on the healthcare, tech, finance and telecom sectors. The ransomware has also been rewritten from Go to Rust, improving its ability to execute remotely and to propagate in virtualized environments.
NETXLOADER starts the infection, using evasion techniques such as .NET Reactor 6 obfuscation and JIT hooking, before executing SmokeLoader, which in turn deploys the ransomware. The group hosts its payloads on disposable domains with randomized names, disguised as legitimate services, and manipulates file names on infected machines to hide the malware's presence.
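The randomized, disposable hosting domains described above are something a defender can hunt for in DNS telemetry. The following is an added example, not code from Trend Micro or from the article, that scores the registrable label of each queried name with simple lexical features (Shannon entropy, vowel ratio, digit ratio) and flags names that look machine-generated. The log format, the thresholds and the sample domains (which use reserved `.test` / `.example` TLDs) are all constructed assumptions for illustration, not indicators from the report.

```python
"""Heuristic detection of randomized-looking ('disposable') domain names in DNS logs."""
import math
import re
from collections import Counter

# Constructed sample DNS query log lines for demonstration; these are not
# indicators from the Trend Micro report, and the domains use reserved TLDs.
SAMPLE_DNS_LOG = """\
2024-11-12T09:14:02Z host-17 query A updates.example-cdn.test
2024-11-12T09:14:05Z host-17 query A q7xk2mvp9t.test
2024-11-12T09:14:09Z host-22 query A mail.corp.example
2024-11-12T09:15:30Z host-17 query A zv8lq3wnd4hp.example
"""

# Assumed log layout: "<timestamp> <host> query <qtype> <fqdn>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<fqdn>\S+)$"
)

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Return the label directly left of the TLD (e.g. 'corp' for mail.corp.example).

    Assumes a single-label TLD; a production version would consult the Public Suffix List.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    return labels[-2]


def label_features(label: str) -> dict:
    """Lexical features computed over the alphanumeric characters of a label."""
    alnum = [ch for ch in label if ch.isalnum()]
    n = len(alnum)
    digits = sum(ch.isdigit() for ch in alnum)
    vowels = sum(ch in VOWELS for ch in alnum)
    return {
        "length": n,
        "entropy": shannon_entropy("".join(alnum)),
        "digit_ratio": digits / n if n else 0.0,
        "vowel_ratio": vowels / n if n else 0.0,
    }


def suspicious_reasons(label: str) -> list:
    """Thresholds are assumptions chosen for illustration; tune them against your own baseline."""
    f = label_features(label)
    reasons = []
    if f["entropy"] >= 3.5:
        reasons.append("high-entropy")
    if f["length"] >= 8 and f["vowel_ratio"] < 0.2:
        reasons.append("vowel-poor")
    if f["length"] >= 8 and f["digit_ratio"] >= 0.3:
        reasons.append("digit-heavy")
    return reasons


def flag_dns_log(log_text: str) -> list:
    """Return (host, fqdn, reasons) for every query whose registrable label looks randomized."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        fqdn = m.group("fqdn")
        reasons = suspicious_reasons(registrable_label(fqdn))
        if reasons:
            flagged.append((m.group("host"), fqdn, reasons))
    return flagged


if __name__ == "__main__":
    for host, fqdn, reasons in flag_dns_log(SAMPLE_DNS_LOG):
        print(f"{host}\t{fqdn}\t{','.join(reasons)}")
```

Lexical scoring of this kind is a triage filter rather than a verdict: short brand-like names and legitimate CDN hostnames can score high, so the flagged list is best joined with domain age, query volume per host and the process that issued the lookup before anyone acts on it.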
