Qilin Drives April Ransom Surge With NETXLOADER Tool

Qilin-linked threat actors were responsible for a significant spike in ransomware activity in April 2025, accounting for 45 breaches, according to cybersecurity researchers. The group employed a combination of the known malware SmokeLoader and a newly identified .NET-based loader dubbed NETXLOADER in a campaign first observed in November 2024.

Researchers say NETXLOADER functions as a critical component in these attacks, enabling the deployment of ransomware payloads by establishing a foothold in compromised systems. Its use alongside SmokeLoader suggests a strategic evolution in Qilin’s tactics, aimed at enhancing persistence and evading traditional detection methods.

The April surge underscores the growing sophistication of ransomware operations and highlights the need for organizations to monitor emerging malware variants. The campaign’s reliance on newly developed tools also reflects a broader trend among ransomware groups to innovate and customize their attack methods.

More information on the campaign is available at: https://thehackernews.com/2025/05/qilin-leads-april-2025-ransomware-spike.html.
