Headlines warning about massive cyberattacks are becoming increasingly common, yet few clearly explain how a single well-orchestrated operation can lead to dozens of breaches within just weeks. In April 2025, the ransomware group Qilin (also known as Agenda) emerged as one of the most active and dangerous players on the global stage, executing highly targeted attacks against critical sectors such as healthcare, education, and manufacturing.
But this rise didn’t happen in isolation. Behind its effectiveness lies a combination of tools that includes the SmokeLoader malware and a previously undocumented .NET loader called NETXLOADER. Discovered by Trend Micro researchers, this component silently stages hard-to-detect payloads while resisting analysis, because it is protected with the commercial .NET Reactor 6 obfuscator.
Qilin, active since 2022 and continuously evolving, relies on these resources to enhance its extortion and sabotage capabilities. Understanding how these mechanisms work is not only essential to grasp the magnitude of the threat but also critical to taking concrete steps to strengthen our defenses against increasingly sophisticated attacks.
Qilin Surges in 2025: The Most Active Ransomware Group Right Now
According to recent data from Group-IB, the Qilin ransomware group has doubled the number of leaks published on its site since February 2025, making it the most active group in April and surpassing other well-known groups such as Akira, Play, and Lynx.
Between July 2024 and January 2025, its affiliates rarely exposed more than 23 companies per month. That changed this year: 48 breaches in February, 44 in March, and 45 in just the first weeks of April. That pace makes clear that Qilin is not merely active; it is operating at full capacity.
Qilin also appears to have absorbed a wave of new affiliates after the sudden shutdown, at the start of April, of another highly active ransomware operation, RansomHub. That group alone impacted 38 victims in the financial sector between April 2024 and April 2025, so it is plausible that several of its affiliates looked for a new “home” from which to continue their campaigns. With infrastructure already in place and mature tooling, Qilin was an obvious candidate.
In the first quarter of 2025, Qilin’s ransomware activity focused on key sectors such as healthcare, technology, financial services, and telecommunications, primarily targeting organizations in the United States, the Netherlands, Brazil, India, and the Philippines.
What Is NETXLOADER?
A critical piece in this puzzle is NETXLOADER, a highly evasive loader whose job is to fetch payloads from attacker-controlled servers, such as bloglake7[.]cfd. Once running, it drops follow-on malware such as SmokeLoader and the Agenda (Qilin) ransomware itself, rapidly escalating the intrusion.
What makes NETXLOADER hard to detect is how it is built. It is protected with .NET Reactor 6, a commercial .NET obfuscator, and layers on randomly generated identifiers, control-flow obfuscation, and manipulation of the host process just before the payload runs. Static analysis of the binary yields little; its real behavior only becomes visible when it is executed and examined in memory.
Attacks typically begin with phishing or the use of valid credentials to obtain initial access. Once inside, NETXLOADER installs itself on the target machine and deploys SmokeLoader, which runs anti-analysis checks (detecting sandboxes and virtualization) and terminates specific processes to pave the way for ransomware deployment.
In the final stage, SmokeLoader connects to a remote server, re-downloads NETXLOADER, and this time launches Qilin via reflective DLL loading: the ransomware is mapped and executed directly in the loader’s memory, so the payload is never written to disk as a file and file-based scanning never sees it.
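The chain above leaves two artefacts a defender can hunt for: a DNS lookup of the loader’s download domain, and a process holding a private (not file-backed) executable memory region that still begins with a PE header, which is what a reflectively loaded DLL looks like when the loader has not scrubbed its header. The script below is an added example, not code from the article, Trend Micro or Group-IB. The only real indicator it uses is the domain the article names (bloglake7[.]cfd); the DNS log format, process names, PIDs and memory-region snapshot are constructed for illustration, standing in for what an EDR or a memory-forensics tool would export.

```python
"""Hunt for two artefacts of a loader -> reflective-DLL chain.

Added example. Only bloglake7[.]cfd comes from the article; every log line,
path, PID and memory region below is constructed for illustration.
"""
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Defanged indicator taken from the article.
C2_DOMAINS_DEFANGED = ["bloglake7[.]cfd"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d).lower() for d in C2_DOMAINS_DEFANGED}


@dataclass
class MemRegion:
    """One committed region of a process, as a memory scan would report it."""
    pid: int
    base: int
    protect: str                 # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]   # None = private memory, not backed by a file
    head: bytes                  # first bytes of the region


def has_pe_header(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_reflectively_loaded(region: MemRegion) -> bool:
    """A normally loaded DLL is mapped from a file on disk. A reflectively loaded
    one sits in private executable memory and usually still carries a PE header."""
    return ("EXECUTE" in region.protect
            and region.mapped_file is None
            and has_pe_header(region.head))


# Constructed DNS telemetry format: "<timestamp> pid=<n> image=<path> query=<name>"
DNS_LINE = re.compile(r"pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+query=(?P<query>\S+)")


def c2_lookups(log_lines):
    """(pid, image, query) for every lookup of a C2 domain or one of its subdomains."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        q = m["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            hits.append((int(m["pid"]), m["image"], q))
    return hits


def hunt(regions, log_lines):
    """Correlate both signals: processes that resolved the C2 AND hold an unbacked PE image."""
    lookups = c2_lookups(log_lines)
    reflective = [r for r in regions if is_reflectively_loaded(r)]
    return {
        "c2_lookups": lookups,
        "reflective_regions": [(r.pid, hex(r.base)) for r in reflective],
        "both": sorted({pid for pid, _, _ in lookups} & {r.pid for r in reflective}),
    }


def fake_pe_image() -> bytes:
    """Constructed minimal PE stub: DOS header with e_lfanew = 0x40, then the PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample telemetry (not real logs).
SAMPLE_DNS = [
    "2025-04-14T10:22:31Z pid=4412 image=C:\\Users\\Public\\svc.exe query=bloglake7.cfd",
    "2025-04-14T10:22:35Z pid=4412 image=C:\\Users\\Public\\svc.exe query=cdn.bloglake7.cfd.",
    "2025-04-14T10:22:40Z pid=1204 image=C:\\Windows\\System32\\svchost.exe query=login.microsoftonline.com",
]

SAMPLE_REGIONS = [
    # svchost with a legitimately mapped ntdll: file-backed, so benign
    MemRegion(1204, 0x7FF800000000, "PAGE_EXECUTE_READ", "C:\\Windows\\System32\\ntdll.dll", fake_pe_image()),
    # private RWX region in the suspicious process that still carries a PE header
    MemRegion(4412, 0x1C3A0000, "PAGE_EXECUTE_READWRITE", None, fake_pe_image()),
    # private RWX region without a PE header (e.g. JIT code): not flagged by this rule
    MemRegion(4412, 0x1C4B0000, "PAGE_EXECUTE_READWRITE", None, b"\x48\x89\x5c\x24\x08" + b"\x00" * 70),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_REGIONS, SAMPLE_DNS))
```

Two caveats when applying this for real. First, the memory heuristic is the same idea Volatility’s malfind uses, and it has the same blind spot: a loader that overwrites the MZ/PE header after mapping the image will not be caught by the header check, so treat private executable memory in a process that also resolved a known C2 as suspicious even when the header is gone. Second, match DNS indicators on the domain and its subdomains, as above, rather than on an exact string; the article only names the apex domain.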
Qilin itself matches this level of sophistication. The group behind it continually adds features to maximize impact. Its targets typically include entire networks, mounted drives, storage systems, and virtualization environments such as VMware ESXi. Everything is designed to cause the greatest possible disruption.
Conclusion
What happened in April with Qilin isn’t just another number in the stats—it’s a clear warning sign. Ransomware is not a future threat; it’s a current reality. And as these groups become more organized and use increasingly sophisticated tools, we can’t afford to lag behind. Protection is no longer optional—it’s essential to keep operations running, safeguard critical information, and prevent damage that goes far beyond financial loss.
The good news? There are ways to get ahead of the problem. At TecnetOne, we offer TecnetProtect, a comprehensive cybersecurity solution that includes automated backups, active ransomware protection, disaster recovery, and AI-powered behavior analysis to detect suspicious activity before it’s too late—all from a single console.
This isn’t just about avoiding ransom payments; it’s about keeping your business running smoothly, protecting your customers, and sleeping soundly knowing your data (and your business) are safe.