Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal www.trendmicro.com/en_us/res…

This blog entry details research on the Agenda ransomware group’s use of SmokeLoader and a new loader, which we named NETXLOADER. The new loader poses an increased risk of sensitive data theft and device compromise to targets due to its stealthy behavior.

In the first quarter of 2025, Agenda ransomware activity has been observed in healthcare, technology, financial services, and telecommunications sectors across the US, the Netherlands, Brazil, India, and the Philippines.

Trend Vision One™ detects and blocks the malicious components, including Agenda ransomware, SmokeLoader, and NETXLOADER, used in the campaigns discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Agenda ransomware.