Qilin Ransomware Fuels April 2025 Spike with 45 Breaches Using NETXLOADER
Explore the surge in ransomware attacks led by Qilin in April 2025, utilizing NETXLOADER malware to compromise systems. Learn about the tactics and impact of these breaches.
TL;DR
In April 2025, the Qilin ransomware group accounted for a sharp spike in reported attacks, claiming 45 victim organizations. Its recent intrusions use NETXLOADER, a newly documented .NET-based loader deployed alongside SmokeLoader; the loader campaign has been observed since November 2024.
Introduction
In April 2025, ransomware activity rose sharply, with the Qilin group at the front of the pack. The group has been tied to a series of high-profile breaches and combines established tooling with newly documented malware. One of the key components in its recent campaign is NETXLOADER, a .NET-based loader that delivers the later stages of the attack.
The Qilin Ransomware Campaign
Overview of Qilin Ransomware
Qilin is a ransomware-as-a-service operation that has been active since August 2022. First documented by Trend Micro, the group has been linked to attacks on healthcare institutions and corporate targets. Its ransomware was originally written in Go and later rewritten in Rust.
The Role of NETXLOADER
NETXLOADER is a newly documented .NET-based loader that has become a central tool in Qilin’s arsenal. It was first observed in a campaign that began in November 2024, where it was deployed together with SmokeLoader to gain a foothold and stage the ransomware payload. This pairing has been linked to the spike in Qilin attacks recorded in April 2025.
Key Breaches and Impact
Qilin’s April 2025 activity accounted for 45 documented victims across sectors including healthcare, manufacturing, and construction. Notable breaches attributed to the group include:
- Thornburi Energy Storage Systems: A battery manufacturer in Thailand that suffered significant operational disruptions.
- WT Partnership Asia: A construction consultancy firm that experienced data theft and operational downtime.
- Yanfeng: A Chinese car parts manufacturer whose breach disrupted production at the US car maker Stellantis.
- Upper Merion Township: A local government in the United States that had 500 GB of data stolen, including sensitive information on staff and private contracts.
- Felda Global Ventures Holdings Berhad: A Malaysian company that faced a severe data breach.
- The Big Issue: A UK-based charity that had 550 GB of data stolen, including personnel information and partner data.
- Skender Construction: A US business that had 651 GB of data stolen, impacting 1,067 individuals with compromised personal and financial information.
- London hospitals: Several NHS healthcare institutions that declared critical incidents after a ransomware attack affected their systems.
Tactics and Techniques
Qilin gains initial access through a mix of social engineering, phishing, and exploitation of vulnerabilities in exposed software. The group runs a ransomware-as-a-service model in which affiliates keep most of each ransom payment, typically around 80 to 85%, which makes the scheme attractive to affiliates and sustains a steady flow of attacks.
Conclusion
The April 2025 spike in Qilin attacks shows how quickly an established ransomware operation can scale once it adopts new tooling. The use of a custom loader such as NETXLOADER alongside commodity malware like SmokeLoader means defenders cannot rely on recognizing a single known family; organizations should monitor for loader activity and initial-access techniques, not just the final ransomware payload, and keep patching and phishing defenses current.