LeakNet Uses ClickFix Lure and Deno In-Memory Loader

ReliaQuest said a ransomware group known as LeakNet is now using a social engineering tactic called ClickFix delivered from compromised legitimate websites to gain initial access, and then running a Deno-based loader that executes malicious JavaScript directly in memory.

According to ReliaQuest, the ClickFix attacks present fake CAPTCHA or verification prompts on hacked sites and instruct users to copy and paste a command such as msiexec.exe into the Windows Run box. ReliaQuest added that this trick persuades victims to run benign-looking Windows tooling to launch malicious code and reduces the group’s dependence on stolen credentials sold by initial access brokers.

“LeakNet’s adoption of ClickFix marks both the first documented expansion of the group’s initial access capability and a meaningful strategic shift,” ReliaQuest said. The firm noted the technique lowers per-victim acquisition costs and avoids obvious attacker-owned infrastructure on the network layer, because the lure is served from otherwise normal websites.

ReliaQuest also described a staged loader built on the open-source Deno JavaScript and TypeScript runtime. The attackers use the legitimate Deno binary to decode Base64-encoded JavaScript and run it in memory so there is minimal on-disk evidence. “Rather than deploying a custom malware loader that’s more likely to get flagged, the attackers install the legitimate Deno executable and use it to run malicious code,” ReliaQuest said.

In observed cases, ReliaQuest reported the Deno execution was initiated by Visual Basic and PowerShell scripts with names like Romeo*.ps1 and Juliet*.vbs. The in-memory payload fingerprints the host, generates a victim ID, contacts a command-and-control server to fetch follow-on modules, and polls repeatedly for new commands.

For post-compromise activity, ReliaQuest described a repeatable chain: DLL sideloading to launch a malicious DLL, credential discovery using the built-in klist command, lateral movement using PsExec, data staging and exfiltration to cloud storage such as S3, and final encryption. “The key takeaway here is that both entry paths lead to the same repeatable post-exploitation sequence every time,” ReliaQuest said, adding that consistency gives defenders concrete behaviors to detect and disrupt.

Dragos data cited by ReliaQuest indicates LeakNet has also targeted industrial entities. ReliaQuest estimated LeakNet has been active since late 2024 and averages about three victims per month, though that could rise if the new techniques scale.

Google’s Threat Intelligence Group released broader ransomware findings noting top public leak sites and trends. GTIG said exploitation of vulnerabilities in VPNs and firewalls was a confirmed or suspected initial vector in roughly a third of incidents it reviewed, and that 77 percent of analyzed ransomware intrusions included suspected data theft. GTIG added that some actors are shifting toward higher-volume attacks against smaller organizations.

ReliaQuest highlighted detection indicators to watch for: Deno running on systems that are not developer hosts, unexpected msiexec or Run-box execution driven from browsers, unusual PsExec use, DLL sideloading in uncommon directories, and outbound traffic to cloud storage endpoints. “Those signals can let defenders interrupt the chain well before encryption,” ReliaQuest said.
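The indicators above (and the post-compromise chain described earlier) can be turned into a small host-based triage rule set. The following is an added example written for this article, not code from ReliaQuest or any vendor product: it scores constructed process, image-load and network events against each reported signal and groups the hits per host so that the chain is visible as one story. The host allowlist, the browser and trusted-directory lists, the field names of the events, and the sample events themselves are assumptions made for the example.

```python
import fnmatch
import ntpath
from typing import Dict, List, Tuple

# Hosts where a Deno runtime is expected (hypothetical allowlist for this example).
DEV_HOSTS = {"dev-ws-01", "build-02"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Directories where loaded DLLs are normally expected; a load from elsewhere is a
# sideloading candidate. Prefixes are compared lower-cased.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Script naming patterns ReliaQuest reported for the stage that launches Deno.
SCRIPT_PATTERNS = ("romeo*.ps1", "juliet*.vbs")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (or of a bare token)."""
    return ntpath.basename(path).lower()


def classify(ev: Dict) -> List[str]:
    """Return the name of every indicator a single event matches."""
    hits: List[str] = []
    image = _base(ev.get("image", ""))
    parent = _base(ev.get("parent", ""))
    ancestors = {_base(a) for a in ev.get("ancestors", [])}
    cmdline = ev.get("cmdline", "").lower()

    # Deno outside developer hosts (bring-your-own-runtime signal).
    if image == "deno.exe" and ev["host"] not in DEV_HOSTS:
        hits.append("deno_on_non_dev_host")
    # msiexec started from the Run box (parent explorer.exe, an assumption of
    # how Win+R launches appear) or with a browser in its ancestry.
    if image == "msiexec.exe" and (parent == "explorer.exe" or ancestors & BROWSERS):
        hits.append("msiexec_runbox_or_browser")
    # PsExec client or its service-side component.
    if image in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}:
        hits.append("psexec_use")
    # DLL loaded from a directory outside the trusted set.
    dll = ev.get("loaded_dll")
    if dll and not dll.lower().startswith(TRUSTED_DLL_DIRS):
        hits.append("dll_from_uncommon_dir")
    # Outbound connection to S3-style cloud storage.
    if ev.get("dest_host", "").lower().endswith(".amazonaws.com"):
        hits.append("cloud_storage_egress")
    # Script names matching the reported Romeo*.ps1 / Juliet*.vbs pattern.
    if any(fnmatch.fnmatchcase(_base(tok), pat)
           for tok in cmdline.split() for pat in SCRIPT_PATTERNS):
        hits.append("romeo_juliet_script_name")
    return hits


def scan(events: List[Dict]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group (image, hits) per host, dropping events that match nothing."""
    by_host: Dict[str, List[Tuple[str, List[str]]]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            by_host.setdefault(ev["host"], []).append((_base(ev.get("image", "")), hits))
    return by_host


# Constructed sample telemetry (not real events); field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "fin-ws-07", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "ancestors": [r"C:\Windows\explorer.exe"], "cmdline": "msiexec.exe /i PLACEHOLDER.msi /qn"},
    {"host": "fin-ws-07", "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\Juliet42.vbs"},
    {"host": "fin-ws-07", "image": r"C:\Users\alice\AppData\Local\deno.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "deno.exe run -A"},
    {"host": "dev-ws-01", "image": r"C:\Tools\deno.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "deno.exe run -A"},
    {"host": "fin-ws-07", "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "loaded_dll": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"host": "srv-file-01", "image": r"C:\Windows\PSEXESVC.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "srv-file-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "example-bucket.s3.amazonaws.com"},
    {"host": "srv-file-01", "image": r"C:\Windows\System32\svchost.exe",
     "loaded_dll": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    for host, entries in scan(SAMPLE_EVENTS).items():
        print(host)
        for image, hits in entries:
            print(f"  {image:<14} {', '.join(hits)}")
```

Run stand-alone, the script lists the workstation where the ClickFix lure landed (msiexec from the Run box, a Juliet*.vbs script, Deno on a non-developer host, a DLL loaded from the user's temp directory) and the file server that shows the PsExec service and S3 egress, while the allowlisted developer workstation and the normal svchost image load produce no hits. In a real deployment each rule would be a separate detection with its own severity, and the per-host grouping is what lets an analyst see the full sequence before encryption.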

As ClickFix and bring-your-own-runtime techniques like Deno spread among malware operators, organizations should review user-facing web flows, monitor for unusual runtime launches, and tighten controls around remote command execution.
