RansomwareMar 17, 2026

LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader

LeakNet ransomware has adopted the ClickFix social engineering tactic delivered through compromised websites as its primary initial access method, moving away from reliance on stolen credentials from initial access brokers. The group deploys a Deno-based in-memory loader to execute malicious payloads while minimizing on-disk forensic evidence, followed by a consistent post-compromise methodology involving DLL side-loading, lateral movement via PsExec, and data exfiltration to S3 buckets before encryption.

Read at source

Summary

Full text

LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader Ravie LakshmananMar 17, 2026Ransomware / Windows Security The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic delivered through compromised websites as an initial access method. The use of ClickFix, where users are tricked into manually running malicious commands to address non-existent errors, is a departure from relying on traditional methods for obtaining initial access, such as through stolen credentials acquired from initial access brokers (IABs), ReliaQuest said in a technical report published today. The second important aspect of these attacks is the use of a staged command-and-control (C2) loader built on the Deno JavaScript runtime to execute malicious payloads directly in memory. "The key takeaway here is that both entry paths lead to the same repeatable post-exploitation sequence every time," the cybersecurity company said. "That gives defenders something concrete to work with: known behaviors you can detect and disrupt at each stage, well before ransomware deployment, regardless of how LeakNet got in." LeakNet first emerged in November 2024, describing itself as a "digital watchdog" and framing its activities as focused on internet freedom and transparency. According to data captured by Dragos, the group has also targeted industrial entities. The use of ClickFix to breach victims offers several advantages, the most significant being that it reduces dependence on third-party suppliers, lowers per-victim acquisition cost, and removes the operational bottleneck of waiting for valuable accounts to hit the market. In these attacks, the legitimate-but-compromised sites are used to serve fake CAPTCHA verification checks that instruct users to copy and paste a "msiexec.exe" command to the Windows Run dialog. The attacks are not confined to a specific industry vertical, instead casting a wide net to infect as many victims as possible. The development comes as more threat actors are adopting the ClickFix playbook, as it abuses trusted, everyday workflows to entice users into running rogue commands via legitimate Windows tooling in a manner that feels routine and safe. "LeakNet's adoption of ClickFix marks both the first documented expansion of the group’s initial access capability and a meaningful strategic shift," ReliaQuest said. "By moving away from IABs, LeakNet removes a dependency that naturally constrained how quickly and broadly it could operate. And because ClickFix is delivered through legitimate—but compromised—websites, it doesn’t present the same obvious signals at the network layer as attacker-owned infrastructure." Besides the use of ClickFix to initiate the attack chain, LeakNet is assessed to be using a Deno-based loader to execute Base64-encoded JavaScript directly in memory so as to minimize on-disk evidence and evade detection. The payload is designed to fingerprint the compromised system, contact an external server to fetch next-stage malware, and enter into a polling loop that repeatedly fetches and executes additional code through Deno. Separately, ReliaQuest said it also observed an intrusion attempt in which threat actors used Microsoft Teams-based phishing to socially engineer a user into launching a payload chain that ended in a similar Deno-based loader. While the activity remains unattributed, the use of the bring your own runtime (BYOR) approach either signals a broadening of LeakNet's initial access vectors, or that other threat actors have adopted the technique. LeakNet's post-compromise activity follows a consistent methodology: it starts with the use of DLL side-loading to launch a malicious DLL delivered via the loader, followed by lateral movement using PsExec, data exfiltration, and encryption. "LeakNet runs cmd.exe /c klist, a built-in Windows command that displays active authentication credentials on the compromised system. This tells the attacker which accounts and services are already reachable without the need for requesting new credentials, so they can move faster and more deliberately," ReliaQuest said. "For staging and exfiltration, LeakNet uses S3 buckets, exploiting the appearance of normal cloud traffic to reduce its detection footprint." The development comes as Google revealed that Qilin (aka Agenda), Akira (aka RedBike), Cl0p, Play, SafePay, INC Ransom, Lynx, RansomHub, DragonForce (aka FireFlame and FuryStorm), and Sinobi emerged as the top 10 ransomware brands with the most victims claimed on their data leak sites. "In a third of incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls," Google Threat Intelligence Group (GTIG) said, adding 77% of analyzed ransomware intrusions included suspected data theft, an increase from 57% in 2024. "Despite ongoing turmoil caused by actor conflicts and disruption, ransomware actors remain highly motivated and the extortion ecosystem demonstrates continued resilience. Several indicators suggest the overall profitability of these operations is, however, declining, and at least some threat actors are shifting their targeting calculus away from large companies to instead focus on higher volume attacks against smaller organizations." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cloud security, cybersecurity, Malware, Phishing, ransomware, social engineering, Threat Intelligence, windows security Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps

Indicators of Compromise

malware — LeakNet
malware — Deno-based loader
mitre_attack — T1218.009
mitre_attack — T1021.002
mitre_attack — T1566.002