

Ethical Hacking News

The Stealthy Rise of LeakNet: Unveiling the ClickFix Deno Runtime Ransomware Technique


LeakNet, a relatively recent ransomware actor, leverages the legitimate Deno runtime environment to execute malicious code directly in system memory, making detection challenging for security teams. Learn more about this emerging technique in our detailed analysis.

  • LeakNet uses the "bring your own runtime" (BYOR) attack tactic to bypass blocklists and filters, leveraging Deno as a legitimate JavaScript/TypeScript runtime.
  • The ClickFix lure is used to entice victims into running malicious commands on their systems through fake prompts.
  • LeakNet's attack chain involves various stages, including DLL sideloading, C2 beaconing, credential discovery via 'klist' enumeration, lateral movement via PsExec, and payload staging and data exfiltration.
  • The use of legitimate tools like Deno makes it challenging for security teams to detect malicious activity.
  • Recognizing patterns associated with this ransomware technique can provide valuable detection opportunities for defenders.



    LeakNet, a relatively recent ransomware threat actor, has been making waves in the cybersecurity community by adopting innovative tactics to gain initial access to corporate environments. One such technique involves using the legitimate open-source runtime environment, Deno, to execute malicious code directly in system memory. In this article, we will delve into LeakNet's ClickFix Deno Runtime ransomware technique, exploring its mechanics, implications, and potential detection opportunities for defenders.

    According to ReliaQuest, a cybersecurity firm that specializes in threat intelligence, LeakNet uses the "bring your own runtime" (BYOR) attack tactic, which leverages Deno as a legitimate JavaScript/TypeScript runtime to bypass blocklists and filters for unknown binary execution. This approach allows the attackers to install the legitimate Deno executable on a compromised system and utilize it to run malicious code, thereby minimizing forensic evidence left behind.

    The ClickFix lure is used by LeakNet to entice victims into running a malicious command on their systems through fake prompts. Once executed, the payload fingerprints the host, generates a unique victim ID, and connects to a Command-and-Control (C2) server to receive further instructions. The C2 communication establishes a persistent polling loop to keep the attacker informed about system updates and potential additional payloads.

    LeakNet's attack chain involves various stages, including DLL sideloading, C2 beaconing, credential discovery via 'klist' enumeration, lateral movement via PsExec, and payload staging and data exfiltration that abuse Amazon S3 buckets. The attackers use these techniques to navigate the compromised system and extract sensitive information.

    The key takeaway from this attack vector is that LeakNet leverages legitimate tools like Deno to evade detection. By utilizing a well-known and widely used runtime environment, the attackers can blend in with normal developer activity, making it more challenging for security teams to identify malicious activity. This makes it essential for organizations to stay vigilant and continually update their security protocols to keep pace with emerging threats.

    Moreover, the consistency and repeatability of LeakNet's attack chain provide valuable detection opportunities for defenders. By recognizing patterns associated with this particular ransomware technique, including suspicious 'msiexec' execution from browsers, abnormal PsExec usage, unexpected outbound traffic to S3, and DLL sideloading in unusual directories, security teams can take proactive steps to prevent or mitigate the impact of such attacks.
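
    The four patterns listed above are each noisy on their own, so it helps to correlate them per host and alert only when several appear together. The Python sketch below is an added example, not code from ReliaQuest or from this article; the event fields (host, image, parent_image, dest_host, loaded_dll), the allowlists and the sample events are constructed assumptions.

```python
import ntpath
from collections import defaultdict
# Assumed allowlists and paths for this sketch; tune them to your environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
PSEXEC_HOSTS = {"ADMIN-JUMP01"}              # hosts where PsExec is expected
S3_CLIENTS = {"aws.exe", "backupagent.exe"}  # processes expected to reach S3

def name(path):
    return ntpath.basename(path or "").lower()

def is_s3(host):
    labels = (host or "").lower().split(".")
    return labels[-2:] == ["amazonaws", "com"] and any(
        l == "s3" or l.startswith("s3-") for l in labels[:-2])

def match(ev):
    """Return the detection patterns a single event matches."""
    image, parent = name(ev.get("image")), name(ev.get("parent_image"))
    dll = (ev.get("loaded_dll") or "").lower()
    hits = set()
    if image == "msiexec.exe" and parent in BROWSERS:
        hits.add("msiexec_from_browser")
    if image in {"psexec.exe", "psexec64.exe"} and ev["host"] not in PSEXEC_HOSTS:
        hits.add("abnormal_psexec")
    if is_s3(ev.get("dest_host")) and image not in S3_CLIENTS:
        hits.add("unexpected_s3_traffic")
    if dll.endswith(".dll") and any(d in dll for d in USER_WRITABLE):
        hits.add("dll_load_from_unusual_dir")  # noisy alone, useful in correlation
    return hits

def chain_hosts(events, min_patterns=2):
    """Map each host showing >= min_patterns distinct patterns to those patterns."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= match(ev)
    return {h: sorted(p) for h, p in seen.items() if len(p) >= min_patterns}

# Constructed sample events (not real telemetry): WS-042 shows the chain.
SAMPLE = [
    {"host": "WS-042", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS-042", "image": r"C:\Users\amy\AppData\Roaming\app\app.exe",
     "loaded_dll": r"C:\Users\amy\AppData\Roaming\app\version.dll"},
    {"host": "WS-042", "image": r"C:\Windows\Temp\PsExec.exe"},
    {"host": "WS-042", "image": r"C:\Users\amy\AppData\Local\deno.exe",
     "dest_host": "example-bucket.s3.us-east-1.amazonaws.com"},
    {"host": "ADMIN-JUMP01", "image": r"C:\Tools\PsExec.exe"},
    {"host": "WS-101", "image": r"C:\Tools\aws.exe", "dest_host": "s3.amazonaws.com"},
]
```

    Calling chain_hosts(SAMPLE) returns only WS-042, with all four patterns; the allowlisted PsExec host and the expected S3 client produce no hits.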

    In conclusion, LeakNet's adoption of the ClickFix Deno Runtime ransomware technique underscores the evolving nature of cybersecurity threats. As attackers continue to adapt and innovate their tactics, it is crucial for organizations and defenders alike to remain vigilant and up-to-date with the latest threat intelligence.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Stealthy-Rise-of-LeakNet-Unveiling-the-ClickFix-Deno-Runtime-Ransomware-Technique-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clickfix-and-deno-runtime-for-stealthy-attacks/

  • https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat

  • https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html


  • Published: Tue Mar 17 08:52:59 2026 by llama3.2 3B Q4_K_M












