The ransomware group LeakNet is significantly escalating its operations with the introduction of new, sophisticated attack vectors, including a social engineering tactic known as ClickFix and a stealthy Deno-based loader. This shift marks a departure from their previous reliance on purchasing stolen credentials, allowing LeakNet to target a much broader range of victims and bypass many standard security defenses.
Recent analysis by ReliaQuest highlights LeakNet’s evolving strategy, noting a substantial increase in the scale of its attacks. Previously averaging three victims a month, the group now employs tools designed to evade conventional security measures, posing a more immediate threat to organizations worldwide. Its adoption of ClickFix and the Deno loader is a key indicator of this aggressive expansion.
LeakNet Scales Ransomware Operations With ClickFix Lures
LeakNet’s adoption of ClickFix represents a critical change in their victim acquisition methods. Instead of purchasing compromised access from initial access brokers (IABs), the group now strategically places deceptive verification pages on legitimate, albeit compromised, websites. These pages mimic standard security checks, such as Cloudflare’s Turnstile, prompting unsuspecting users to execute a seemingly innocuous command.
This approach significantly broadens their attack surface. By leveraging compromised websites, LeakNet bypasses the need for direct interaction with underground markets for access, reducing their dependencies and increasing the volume of potential targets. The ClickFix technique is becoming increasingly prevalent, reportedly facilitating the distribution of a substantial percentage of top malware families in recent analyses.
The effectiveness of ClickFix lies in its ability to circumvent network-level defenses. Because the lures reside on trusted domains, traditional domain-blocking mechanisms generate fewer alerts. The danger becomes apparent only after a user has executed the malicious command, placing a greater emphasis on behavioral monitoring for suspicious commands and outbound connections rather than solely relying on signature-based detection.
Consistent Post-Exploitation Chain
A concerning aspect of LeakNet’s current campaign is the consistency of their post-exploitation activities, regardless of the entry point. Whether through ClickFix or Microsoft Teams phishing, the group employs the same set of tools for execution, lateral movement, and payload staging. This uniformity, while dangerous, also provides defenders with a clear understanding of the attack chain, enabling targeted detection and disruption.
The Stealthy Deno-Based Loader: A New Evasion Tactic
A particularly potent addition to LeakNet’s arsenal is a novel loader built using the Deno JavaScript runtime. This “bring-your-own-runtime” (BYOR) approach allows attackers to leverage a legitimate, trusted executable on the victim’s machine to run malicious code, making it highly resistant to traditional security tools that focus on detecting custom binaries.
The Deno loader is initiated through PowerShell and Visual Basic Script files, often with filenames like `Romeo*.ps1` and `Juliet*.vbs`. Instead of writing malicious JavaScript files to disk, LeakNet encodes the payload in base64 and feeds it directly to the Deno runtime as a data URL. Deno then decodes and executes this code entirely in memory, leaving no trace on the file system and rendering signature-based detection ineffective.
Once operational, the Deno loader gathers essential system information such as the username, hostname, memory size, and operating system version to generate a unique victim fingerprint. It then establishes a connection to attacker-controlled infrastructure to download a personalized second-stage payload. To prevent duplication, it binds to a local port before entering a continuous loop of fetching and executing further code in memory.
To mitigate the risk posed by LeakNet’s evolving tactics, organizations should prioritize blocking newly registered domains, as the group’s command-and-control servers are often short-lived. Restricting users’ ability to run commands from the Win+R Run dialog, and limiting PsExec usage through Group Policy Objects (GPOs) to authorized administrators, are also crucial steps. Security teams should actively monitor for `jli.dll` sideloading in the `C:\ProgramData\USOShared` directory, anomalous PsExec activity, and unexpected outbound connections to S3 buckets. The most effective defense against the deployment of ransomware is the immediate isolation of any compromised host upon detection of post-exploitation behavior, thereby breaking the attack chain.
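The following detection logic, added here as an example and not part of ReliaQuest’s report or tooling, runs the behavioural indicators described above (the `Romeo*.ps1`/`Juliet*.vbs` launchers, Deno fed a base64 `data:` URL, `jli.dll` loaded from `C:\ProgramData\USOShared`, PsExec by a non-authorized account) over constructed process events. The event field names and the allowlist are assumptions for illustration, not a specific product schema.

```python
import re

# Constructed process-creation / image-load events modelled on the chain described
# above; field names are illustrative, not a specific telemetry product's schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ep bypass -f C:\Users\Public\Romeo7.ps1",
     "user": r"CORP\jdoe"},
    {"image": r"C:\Users\Public\deno.exe",  # BYOR: legitimate runtime, in-memory payload
     "command_line": 'deno.exe run -A "data:application/javascript;base64,Y29uc29sZS5sb2coMSk="',
     "user": r"CORP\jdoe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B C:\Users\Public\Juliet3.vbs",
     "user": r"CORP\jdoe"},
    {"image": r"C:\ProgramData\USOShared\update.exe",  # hypothetical sideloading host
     "command_line": r"update.exe", "user": r"CORP\jdoe",
     "loaded_module": r"C:\ProgramData\USOShared\jli.dll"},
    {"image": r"C:\Tools\PsExec64.exe",
     "command_line": r"PsExec64.exe \\FILESRV01 ipconfig", "user": r"CORP\jdoe"},
    {"image": r"C:\Tools\PsExec64.exe",
     "command_line": r"PsExec64.exe \\FILESRV01 ipconfig", "user": r"CORP\svc_admin"},
]

# Accounts permitted to run PsExec (constructed allowlist; in practice from the GPO).
AUTHORIZED_PSEXEC_USERS = {r"CORP\svc_admin"}

RULES = [
    # Deno given a base64 data: URL as its module, so the payload never touches disk.
    ("deno_data_url_payload",
     re.compile(r"\bdeno(?:\.exe)?\b.*\bdata:[^\s\"']*;base64,", re.I)),
    # Romeo*.ps1 / Juliet*.vbs launcher names reported for this campaign.
    ("romeo_juliet_launcher",
     re.compile(r"\b(?:romeo[^\\\s]*\.ps1|juliet[^\\\s]*\.vbs)\b", re.I)),
    # jli.dll loaded from the USOShared staging directory.
    ("jli_dll_in_usoshared",
     re.compile(r"c:\\programdata\\usoshared\\[^\s]*jli\.dll", re.I)),
]
PSEXEC = re.compile(r"\bpsexe[cs](?:64)?(?:\.exe)?\b", re.I)


def detect(events, authorized_psexec_users):
    # Returns (event_index, rule_name) for every event matching a rule.
    allowed = {u.lower() for u in authorized_psexec_users}
    hits = []
    for i, ev in enumerate(events):
        haystack = " ".join(ev.get(k, "") for k in ("image", "command_line", "loaded_module"))
        for name, rx in RULES:
            if rx.search(haystack):
                hits.append((i, name))
        # PsExec itself is legitimate; flag it only when run outside the authorized set.
        if PSEXEC.search(haystack) and ev.get("user", "").lower() not in allowed:
            hits.append((i, "psexec_unauthorized_user"))
    return hits
```

Pattern matches on command lines are a starting point; the outbound-connection and host-isolation steps above still need network and EDR telemetry that this example does not model.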