
LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader

Published:

17 March 2026 at 14:34:00

Alert date:

17 March 2026 at 16:02:36

Source:

thehackernews.com


Ransomware & Malware, Web Technologies, Data Breach & Exfiltration

The LeakNet ransomware operation has adopted ClickFix social engineering tactics, delivered through compromised websites, as an initial access method. This represents a shift from traditional initial access methods such as stolen credentials. The attack tricks users into manually running malicious commands to resolve fake errors. The campaign then deploys a Deno in-memory loader for payload execution. The technique relies on user interaction and compromised websites to establish an initial foothold in target environments.

Technical details

LeakNet ransomware uses ClickFix social engineering delivered through compromised websites to trick users into running malicious msiexec.exe commands via fake CAPTCHA verification checks. The attack employs a staged command-and-control loader built on the Deno JavaScript runtime to execute Base64-encoded JavaScript payloads directly in memory to evade detection. The loader fingerprints the system, contacts external servers for next-stage malware, and enters a polling loop for additional code execution. Post-compromise activities include DLL side-loading, lateral movement using PsExec, data exfiltration via S3 buckets, and encryption. The group uses cmd.exe /c klist to enumerate active authentication credentials for faster lateral movement.

Mitigation steps:

Monitor for known behaviors at each stage of the attack chain to detect and disrupt operations before ransomware deployment. Implement detection for ClickFix social engineering attempts, monitor for suspicious msiexec.exe execution, watch for Deno runtime processes, detect DLL side-loading activities, monitor PsExec usage for lateral movement, and watch for unusual S3 bucket traffic patterns for data exfiltration.
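Added example, not code from the advisory or from the original reporting: a rule-based triage pass over constructed process-creation events that flags the stages named in the mitigation paragraph (msiexec.exe launched from a fake CAPTCHA, Deno runtime execution, cmd.exe /c klist, PsExec, Base64-encoded payloads on the command line). The rule names, the explorer.exe-parent condition and the sample paths and URL are this example's assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str    # parent process image path
    image: str     # process image path
    cmdline: str   # full command line

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

# Heuristics for the stages named in the advisory. Rule names and the
# explorer.exe-parent condition (command pasted into the Run dialog) are
# assumptions of this example, not indicators published by the source.
RULES = [
    ("clickfix_msiexec_remote_install", lambda e:
        _basename(e.image) == "msiexec.exe"
        and _basename(e.parent) == "explorer.exe"
        and re.search(r"https?://", e.cmdline, re.I) is not None),
    ("deno_runtime_execution", lambda e:
        _basename(e.image) == "deno.exe"),
    ("klist_ticket_enumeration", lambda e:
        _basename(e.image) == "cmd.exe"
        and re.search(r"/c\s+klist\b", e.cmdline, re.I) is not None),
    ("psexec_lateral_movement", lambda e:
        _basename(e.image) in ("psexec.exe", "psexec64.exe", "psexesvc.exe")),
    ("base64_payload_in_cmdline", lambda e:
        re.search(r"[A-Za-z0-9+/]{40,}={0,2}", e.cmdline) is not None),
]

def triage(events):
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events)
            for name, pred in RULES if pred(e)]

# Constructed sample telemetry; the URL and the Base64 blob are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://example.invalid/verify.msi /qn"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Users\u\deno.exe",
              'deno.exe eval "' + "QUFB" * 12 + '"'),
    ProcEvent(r"C:\Users\u\deno.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c klist"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe",
              r"C:\Windows\PSEXESVC.exe"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /V"),   # benign: Windows Installer service re-registration
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c dir"),   # benign: ordinary interactive shell
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The two benign events show the rules staying quiet on ordinary msiexec.exe and cmd.exe activity; tune the parent-process and URL conditions to your own telemetry before deploying.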

Affected products:

Windows operating systems
Deno JavaScript runtime
Microsoft Teams
VPN solutions
Firewall systems
S3 cloud storage buckets

Related links:

Related CVEs:

Related threat actors:

IOCs:

msiexec.exe commands distributed via fake CAPTCHA checks, Base64-encoded JavaScript payloads, Deno runtime processes executing in-memory payloads, DLL side-loading activities, PsExec lateral movement, cmd.exe /c klist credential enumeration, S3 bucket exfiltration traffic

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
