{"id":224671,"date":"2026-03-17T10:34:00","date_gmt":"2026-03-17T14:34:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/17\/leaknet-ransomware-uses-clickfix-via-hacked-sites-deploys-deno-in-memory-loader\/"},"modified":"2026-03-17T13:50:09","modified_gmt":"2026-03-17T17:50:09","slug":"leaknet-ransomware-uses-clickfix-via-hacked-sites-deploys-deno-in-memory-loader","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/17\/leaknet-ransomware-uses-clickfix-via-hacked-sites-deploys-deno-in-memory-loader\/","title":{"rendered":"LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/leaknet-ransomware-uses-clickfix-via.html\">LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/leaknet-ransomware-uses-clickfix-via.html\">https:\/\/thehackernews.com\/2026\/03\/leaknet-ransomware-uses-clickfix-via.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-17 10:34:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic delivered through compromised websites as an initial access method.<\/p>\n<p>The use of ClickFix, where users are tricked into manually running malicious commands to address non-existent errors, is a departure from relying on traditional methods for obtaining initial access, such as through stolen credentials acquired from initial access brokers (IABs), ReliaQuest said in a technical report published today.<\/p>\n<p>The second important aspect of these attacks is the use of a staged command-and-control (C2) loader built on the Deno JavaScript runtime to execute malicious payloads directly in memory.<\/p>\n<p>&#8220;The key takeaway here is that both entry paths lead to the same repeatable post-exploitation sequence every time,&#8221; the cybersecurity company said. &#8220;That gives defenders something concrete to work with: known behaviors you can detect and disrupt at each stage, well before ransomware deployment, regardless of how LeakNet got in.&#8221;<\/p>\n<p>LeakNet first emerged in November 2024, describing itself as a &#8220;digital watchdog&#8221; and framing its activities as focused on internet freedom and transparency. According to data captured by Dragos, the group has also targeted industrial entities.<\/p>\n<p>The use of ClickFix to breach victims offers several advantages, the most significant being that it reduces dependence on third-party suppliers, lowers per-victim acquisition cost, and removes the operational bottleneck of waiting for valuable accounts to hit the market.<\/p>\n<p>In these attacks, the legitimate-but-compromised sites are used to serve fake CAPTCHA verification checks that instruct users to copy and paste a &#8220;msiexec.exe&#8221; command to the Windows Run dialog. The attacks are not confined to a specific industry vertical, instead casting a wide net to infect as many victims as possible.\u00a0<\/p>\n<p>The development comes as more threat actors are adopting the ClickFix playbook, as it abuses trusted, everyday workflows to entice users&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/leaknet-ransomware-uses-clickfix-via.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader https:\/\/thehackernews.com\/2026\/03\/leaknet-ransomware-uses-clickfix-via.html Publish Date: 2026-03-17&#8230;<\/p>\n","protected":false},"author":1,"featured_media":224672,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjNHJfW8wlD2yQtP3pzAZhSRXNrzlhxXWqqG6GiAH3nbBo44Bz5mQxZ1LtsokhDYs-FC2t8hyphenhyphenY-TlNvck_Rtou9A_AA9lRnKNDRbMxZTpHfAe-6WETM-yJoWzxTANKVWrcZFdu7sax22JeTcWAVwuLKMibTNkLwSRyC0_HfBgCFM6EWqPl5-HbGtJEiSCTC\/s16000\/leaknet-ransomware.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24],"class_list":["post-224671","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/224671"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=224671"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/224671\/revisions"}],"predecessor-version":[{"id":224673,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/224671\/revisions\/224673"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/224672"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=224671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=224671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=224671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}