
LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks


EXCLUSIVE: LEAKNET RANSOMWARE GANG DEPLOYS STEALTHY NEW TECH STACK, EXPLOITING A MAJOR CYBERSECURITY BLIND SPOT

A dangerous ransomware syndicate has weaponized a popular developer tool, turning a platform for innovation into a vehicle for digital extortion. The LeakNet gang is now using a cunning method called "ClickFix" for initial access, tricking employees into granting system permissions. Once inside, they deploy a novel malware loader built on the Deno runtime, a tool normally used by developers for JavaScript and TypeScript. This represents a paradigm shift in cybercrime, hiding malicious code in plain sight within trusted, legitimate processes.

This isn't a simple data breach; it's a surgical strike. By leveraging Deno, attackers bypass traditional security filters that look for known malware signatures. The loader then fetches the final ransomware payload, making detection exponentially harder. No "zero-day" is required: the attackers are exploiting a fundamental vulnerability in how organizations perceive and monitor their own development ecosystems.

"Threat actors are increasingly living off the land, using tools that are already whitelisted," explains a senior threat intelligence analyst. "This Deno-based loader is a masterclass in evasion. It forces a complete re-evaluation of endpoint detection rules. The initial phishing remains critical, but the payload delivery is now virtually invisible." This technique renders many conventional anti-malware solutions nearly obsolete.
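One way to express such an endpoint detection rule, added here as an example and not taken from the article or its sources: it scores process-creation events that start `deno.exe` and alerts only when several weak signals coincide. The article gives no command lines or indicators, so the event fields, host inventory, signals and threshold are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Assumptions for illustration: none of these values come from the article.
DEV_HOSTS = {"DEV-WS-014"}  # hosts where Deno is an approved tool
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|programdata)\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
BROAD_PERMS = re.compile(r"(?<!\S)(-A|--allow-all|--allow-run|--allow-net)(?=[=\s]|$)")
REMOTE_CODE = re.compile(r"https?://", re.I)

def deno_findings(event):
    """Return the reasons a process-creation event needs triage ([] if not Deno)."""
    image = event["image"]
    if ntpath.basename(image).lower() != "deno.exe":
        return []
    reasons = []
    if event["host"] not in DEV_HOSTS:
        reasons.append("deno on non-developer host")
    if USER_WRITABLE.search(image):
        reasons.append("deno binary in user-writable path")
    if ntpath.basename(event["parent_image"]).lower() in SCRIPT_HOSTS:
        reasons.append("spawned by shell or script host")
    if BROAD_PERMS.search(event["cmdline"]):
        reasons.append("broad permission flags")
    if REMOTE_CODE.search(event["cmdline"]):
        reasons.append("code loaded from URL")
    return reasons

def triage(events, threshold=3):
    """Alert only when several signals coincide; developers trip one or two daily."""
    scored = ((e["host"], deno_findings(e)) for e in events)
    return [(host, why) for host, why in scored if len(why) >= threshold]

# Constructed sample events, shaped like EDR or Sysmon process-creation records.
SAMPLE = [
    {"host": "FIN-LT-203", "cmdline": "deno.exe run -A https://cdn.example.invalid/app.ts",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rt\deno.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "DEV-WS-014", "cmdline": "deno.exe run --allow-net server.ts",
     "image": r"C:\Users\dev\.deno\bin\deno.exe",
     "parent_image": r"C:\Program Files\PowerShell\7\pwsh.exe"},
    {"host": "FIN-LT-203", "cmdline": "notepad.exe notes.txt",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, why in triage(SAMPLE):
        print(host, "->", "; ".join(why))
```

Matching on the file name alone misses a renamed binary, so a rule like this is best paired with the hash or signer of the Deno build the organization has approved.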

Every company using modern web development frameworks is now a potential target. The attack chain—from phishing to ClickFix to Deno loader—is designed for maximum stealth against corporate networks. While the gang demands payment in crypto, the real story is their innovation in blockchain security evasion, using these techniques to obscure financial trails and complicate recovery efforts.

We predict a surge in copycat attacks using this method within the quarter. The blueprint is now public: abuse trusted runtimes to deliver ransomware. This will become the new standard for sophisticated cybercriminal operations.

The tools you use to build your business are now being used to destroy it.
