Just a few months ago a new actor named LeakNet emerged on the cybercrime scene, and its technical evolution already demands attention: it has begun to combine a highly effective social engineering tactic with a modern "living off the land" approach that abuses legitimate software to run malicious code in memory. The result is a hard-to-detect entry vector with a small disk footprint, exactly what ransomware groups seeking to maximize impact and minimize traceability are looking for.
The entry point LeakNet uses is known as ClickFix, a user-targeted deception that tricks the victim into running commands or files through fake windows or notices that appear to solve a technical problem. Once that first step is achieved, the attackers do not launch a loader of their own with a dubious signature: they install and use the legitimate Deno runtime (the modern environment for JavaScript and TypeScript) to decode and run the malicious payload directly in the system's memory. This strategy, described by researchers at ReliaQuest, is a clear example of what they call a "bring your own runtime" (BYOR) campaign, in which a legitimate interpreter is brought in to run hostile code without tripping blocklists or filters that look for suspicious binaries. More information on the technical analysis is available in the ReliaQuest report: ReliaQuest: ClickFix, Deno and LeakNet Threat.

Why use Deno? Because it is a signed and widely recognized executable in development environments, which makes detection harder when it appears on a machine whose defenses are not prepared to treat it as malicious. By using Deno, LeakNet operators can run malicious JavaScript/TypeScript that fingerprints the machine, generates a unique victim identifier and contacts a command-and-control server to download later stages. The in-memory code keeps a polling connection open to receive orders, which allows persistence without leaving obvious artifacts on disk.
In the post-exploitation phase, LeakNet uses conventional but effective techniques: DLL sideloading (for example, abusing jli.dll through Java on paths such as C:\ProgramData\USOShared), credential reconnaissance with system tools like klist, lateral movement using PsExec, and exfiltration and data staging that abuse cloud services like Amazon S3. Microsoft maintains official documentation on the utilities and commands used in these processes; for example, the Sysinternals PsExec tool is described on the PsExec page, Kerberos ticket management with klist is documented in the Microsoft reference, and the DLL search and loading rules are described in the Windows documentation. On the cloud side, Amazon S3 is often used by attackers to store and distribute payloads; the official S3 guide is in the Amazon S3 documentation.
What makes this attack chain worrying? Mainly two things: the combination of social engineering with in-memory execution, and the use of legitimate tools. In-memory execution reduces the forensic evidence on disk and means many signature-based solutions never raise an alert. Using an official runtime like Deno means that controls which block "unapproved" binaries can be bypassed. In addition, when the attacker relies on system utilities to move laterally or enumerate credentials, the activity can be camouflaged among legitimate administrative tasks.
Researchers who have tracked LeakNet indicate that, for now, the group's activity has been relatively contained since the end of 2024, averaging a few victims per month, although the adoption of these new methods could accelerate its growth. The repetitiveness of the attack chain, however, works in the defenders' favour: consistent patterns leave specific points at which to monitor and detect anomalies.
Warning signs to monitor include the execution of Deno on machines where no development work is done, unusual invocations involving a browser and command execution (sometimes detected as misexec or unusual processes launched from browser processes), abnormal use of PsExec, unexpected outbound traffic to S3 buckets, and the presence of DLLs loaded from atypical locations like ProgramData. These are useful clues for early detection and response.
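As an added illustration of the warning signs listed above (not code from the article or from the ReliaQuest report), the following Python sketch applies those five patterns to a handful of constructed telemetry events; the event schema, the DEV_HOSTS inventory and the hostnames are assumptions made for the example.

```python
import re

# Assumption: the SOC keeps an inventory of hosts where the Deno runtime is expected.
DEV_HOSTS = {"dev-ws-01"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.IGNORECASE)


def detect(event):
    """Return the names of the warning signs that one telemetry event matches.
    `event` is a dict with keys host, role, image, parent, dll, dest; this is a
    constructed schema for the example, not a real EDR format."""
    hits = []
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    if image == "deno.exe" and event.get("host") not in DEV_HOSTS:
        hits.append("deno_outside_dev")        # runtime on a non-development host
    if parent in BROWSERS and image in SHELLS:
        hits.append("browser_spawned_shell")   # ClickFix: command run from a browser
    if image in PSEXEC:
        hits.append("psexec_use")              # lateral movement tooling
    if PROGRAMDATA.match(event.get("dll", "")):
        hits.append("dll_from_programdata")    # sideloading location such as jli.dll
    dest = event.get("dest", "").lower()
    if event.get("role") == "workstation" and dest.endswith(".amazonaws.com") \
            and (".s3." in dest or dest.startswith("s3.")):
        hits.append("workstation_to_s3")       # staging/exfiltration to S3 buckets
    return hits


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"host": "dev-ws-01", "role": "workstation", "image": "deno.exe", "parent": "code.exe"},
    {"host": "hr-ws-07", "role": "workstation", "image": "powershell.exe", "parent": "chrome.exe"},
    {"host": "hr-ws-07", "role": "workstation", "image": "deno.exe", "parent": "powershell.exe"},
    {"host": "hr-ws-07", "role": "workstation", "image": "java.exe",
     "dll": r"C:\ProgramData\USOShared\jli.dll"},
    {"host": "fs-01", "role": "server", "image": "PSEXESVC.exe", "parent": "services.exe"},
    {"host": "hr-ws-07", "role": "workstation", "image": "java.exe",
     "dest": "example-bucket.s3.us-east-1.amazonaws.com"},
]


def scan(events):
    """Map each event index to the rules it fires; events with no hits are omitted."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["host"], hits)
```

Deno on the inventoried development host (event 0) is deliberately not flagged, which is the kind of context a bare signature cannot express.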

From a practical standpoint, the mitigations are not new, but they must be applied with discipline: limit and monitor the use of administrative tools, restrict binary execution to an approved inventory, apply application allowlists where possible, and analyse outbound connections to cloud services from workstations. It is also key to educate employees not to run shortcuts or commands presented by suspicious pop-up windows, because ClickFix feeds precisely on the user's "quick fix" reflex.
The security community today publishes guides and tools to help detect and mitigate such attacks. Reviewing the indicators and patterns reported by researchers, maintaining process and network telemetry, and configuring alerts on abnormal behaviour (for example, Deno outside development environments or unusual traffic to S3) are concrete steps that can make a difference. For those who want to dig deeper into the original analysis of the attack chain, the ReliaQuest report is a good starting point: ReliaQuest technical write-up, and to understand the runtime the attackers are using, Deno's official page explains how the environment works: Deno - official site.
In short, LeakNet has not invented anything radically new, but it has assembled current tactics efficiently: abuse of a legitimate runtime for in-memory execution, targeted social engineering, and post-exploitation movement based on the system's own utilities and cloud services. This combination requires security teams not only to block signatures but also to observe behaviour and context, and organizations to maintain basic digital hygiene and continuing staff training. The threat is manageable if these points are addressed as a priority.