LeakNet: LeakNet boosts ransomware with ClickFix lures, stealthy Deno loader

LeakNet Expands Ransomware Operations with Stealthy ClickFix Lures and Deno-Based Loader

Ransomware group LeakNet is scaling its operations by combining mass-market ClickFix social engineering lures with a Deno-based in-memory loader, reducing detection windows for defenders. While the group currently averages three victims per month, recent investments in its own delivery infrastructure signal an effort to increase that number.

New Attack Vectors: ClickFix and Deno

Instead of relying on initial access brokers (IABs), LeakNet now runs its own campaigns, using compromised legitimate websites to host ClickFix lures: fake error messages and verification pages (e.g., spoofed Cloudflare Turnstile prompts) that trick users into executing msiexec commands. This approach lowers acquisition costs, removes the dependency on third-party access, and broadens the victim pool beyond pre-curated targets.

Once executed, the attack chain deploys a Deno-based loader that runs base64-encoded JavaScript/TypeScript directly in memory via data: URLs, leaving minimal disk artifacts. The loader, disguised with decoy script names such as Romeo.ps1 and Juliet.vbs, collects host details, generates a unique victim ID, and establishes command-and-control (C2) communication through attacker-controlled infrastructure.

Post-Exploitation Playbook

Despite evolving initial access methods, LeakNet’s post-compromise behavior remains consistent, offering defenders predictable detection opportunities:

  • DLL Sideloading: A trojanized jli.dll is placed alongside a legitimate Java binary in C:\ProgramData\USOShared, mimicking normal Windows Update activity.
  • Lateral Movement: After beaconing via a repeatable URL pattern, the group enumerates Kerberos tickets (klist command) and then moves laterally with PsExec.
  • Exfiltration & C2: Malicious traffic is masked using S3 buckets and trusted cloud services, blending into expected enterprise traffic.

Detection Opportunities

Defenders are advised to monitor for:

  • msiexec commands spawned from browsers or Win+R dialogs.
  • Deno executing base64 data URLs or running outside developer environments.
  • java.exe loading jli.dll from C:\ProgramData\USOShared.
  • PsExec usage from non-admin accounts.
  • Unexpected outbound connections to S3 buckets or known C2 domains.
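Detection logic for the five opportunities listed above, as an added example (not code from the article or from any vendor): a small Python checker run over constructed Sysmon-style process-creation and image-load events. The DEV_USERS and ADMIN_USERS allowlists are assumptions standing in for an organisation's own list of accounts expected to run Deno and PsExec.

```python
from dataclasses import dataclass

# Assumed allowlists (constructed, not from the article): who may run Deno/PsExec.
DEV_USERS = {"dev-alice"}
ADMIN_USERS = {"adm-bob"}
LAUNCHERS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}  # explorer.exe hosts Win+R
USOSHARED = "c:\\programdata\\usoshared\\"

@dataclass
class Event:
    kind: str            # "process" (creation) or "imageload" (DLL load)
    image: str           # image name of the process, lowercase
    parent: str = ""     # parent image name for process events
    cmdline: str = ""
    user: str = ""
    loaded: str = ""     # full path of the loaded module for imageload events

def check(ev: Event) -> list[str]:
    """Return the names of the detections that fire for one event."""
    hits = []
    if ev.kind == "process":
        if ev.image == "msiexec.exe" and ev.parent in LAUNCHERS:
            hits.append("msiexec spawned from browser or Win+R")
        if ev.image == "deno.exe":
            if "data:" in ev.cmdline.lower() and "base64," in ev.cmdline.lower():
                hits.append("deno executing base64 data: URL")
            elif ev.user not in DEV_USERS:
                hits.append("deno outside developer environment")
        if ev.image == "psexec.exe" and ev.user not in ADMIN_USERS:
            hits.append("psexec from non-admin account")
    elif ev.kind == "imageload" and ev.image == "java.exe":
        path = ev.loaded.lower()
        if path.startswith(USOSHARED) and path.endswith("\\jli.dll"):
            hits.append("java.exe sideloading jli.dll from USOShared")
    return hits

def scan(events):
    return [(e.image, h) for e in events for h in check(e)]

# Constructed sample events: four should fire, two are benign controls.
SAMPLE_EVENTS = [
    Event("process", "msiexec.exe", parent="msedge.exe", user="jsmith", cmdline="msiexec /i verify.msi /qn"),
    Event("process", "deno.exe", parent="msiexec.exe", user="jsmith",
          cmdline="deno run -A data:application/typescript;base64,QUFBQQ=="),
    Event("process", "deno.exe", parent="code.exe", user="dev-alice", cmdline="deno run main.ts"),
    Event("imageload", "java.exe", loaded="C:\\ProgramData\\USOShared\\jli.dll"),
    Event("process", "psexec.exe", parent="cmd.exe", user="jsmith", cmdline="psexec \\\\host01 cmd"),
    Event("process", "msiexec.exe", parent="services.exe", user="SYSTEM"),
]
```

In production the same checks map naturally onto Sysmon Event ID 1 (process creation) and Event ID 7 (image load) fields, with the allowlists sourced from directory group membership rather than hard-coded.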

Indicators of Compromise (IOCs)

ClickFix Domains (Compromised Websites):


Deno C2 Domains/IPs:


Sideloaded jli.dll C2 Domains:


Malicious S3 Buckets:

"id": "BLE1773836674",
"linkid": "bleepingcomputer",
"type": "Ransomware",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"