The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript.

The attacker is using the legitimate Deno to decode and execute a malicious payload directly into system memory, minimizing forensic evidence on the disk and lowering the chance of detection.

LeakNet is a relatively recent ransomware threat actor that has been active since the end of 2024. The actor averages around three victims every month, but the operation may expand with the adoption of the new tactics.

ClickFix is a widely used social engineering attack that tricks users into running malicious commands on their systems through fake prompts. The technique has been adopted by multiple ransomware groups, like Termite and Interlock.

In LeakNet’s case, the ClickFix lure leads to deploying a Deno-based loader that executes a JavaScript payload in system memory.

ReliaQuest calls this tactic a “bring your own runtime” (BYOR) attack, as Deno is a legitimate JavaScript/TypeScript runtime that allows JS/TS code execution outside the browser on a system.

Deno is signed and legitimate, so it bypasses blocklists and filters for unknown binary execution.

“Rather than deploying a custom malware loader that’s more likely to get flagged, the attackers install the legitimate Deno executable and use it to run malicious code,” explains ReliaQuest.

“In observed activity, that process was initiated through Visual Basic Script (VBS) and PowerShell scripts, cleverly named Romeo*.ps1 and Juliet*.vbs.”

The use of Deno for direct in-memory execution is key, as the activity leaves minimal forensic artifacts behind and appears as a normal developer task.

Once executed, the code fingerprints the host, generates a unique victim ID, and connects to the command-and-control (C2) to pull the second-stage payload. At the same time, it runs a persistent polling loop to receive new commands from the C2.

In the post-exploitation phase, LeakNet uses DLL sideloading (jli.dll loaded via Java in C:\ProgramData\USOShared), C2 beaconing, credential discovery via ‘klist’ enumeration, lateral movement via PsExec, and payload staging and data exfiltration that involves abusing Amazon S3 buckets.

The researchers underline that the consistency and repeatability of the attack chain provide detection opportunities for defenders.

Strong signs of potential LeakNet activity include Deno running outside development environments, suspicious ‘misexec’ execution from browsers, abnormal PsExec usage, unexpected outbound traffic to S3, and DLL sideloading in unusual directories.