Ransomware operator LeakNet is going large. Well, they’re scaling up, and at the same time, they’re changing tactics.
Among the techniques introduced are a new initial access path and a new loader technique, according to an analysis by ReliaQuest.
“‘ClickFix’ lures hosted on compromised websites and a Deno-based, in-memory loader that most security tools won’t catch. No matter how it gets in, LeakNet then follows the same post-exploitation steps: Execution, lateral movement, and payload staging,” ReliaQuest’s analysis found.
The researchers pointed to two key developments—the first being their high confidence that LeakNet is using the ClickFix social engineering technique, with fake error prompts to convince users to manually run malicious commands through legitimate but compromised websites. That’s a departure from the operator’s previous use of initial access brokers (IABs) to grab stolen credentials. Instead, the group is shifting toward running its own campaigns directly, the researchers said.
They also found that the group is using a staged, stealthy Deno-based command-and-control (C2) loader built on a JavaScript/TypeScript runtime, which is similar to Node.js. The Deno loader executes payloads primarily in memory, the researchers noted.
“The key takeaway here is that both entry paths lead to the same repeatable post-exploitation sequence every time,” the analysis showed.
That’s good news for defenders, the researchers say, because it gives them “something concrete to work with: known behaviors you can detect and disrupt at each stage, well before ransomware deployment, regardless of how LeakNet got in.”
This operational consistency “makes the group’s behavior predictable—and if you recognize the sequence, you can disrupt it even when the entry point changes,” the report said. “Because the same tools and techniques show up across every incident, a handful of well-placed behavioral detections can cover the entire known attack surface.”
The evolution of LeakNet “underscores a broader, concerning shift toward sophisticated evasion techniques that co-opt legitimate infrastructure,” says Jason Soroko, senior fellow at Sectigo.
Organizations, Soroko says, “must recognize that LeakNet is bypassing traditional security perimeters by adopting a ‘bring your own runtime’ (BYOR) strategy.”
What is being seen “with LeakNet is an evolution of trends that have been building for several years, now combined into a more efficient and scalable model,” says Shane Barney, CISO at Keeper Security.
“The shift away from relying on initial access brokers toward generating access through techniques like ClickFix expands the potential victim pool and removes a traditional constraint on ransomware operations,” says Barney. “At the same time, the use of legitimate runtimes and in-memory execution reflects a continued move toward blending into normal system activity rather than introducing clearly malicious tools.”
The deployment of “a legitimate Deno executable to run a base-64 encoded payload which works in-memory, and coupling this with deceptive ‘ClickFix’ lures hosted on compromised but otherwise trusted websites” neutralizes standard file-based detection mechanisms, Soroko says.
“The insight from this analysis is not the novelty of the initial access vector, but how much the adversary stuck to their subsequent playbook—regardless of how the perimeter is breached, the attack funnels into the same post-exploitation sequence every time,” says Soroko.
Since LeakNet “is shortening the path from initial access to lateral movement by relying less on IABs and running its own ClickFix lures,” ReliaQuest recommends organizations take actions that focus on preventing initial access and lateral movement, such as:
Blocking newly registered domains: The C2 domains spun up for this campaign are usually only a few weeks old. Newly registered domains are rarely needed for business operations, so blocking them makes it materially harder for threat actors to stand up new infrastructure.
Blocking users from using Win-R: Regular non-technical users should not be able to run Win-R on their Windows workstations.
Preventing unauthorized users from running PsExec: Regular non-technical users should not be able to run PsExec. Create a Group Policy Object (GPO) to block its use and allow only authorized admins.
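The three recommendations above, together with the "handful of well-placed behavioral detections" the report describes, can be expressed as simple rules over process-creation telemetry. The following is an added example, not code from ReliaQuest or the article: it runs over constructed EDR-style events (field names, the Deno invocation form and the 21-day domain-age window are all assumptions) and tags a non-admin shell spawned from the Run dialog, a Deno process carrying an inline base64 payload, and PsExec run by a non-admin.

```python
import base64
import re
from datetime import date

B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

def looks_base64(token):
    """True for a long command-line token that decodes as base64 (inline payload hint)."""
    if not B64_RE.match(token):
        return False
    try:
        base64.b64decode(token, validate=True)
        return True
    except ValueError:
        return False

def classify(ev):
    """Tag one process-creation event; the field names are an assumed EDR-style shape."""
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    parent, tokens, tags = ev["parent"].lower(), ev["cmd"].split(), []
    if exe == "deno.exe" and any(looks_base64(t) for t in tokens):
        tags.append("deno_inline_b64_payload")
    # Commands typed into Win+R are children of explorer.exe; a non-admin
    # spawning a shell that way matches the ClickFix execution step.
    if exe in SHELLS and parent == "explorer.exe" and not ev["admin"]:
        tags.append("shell_from_run_dialog_non_admin")
    if exe in PSEXEC and not ev["admin"]:
        tags.append("psexec_by_non_admin")
    return tags

def is_newly_registered(registered_on, today, max_age_days=21):
    """Domain-age check on ISO dates; the 21-day window is an assumed threshold."""
    age = date.fromisoformat(today) - date.fromisoformat(registered_on)
    return age.days < max_age_days

# Constructed sample events (not real telemetry); the payload is a harmless string.
PAYLOAD = base64.b64encode(b"console.log('constructed sample payload');" * 3).decode()
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami", "parent": "explorer.exe", "user": "jdoe", "admin": False},
    {"image": r"C:\Users\jdoe\deno\deno.exe", "cmd": f"deno.exe eval {PAYLOAD}", "parent": "cmd.exe", "user": "jdoe", "admin": False},
    {"image": r"C:\Tools\PsExec.exe", "cmd": r"PsExec.exe \\HOST01 cmd", "parent": "cmd.exe", "user": "jdoe", "admin": False},
    {"image": r"C:\Tools\PsExec.exe", "cmd": r"PsExec.exe \\HOST01 cmd", "parent": "powershell.exe", "user": "it-admin", "admin": True},
]

def run_detections(events=EVENTS):
    """Return {event index: tags} for every event that matched at least one rule."""
    return {i: t for i, e in enumerate(events) if (t := classify(e))}
```

Only the three non-admin events fire; the same PsExec command run by an authorized admin is left alone, which is the access boundary the GPO recommendation draws.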
While none of the elements “are new on their own,” says Barney, “what stands out is the consistency. Regardless of how access is gained, the same post-compromise pattern appears, which gives defenders something concrete to detect and disrupt.”
He says that the findings reinforce the need for security teams “to operate from an assumption of breach and build controls that limit what an attacker can do once access is established.”
Prevention, in this context, he explains, “is about reducing freedom of movement. That means restricting access to administrative tools, enforcing least-privilege by default and ensuring elevated access is time-bound and tightly controlled. If an attacker can’t execute freely, move laterally or reach additional systems, the attack breaks down before it reaches impact.”
Barney recommends defenders prioritize “making sure access is appropriate, limited and consistently enforced,” noting that “when access is over-permissioned or broadly available, attackers inherit that same reach” but “when it’s constrained and controlled, their ability to progress is significantly reduced.”