LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks

LeakNet operators are using the ClickFix social‑engineering technique to gain initial access and deploy a Deno-based loader that executes JavaScript/TypeScript payloads directly in memory. By running the legitimate, signed Deno runtime via VBS/PowerShell stagers, the attackers minimize disk artifacts and follow with DLL sideloading, PsExec lateral movement, C2 beaconing, and Amazon S3–based exfiltration. #LeakNet #Deno #ClickFix #ReliaQuest #AmazonS3

Key points

  • LeakNet uses ClickFix social engineering to trick users into executing malicious commands.
  • Attackers install and run the legitimate Deno runtime to decode and execute payloads directly in memory.
  • Initial execution is observed via PowerShell and VBS stagers named Romeo*.ps1 and Juliet*.vbs.
  • Post-exploitation includes DLL sideloading, credential discovery (klist), PsExec lateral movement, C2 beaconing, and exfiltration to Amazon S3.
  • Detection opportunities include spotting Deno outside dev contexts, suspicious msiexec executions launched from browsers, abnormal PsExec use, unexpected S3 traffic, and DLL sideloading in uncommon directories.
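
Two of the detection opportunities above (Deno outside dev contexts, and the Romeo*.ps1 / Juliet*.vbs stager names) applied to process-creation events, as an added example that is not from the original article. The event fields, host names, file paths, and the dev-host allowlist are constructed assumptions.

```python
import ntpath
from fnmatch import fnmatchcase

STAGER_PATTERNS = ("romeo*.ps1", "juliet*.vbs")  # names reported on this page
# Assumption: parents that are script hosts, not developer tooling.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
DEV_HOSTS = {"DEV-WS-01"}  # assumption: hypothetical allowlist of dev machines

def stager_names(command_line):
    """Return lower-cased script names that match the stager patterns."""
    names = (ntpath.basename(t).lower()
             for t in command_line.replace('"', " ").split())
    return [n for n in names if any(fnmatchcase(n, p) for p in STAGER_PATTERNS)]

def classify(event):
    """Return the findings for one process-creation event (dict)."""
    findings = []
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    if image == "deno.exe":
        if event["host"] not in DEV_HOSTS:
            findings.append("deno-outside-dev-host")
        if parent in SCRIPT_HOSTS:
            findings.append("deno-spawned-by-script-host")
    findings += ["stager-name:" + n for n in stager_names(event["command_line"])]
    return findings

def triage(events):
    """Return (index, findings) for every event with at least one finding."""
    results = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, f) for i, f in results if f]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FIN-PC-07", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\Public\Juliet_01.vbs"'},
    {"host": "FIN-PC-07", "image": r"C:\Users\Public\deno\deno.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"deno.exe run script.ts"},
    {"host": "DEV-WS-01", "image": r"C:\Users\dev\.deno\bin\deno.exe",
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "command_line": r"deno.exe test"},
    {"host": "FIN-PC-07", "image": r"C:\Windows\System32\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\Users\Public\Romeo7.ps1"},
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS):
        print(index, findings)
```

The developer workstation event produces no finding because both the host and the parent process fit a dev context; in practice the allowlist would come from asset inventory rather than a hard-coded set.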

Read More: https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clickfix-and-deno-runtime-for-stealthy-attacks/