LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader

LeakNet has shifted from buying access to using the ClickFix social engineering tactic on compromised legitimate websites, tricking users into running commands that invoke binaries such as msiexec.exe to gain initial access. The operation also uses a Deno-based in-memory loader and a consistent post-exploitation chain (DLL side-loading, PsExec lateral movement, S3 exfiltration, and encryption), which gives defenders detectable behaviors to target.

Key points

  • LeakNet now uses ClickFix delivered via compromised legitimate sites to socially engineer users into running malicious commands.
  • Attackers use a Deno JavaScript runtime loader to execute Base64-encoded payloads directly in memory, reducing on-disk evidence.
  • The post-compromise sequence is repeatable: DLL side-loading, lateral movement with PsExec, data exfiltration to S3 buckets, and encryption.
  • Moving away from initial access brokers lowers costs and increases operational scale while avoiding obvious network indicators from attacker-owned infrastructure.
  • Similar Deno-based loaders delivered via Microsoft Teams phishing suggest the bring-your-own-runtime (BYOR) approach is spreading or being adopted by other threat actors.
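
Because the post-compromise sequence is repeatable, correlating its stages per host is more reliable than alerting on any single one. The following is an added detection sketch, not code from the article or from any vendor: the event field names, the sample events, and the heuristics (msiexec.exe spawned by explorer.exe with a URL argument, any deno.exe process, PsExec binaries, S3-style destination hostnames) are assumptions to adapt to your own telemetry. DLL side-loading is left out because it needs image-load data.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article); field names are assumptions.
EVENTS = [
    {"t": 1, "host": "ws-01", "image": "msiexec.exe", "parent": "explorer.exe",
     "cmd": "msiexec.exe /i https://example.invalid/update.msi /qn", "dest": ""},
    {"t": 2, "host": "ws-01", "image": "deno.exe", "parent": "msiexec.exe",
     "cmd": "deno.exe run loader.js", "dest": ""},
    {"t": 3, "host": "ws-01", "image": "PsExec.exe", "parent": "cmd.exe",
     "cmd": "psexec.exe \\\\srv-02 cmd", "dest": ""},
    {"t": 4, "host": "ws-01", "image": "", "parent": "", "cmd": "",
     "dest": "bucket-example.s3.us-east-1.amazonaws.com"},
    {"t": 5, "host": "srv-02", "image": "PSEXESVC.exe", "parent": "services.exe",
     "cmd": "PSEXESVC.exe", "dest": ""},
    {"t": 6, "host": "ws-09", "image": "msiexec.exe", "parent": "services.exe",
     "cmd": "msiexec.exe /i C:\\deploy\\agent.msi", "dest": ""},
    {"t": 7, "host": "ws-09", "image": "", "parent": "", "cmd": "",
     "dest": "backups.s3.eu-west-1.amazonaws.com"},
]

S3_HOST = re.compile(r"(^|\.)s3[.-]([a-z0-9-]+\.)?amazonaws\.com$")
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

def classify(ev):
    """Map one event to a chain stage named in the article, or None."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    # A pasted Run-dialog command starts as a child of explorer.exe (assumed heuristic).
    if (image == "msiexec.exe" and parent == "explorer.exe"
            and re.search(r"https?://", ev.get("cmd", "").lower())):
        return "clickfix_msiexec"
    if image == "deno.exe":
        return "deno_runtime"
    if image in PSEXEC:
        return "psexec"
    if S3_HOST.search(ev.get("dest", "").lower()):
        return "s3_egress"
    return None

def stages_by_host(events):
    """Distinct stages seen on each host, in first-seen order."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        stage = classify(ev)
        if stage and stage not in seen[ev["host"]]:
            seen[ev["host"]].append(stage)
    return dict(seen)

def alerts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain."""
    return {h: s for h, s in stages_by_host(events).items() if len(s) >= min_stages}
```

On the sample data only `ws-01` is flagged; `ws-09` shows S3 traffic alone and `srv-02` shows only the PsExec service, which are left for lower-priority review.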

Read More: https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html