LeakNet Ransomware: ClickFix Exploitation and Deno Loader Analysis
- [01] LeakNet ransomware is leveraging ClickFix social engineering to bypass technical defenses and gain initial access through manual user interaction.
- [02] The campaign targets users visiting compromised websites, utilizing malicious PowerShell commands to deploy sophisticated Deno-based in-memory loaders.
- [03] Organizations must restrict PowerShell execution, monitor for suspicious Deno runtime activity, and educate users regarding fake browser update prompts.
Analysis of the LeakNet Ransomware ClickFix Attack Vectors
The threat landscape is seeing a significant shift as the LeakNet ransomware operation moves away from traditional initial access vectors, such as credential harvesting or phishing emails, in favor of highly effective social engineering frameworks. According to The Hacker News, LeakNet is now actively utilizing the ClickFix tactic. This method involves compromising legitimate but vulnerable websites to host malicious overlays that mimic browser errors or system update prompts.
In a typical ClickFix scenario, a visitor to a compromised site is presented with a fake error message, often claiming that a browser extension or a system component failed to load. The user is then instructed to copy a specific command to their clipboard and run it via the Windows Power User menu (Win+X) or a PowerShell terminal. This approach is particularly dangerous because it bypasses many EDR solutions that focus on automated exploitation, as the malicious action is performed by a legitimate, authenticated user. These LeakNet ransomware ClickFix attack vectors exploit the human element, turning the end-user into an unwitting participant in the infection chain.
Technical Details of the Deno In-Memory Loader
Once the victim executes the malicious PowerShell command, the attack enters its second phase: the deployment of a Deno-based in-memory loader. Deno is a modern, secure-by-default runtime for JavaScript and TypeScript that uses the V8 engine and is built in Rust. By leveraging this legitimate tool, LeakNet actors achieve a high degree of stealth. Traditional security tools are often tuned to monitor Python, Node.js, or .NET environments, but the Deno runtime is less frequently audited in standard enterprise environments.
The use of a Deno in-memory loader allows the operation to evade signature-based detection. Because the payload resides primarily in the system’s volatile memory, it leaves a minimal footprint on the physical disk, complicating forensic analysis for the SOC. This loader is responsible for establishing a connection back to the C2 server, from which the final ransomware payload is delivered. Security professionals should prioritize Deno in-memory loader detection by monitoring for unexpected network connections originating from the Deno process or the presence of Deno binaries in non-standard user directories.
Detection and Remediation Strategies
Defending against this campaign requires a multi-layered approach that addresses both the social engineering aspect and the technical execution phase. Since no CVE is directly exploited in the initial phase, reliance on patching alone is insufficient. Organizations should focus on detecting the malicious PowerShell command execution via ClickFix by auditing command-line arguments that involve clip.exe or the execution of base64-encoded strings directly after user interaction with a web browser.
Recommended Mitigations:
- PowerShell Hardening: Implement Constrained Language Mode (CLM) where possible and ensure that PowerShell execution policies are strictly enforced to prevent the running of unverified scripts.
- User Awareness Training: Update security training modules to include examples of ClickFix overlays. Users should be instructed never to copy and paste commands from a browser window into a terminal.
- Endpoint Monitoring: Configure SIEM alerts for any instances of deno.exe being downloaded or executed in environments where it is not a standard development tool. Monitor for high-frequency IoC patterns associated with LeakNet C2 infrastructure.
- Web Filtering: Use advanced web filtering solutions to block known compromised domains and categorize sites that display suspicious overlay behavior as high-risk.
As LeakNet continues to refine its deployment methods, the combination of user-driven command execution and modern runtimes like Deno presents a persistent threat to corporate networks. Proactive monitoring of terminal activity remains the most effective technical defense against these evolving social engineering tactics.