
LeakNet ransomware uses ClickFix and Deno runtime for stealthier intrusions


What happened

Recent reporting says the LeakNet ransomware operation is using ClickFix lures to trick users into launching attacker commands, then dropping a loader built on the legitimate Deno runtime.

Researchers say this loader executes a base64 payload primarily in memory, reducing obvious disk artifacts and making detection harder when environments rely on basic file-based controls.

Why this matters

This is a practical blend of:

  • Social engineering (convincing someone to run commands)
  • Living-off-trusted-tools behavior (abusing signed, legitimate runtime software)
  • Ransomware tradecraft that can accelerate lateral movement

For defenders, this raises risk in organizations where user-driven scripting workflows are common.

What defenders should do now

  1. Harden against ClickFix-style prompts (user training + browser protections + endpoint controls).
  2. Alert on Deno execution outside approved developer paths.
  3. Restrict PowerShell/VBS abuse paths and monitor suspicious script chains.
  4. Limit PsExec/admin remote tooling to approved operators only.
  5. Track unusual outbound traffic and staged payload behavior after script execution.
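One way to implement item 2, shown as an added example that is not from the original article or from the researchers it cites. It filters process-creation events for `deno.exe` started outside an allowlist of directories and ranks launches by a script host (item 3) higher. The field names follow Sysmon process-creation events; the approved directories, host names and sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: the directories where Deno is an approved developer tool here.
APPROVED_DENO_DIRS = (r"c:\program files\deno", r"c:\dev\tools\deno")
# Script hosts from the hardening list above (PowerShell / VBS chains).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _norm(path):
    # Collapse "..", unify separators and case so path tricks do not bypass the check.
    return ntpath.normpath(path).lower()


def _approved(directory):
    # Compare whole path components: "deno-tmp" must not pass as "deno".
    return any(directory == d or directory.startswith(d + "\\") for d in APPROVED_DENO_DIRS)


def deno_alerts(events):
    """Return one alert per Deno launch from outside the approved directories."""
    alerts = []
    for ev in events:
        image = _norm(ev.get("Image", ""))
        # Name match only; a renamed copy would need a hash match instead.
        if ntpath.basename(image) != "deno.exe" or _approved(ntpath.dirname(image)):
            continue
        parent = ntpath.basename(_norm(ev.get("ParentImage", "")))
        # A script-host parent fits the lure-to-loader chain, so rank it higher.
        severity = "high" if parent in SCRIPT_HOSTS else "medium"
        alerts.append({"host": ev.get("Computer"), "image": image,
                       "parent": parent, "severity": severity})
    return alerts


# Constructed sample events (not taken from any real incident or report).
SAMPLE_EVENTS = [
    {"Computer": "dev-01", "Image": r"C:\Program Files\Deno\deno.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe"},
    {"Computer": "fin-07", "Image": r"C:\Users\alice\AppData\Local\Temp\deno.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "hr-03", "Image": r"C:\Program Files\Deno-tmp\deno.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "ops-02", "Image": r"C:\Program Files\Deno\..\..\Users\Public\deno.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

if __name__ == "__main__":
    for alert in deno_alerts(SAMPLE_EVENTS):
        print(alert)
```

The same logic translates directly into a SIEM rule: an image-name match, a negated path-prefix condition, and a severity bump on the parent process.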

How to check if you’re affected

Affected scope: organizations or users potentially exposed to the LeakNet ClickFix and Deno runtime intrusion activity described above should validate immediately.

Quick verification steps:

  1. Confirm your exposure surface
    • Identify whether your environment uses the affected product/service/version mentioned in this advisory.
  2. Check official advisories and indicators
    • Compare your deployed versions/configuration against vendor or authority guidance.
  3. Review logs for suspicious activity
    • Investigate authentication, admin, process, and network anomalies tied to this threat pattern.
  4. Validate mitigations are active
    • Apply patches/workarounds and re-check for failed exploit attempts or recurring indicators.

Bottom line

LeakNet’s ClickFix + Deno approach shows how attackers can combine human deception with legitimate runtime tooling to stay quieter longer. Treat this as an immediate detection-engineering and hardening priority.
