© 2026 CosmicBytez Labs. All rights reserved.

LeakNet Ransomware Weaponizes ClickFix and Deno Runtime for Stealthy Corporate Attacks

The LeakNet ransomware gang is using ClickFix social engineering for initial access and a Deno-based malware loader to execute fileless payloads from...

Dylan H.

News Desk

March 17, 2026
6 min read

LeakNet Ransomware Gang Adopts ClickFix and Deno to Bypass Enterprise Defenses

The LeakNet ransomware group has significantly upgraded its attack methodology, now combining the ClickFix social engineering technique for initial access with a novel Deno JavaScript runtime-based malware loader that executes payloads entirely in memory — bypassing traditional antivirus and EDR solutions. The campaign was documented by security researchers and reported by BleepingComputer on March 17, 2026.

LeakNet, active since November 2024, operates as a double-extortion ransomware group: it exfiltrates data before encrypting and threatens to publish the stolen files on its Tor-based leak site. The group has claimed approximately 3 victims per month across healthcare, finance, manufacturing, and education sectors, with documented victims across the United States, Canada, Taiwan, Pakistan, and Switzerland.

Incident Details

  • Threat Actor: LeakNet
  • Active Since: November 2024
  • Initial Access: ClickFix social engineering
  • Loader Technology: Deno JavaScript/TypeScript runtime
  • Evasion Technique: Fileless execution; steganographic JPEG payloads
  • Post-Exploitation: DLL sideloading, PsExec lateral movement, Kerberos ticket enumeration
  • C2 Infrastructure: Tor-based; unexpected S3 bucket exfiltration also observed
  • Operation Model: Double extortion (encrypt + exfiltrate + leak)
  • Targeted Sectors: Healthcare, Insurance, Manufacturing, Education, Finance, Energy, Logistics

How the Attack Works

Phase 1: ClickFix Initial Access

ClickFix is a social engineering technique in which victims are directed to attacker-controlled websites displaying fake browser error messages, CAPTCHA challenges, or technical problem prompts. The page instructs the user to copy-paste a command into the Windows Run dialog or PowerShell terminal to "fix" the displayed issue.

In LeakNet's variant, the ClickFix lure triggers execution of a command that downloads and installs the legitimate Deno runtime onto the victim machine. Because the user voluntarily executes the command themselves, browser-based security filters are bypassed.

Observable detection signal: browser processes spawning msiexec. Monitor for any instance where a browser (chrome.exe, msedge.exe, firefox.exe) invokes msiexec directly.

Phase 2: Deno-Based Fileless Loader

Rather than deploying a custom binary (which would be flagged by AV/EDR), LeakNet installs the legitimate, digitally signed Deno runtime and uses it as a living-off-the-land binary (LOLBin) to execute malicious JavaScript payloads.

Loader behavior:

  1. Deno decodes and executes a malicious JavaScript payload directly in memory, creating no on-disk artifacts
  2. The encrypted malware payload is concealed inside a JPEG image file using steganography
  3. The payload is decoded from the image and reflectively loaded into memory, bypassing file-scanning security tools
  4. Scripts used by the loader follow a naming convention: PowerShell files are named Romeo*.ps1 and VBScript files Juliet*.vbs
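
The report says the payload is hidden in a JPEG but not how it is embedded, so the following is an added triage check, not LeakNet's technique and not code from the original article. It walks the JPEG marker structure to locate the real end-of-image (EOI) marker and reports any bytes appended after it, one common way of hiding a blob in an image, together with the trailer's entropy, since an encrypted payload reads as high-entropy data. It will not catch pixel-level (LSB) embedding. The function names and the sample image bytes are constructed for this example; the parser is deliberately not a plain search for FF D9, because an EXIF thumbnail inside an APP1 segment carries its own EOI and would otherwise cause a false hit.

```python
import math
import struct
from collections import Counter

# Marker values from the JPEG spec (ITU T.81).
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01} | set(range(0xD0, 0xD8))   # TEM and RST0-RST7 carry no length field


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk the JPEG marker segments and return whatever follows the real EOI marker.

    Entropy-coded scan data is skipped correctly: inside it, 0xFF is always stuffed as
    FF00 or is an RSTn restart marker, so the first other marker ends the scan.
    Progressive files with several SOS segments are handled by the outer loop.
    """
    n = len(data)
    if n < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:      # fill bytes may precede a marker
            pos += 1
        if pos >= n:
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return data[pos:]
        if marker in STANDALONE:
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]   # length includes these 2 bytes
        if seg_len < 2 or pos + seg_len > n:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seg_len
        if marker == SOS:
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in STANDALONE and nxt not in (0x00, 0xFF):
                    break                          # a real marker ends the scan data
                pos += 1
    raise ValueError("no EOI marker found")


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Construct a minimal, structurally valid JPEG byte string for the demo (not a real image)."""
    thumb = b"\xff\xd8\xff\xd9"                           # embedded thumbnail with its own SOI/EOI
    app1_body = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"                 # one-component scan header
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"                 # stuffed FF00 and an RST0 marker inside
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9" + trailer


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; values near 8 indicate compressed or encrypted content."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts.values())


def triage_jpeg(data: bytes) -> dict:
    """Summarise whether a JPEG carries an appended blob and how random that blob looks."""
    trailer = jpeg_trailing_data(data)
    return {
        "trailing_bytes": len(trailer),
        "trailer_entropy": round(shannon_entropy(trailer), 2),
        "suspicious": len(trailer) > 0,
    }


if __name__ == "__main__":
    clean = build_sample_jpeg()
    stuffed = build_sample_jpeg(b"PAYLOAD")      # constructed stand-in for an appended blob
    print(triage_jpeg(clean))
    print(triage_jpeg(stuffed))
    # A naive search stops at the thumbnail's EOI and would misreport the clean file:
    print("naive find:", clean.find(b"\xff\xd9"), "real EOI at:", len(clean) - 2)
```

Run it over images found in the same staging directories as the loader (or attached to the ClickFix lure) and treat any non-zero trailer, especially a high-entropy one, as worth pulling into a sandbox; a clean JPEG returns an empty trailer.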

Phase 3: Post-Exploitation Chain

Once the Deno loader delivers the second-stage payload, LeakNet executes the following post-exploitation sequence:

  • Host Fingerprinting: Computer name, GUID, and public IP collected; unique victim ID generated
  • C2 Beaconing: Encrypted C2 communication over Tor; persistent polling loop established
  • DLL Sideloading: jli.dll loaded via a Java process staged in C:\ProgramData\USOShared
  • Credential Discovery: klist executed to enumerate Kerberos tickets for lateral movement
  • Lateral Movement: PsExec used to spread across the corporate network
  • Data Exfiltration: Data uploaded to actor-controlled Tor infrastructure; unexpected S3 outbound traffic also observed

Impact Assessment

  • Data Theft: Exfiltration of corporate data before encryption; published in batches (1% first as proof)
  • Encryption: File encryption follows exfiltration; double-extortion pressure applied
  • Detection Evasion: Fileless + steganographic loader significantly reduces AV/EDR detection rate
  • Lateral Spread: PsExec + Kerberos enumeration enables rapid domain-wide propagation
  • Sector Risk: Healthcare and financial sector victims face regulatory exposure from data leaks

Indicators of Compromise

Tor Infrastructure:

  • Primary data leak site: nleakk6sejx45jxtk7x6iyt65hwvfrkifc5v7ertdlwm3gttbpvlvxqd.onion
  • File server 1: ahic5qo3qbjgsyv7x2h5w7uh6nuh45km5srblj7i2amxt57xp4wud2qd.onion
  • File server 2: bnlluetsuf6pv7mchgue46h43v66uxtccpg3n5vcdzbeqften5cedlid.onion

Behavioral IOCs:

  • deno.exe executing outside known development environments
  • Browser processes spawning msiexec
  • jli.dll sideloaded via Java from C:\ProgramData\USOShared
  • klist execution in unusual process context
  • PsExec usage without matching change management records
  • Unexpected outbound connections to S3 buckets
  • PowerShell scripts matching Romeo*.ps1 / VBScript matching Juliet*.vbs

Detection and Response Recommendations

For Security Operations Teams

  1. Alert on Deno outside dev environments — deno.exe has no legitimate business use on corporate endpoints; any execution should trigger immediate investigation
  2. Monitor browser-to-msiexec process chains — this is a reliable ClickFix detection signal
  3. Hunt for jli.dll sideloading — specifically in C:\ProgramData\USOShared and other non-standard directories
  4. Alert on klist execution — Kerberos ticket enumeration outside normal IT admin workflows is a lateral movement precursor
  5. Baseline and alert on PsExec usage — any PsExec invocation without a correlated change record warrants immediate review
  6. Monitor S3 outbound traffic — unexpected data transfers to S3 endpoints are an exfiltration signal
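
The Phase 1 detection signal, the Behavioral IOCs list and the six SOC recommendations above all describe the same thing: rules over endpoint process, image-load and network telemetry. The following is an added example (not code from the article or from any vendor) that encodes those rules as functions and runs them over constructed Sysmon-style events. Every allowlist (approved Deno directory, Java install path, accounts expected to run klist, sanctioned S3 hosts) and the change_ticket field, assumed to be joined in from a CMDB, are assumptions for the example; the event field names are a simplified stand-in for real Sysmon Event ID 1, 7 and 3 records.

```python
import fnmatch
import ntpath
import re

# Environment-specific allowlists: assumptions for the example, tune them to your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DENO_APPROVED_DIRS = ("c:\\dev\\tools\\deno\\",)          # the only place deno.exe is sanctioned
JAVA_INSTALL_DIRS = ("c:\\program files\\java\\",)         # where jli.dll legitimately lives
KERBEROS_ADMIN_USERS = {"corp\\svc-ad-ops"}                # accounts expected to run klist
S3_ALLOWED_HOSTS = {"backups-prod.s3.us-east-1.amazonaws.com"}
S3_HOST_RE = re.compile(r"(?:^|\.)s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$")
SCRIPT_NAME_PATTERNS = ("romeo*.ps1", "juliet*.vbs")


def _base(path):
    return ntpath.basename(path or "").lower()


def _under(path, dirs):
    lowered = (path or "").lower()
    return any(lowered.startswith(d) for d in dirs)


def _basenames_in(command_line):
    # Split on whitespace/quotes and reduce each token to a lower-cased file name.
    return [_base(tok) for tok in re.findall(r"[^\s\"']+", command_line or "")]


# Each rule takes one normalised event dict and returns True when it fires.
def browser_spawns_msiexec(ev):
    return (ev["type"] == "process" and _base(ev.get("parent_image")) in BROWSERS
            and _base(ev["image"]) == "msiexec.exe")


def deno_outside_dev(ev):
    return (ev["type"] == "process" and _base(ev["image"]) == "deno.exe"
            and not _under(ev["image"], DENO_APPROVED_DIRS))


def jli_sideload(ev):
    return (ev["type"] == "imageload" and _base(ev["image_loaded"]) == "jli.dll"
            and not _under(ev["image_loaded"], JAVA_INSTALL_DIRS))


def klist_unusual_context(ev):
    return (ev["type"] == "process" and _base(ev["image"]) == "klist.exe"
            and ev.get("user", "").lower() not in KERBEROS_ADMIN_USERS)


def psexec_without_change(ev):
    return (ev["type"] == "process" and _base(ev["image"]) in {"psexec.exe", "psexec64.exe"}
            and not ev.get("change_ticket"))       # change_ticket: assumed CMDB enrichment


def romeo_juliet_scripts(ev):
    return ev["type"] == "process" and any(
        fnmatch.fnmatch(name, pat)
        for name in _basenames_in(ev.get("command_line")) for pat in SCRIPT_NAME_PATTERNS)


def unexpected_s3_egress(ev):
    host = ev.get("dest_host", "").lower()
    return ev["type"] == "network" and bool(S3_HOST_RE.search(host)) and host not in S3_ALLOWED_HOSTS


RULES = [browser_spawns_msiexec, deno_outside_dev, jli_sideload, klist_unusual_context,
         psexec_without_change, romeo_juliet_scripts, unexpected_s3_egress]


def evaluate(events):
    """Return [(rule_name, event_id), ...] for every rule that fires on every event."""
    return [(rule.__name__, ev["id"]) for ev in events for rule in RULES if rule(ev)]


# Constructed sample telemetry; the benign rows (3, 5, 10) must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "msiexec /i deno.msi /qn", "user": r"CORP\jdoe"},
    {"id": 2, "type": "process", "image": r"C:\Users\jdoe\AppData\Local\deno\deno.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "deno run loader.js", "user": r"CORP\jdoe"},
    {"id": 3, "type": "process", "image": r"C:\dev\tools\deno\deno.exe",
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "command_line": "deno test", "user": r"CORP\devuser"},
    {"id": 4, "type": "imageload", "image": r"C:\ProgramData\USOShared\java.exe",
     "image_loaded": r"C:\ProgramData\USOShared\jli.dll"},
    {"id": 5, "type": "imageload", "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "image_loaded": r"C:\Program Files\Java\jre\bin\jli.dll"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\klist.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "klist", "user": r"CORP\jdoe"},
    {"id": 7, "type": "process", "image": r"C:\Tools\PsExec64.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"PsExec64.exe \\FS01 cmd", "user": r"CORP\jdoe"},
    {"id": 8, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell -File C:\Users\jdoe\Romeo17.ps1", "user": r"CORP\jdoe"},
    {"id": 9, "type": "network", "image": r"C:\Users\jdoe\AppData\Local\deno\deno.exe",
     "dest_host": "drop-7f3a.s3.eu-central-1.amazonaws.com", "dest_port": 443},
    {"id": 10, "type": "network", "image": r"C:\Program Files\BackupAgent\agent.exe",
     "dest_host": "backups-prod.s3.us-east-1.amazonaws.com", "dest_port": 443},
]

if __name__ == "__main__":
    for name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {name}")
```

Each rule is a separate function so a SIEM engineer can port them one at a time; the allowlists are the part that decides the false-positive rate, so start them empty, let the rules fire, and add entries only for locations and accounts you have verified.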

For IT Administrators

  1. User awareness training — ClickFix relies entirely on users executing commands they paste from websites; train users to never run copy-pasted commands from browser prompts
  2. Application whitelisting — block Deno from executing on endpoints where it is not an approved application
  3. Script block logging — enable PowerShell ScriptBlock logging to capture Romeo*.ps1 execution
  4. Privileged access workstations — limit PsExec availability to dedicated admin workstations
  5. Network segmentation — limit east-west movement capabilities to contain post-compromise lateral spread

Key Takeaways

  1. LeakNet is a double-extortion ransomware group active since November 2024, now significantly increasing its technical sophistication with ClickFix + Deno-based fileless attacks
  2. ClickFix remains one of the most effective initial access techniques because it weaponizes user trust and bypasses browser-based security by having the victim execute the command themselves
  3. The use of the legitimate Deno runtime as a LOLBin combined with steganographic JPEG payloads represents a deliberate effort to evade both signature-based and behavioral detection
  4. deno.exe executing on a corporate endpoint should be treated as a high-confidence indicator of compromise unless explicitly authorized
  5. The group's Tor-based infrastructure and dual-exfiltration model (Tor + S3) make C2 blocking difficult without comprehensive egress filtering
  6. Organizations in healthcare, finance, and insurance face the highest risk given LeakNet's documented victim selection pattern and the regulatory implications of data exfiltration in these sectors

Sources

  • BleepingComputer: LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks
  • ThreatDown/Malwarebytes: CastleRAT: First attack to abuse Deno JavaScript runtime
  • WatchGuard: LeakNet Ransomware Tracker
  • RansomLook: LeakNet group profile