thehackernews.com 3/17/2026, 3:13:11 PM

LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader

LeakNet, the ransomware operation, has adopted the ClickFix social engineering tactic delivered through compromised websites as its initial access method, rather than relying on stolen credentials from initial access brokers (IABs). The campaign uses a staged command-and-control loader built on the Deno JavaScript runtime to execute payloads directly in memory, enabling post-exploitation activities with reduced on-disk evidence.

LeakNet first appeared in November 2024, and ReliaQuest notes that its moves include DLL side-loading to launch a malicious DLL via the loader, followed by lateral movement using PsExec, data exfiltration and encryption. The attackers also run cmd[.]exe /c klist to identify accounts and services that are already reachable, which makes their movement faster and more precise.

In these operations, legitimate-but-compromised sites are used to serve fake CAPTCHA checks that instruct users to copy and paste an “msiexec[.]exe” command into the Windows Run dialog, a method designed to evade straightforward network signals by exploiting trusted workflows. According to ReliaQuest, the campaign marks a strategic shift away from relying on IABs by leveraging ClickFix delivered through compromised websites.
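A defender can hunt for the chain described above by correlating process-creation telemetry per host. The following is an added example, not code from the article or from ReliaQuest. The event fields, sample events and label names are constructed, and it assumes the pasted msiexec command references a remote URL and that the Deno binary keeps its default name deno.exe.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style fields); not from the article.
EVENTS = [
    {"ts": "2026-03-17T09:00:05", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec.exe /i https://cdn.example.invalid/verify.msi /qn"},
    {"ts": "2026-03-17T09:03:40", "host": "WS01", "parent": r"C:\Users\a\AppData\Local\Temp\deno.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c klist"},
    {"ts": "2026-03-17T10:15:00", "host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\klist.exe", "cmd": "klist"},
    {"ts": "2026-03-17T11:00:00", "host": "WS03", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe /V"},
]

def base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def signals(ev):
    """Return the set of behaviour labels one event matches."""
    out = set()
    img, parent, cmd = base(ev["image"]), base(ev["parent"]), ev["cmd"].lower()
    # Run-dialog launches are children of explorer.exe; the remote URL argument is an assumption.
    if img == "msiexec.exe" and parent == "explorer.exe" and re.search(r"https?://", cmd):
        out.add("clickfix_msiexec")
    if img == "cmd.exe" and re.search(r"/c\s+klist\b", cmd):
        out.add("klist_recon")
    if "deno.exe" in (img, parent):  # assumes the runtime binary is not renamed
        out.add("deno_runtime")
    return out

def triage(events, window=timedelta(minutes=30)):
    """Map host -> sorted follow-on signals seen within `window` of a ClickFix-style msiexec."""
    hits, start = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host, sig = datetime.fromisoformat(ev["ts"]), ev["host"], signals(ev)
        if "clickfix_msiexec" in sig:
            start[host] = ts
            hits.setdefault(host, set())
        elif sig and host in start and ts - start[host] <= window:
            hits[host] |= sig
    return {h: sorted(s) for h, s in hits.items()}

if __name__ == "__main__":
    print(triage(EVENTS))
```

An administrator running klist interactively (WS02) and a service-launched msiexec (WS03) are not flagged; only the host where the explorer.exe-parented msiexec is followed by the other behaviours is returned.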

Article by CyberSIXT