LeakNet ClickFix compromised-website targeting campaign
Campaign
Summary
The LeakNet ransomware operation has shifted to ClickFix delivery through compromised websites, broadening its initial access playbook and making compromise harder to spot. Victims are steered into fake CAPTCHA checks and told to run msiexec.exe from the Windows Run dialog, turning a routine action into code execution. The operation also uses a Deno-based in-memory loader and a repeatable post-exploitation sequence that can lead to PsExec movement, S3 staging and exfiltration, and encryption.
Related Happenings
ClickFix attacks with PySoxy scheduled-task persistence
Malware Activity
First: 12.05.2026 15:00
Last: 12.05.2026 15:00
Sources 1
About this happening:
Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...
LeakNet ransomware gang ClickFix and Deno in-memory loader activity
Malware Activity
First: 17.03.2026 14:09
Last: 17.03.2026 14:09
Sources 1
How related:
The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic delivered through compromised websites as an initial access method.
About this happening:
The **LeakNet ransomware gang** has adopted **ClickFix** initial access and a **Deno-based loader** that executes malicious code in memory, making intrusions harder to detect and...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
ClickFix DNS-based nslookup staging campaign
Campaign
First: 15.02.2026 16:10
Last: 15.02.2026 16:10
Sources 1
About this happening:
The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
Timeline
- 17.03.2026 16:34 · 2 articles
LeakNet adopts ClickFix through compromised websites and a Deno loader
Initial Disclosure
LeakNet is described as using ClickFix social engineering delivered through compromised websites, fake CAPTCHA checks, and a `msiexec.exe` command in the Windows Run dialog to gain initial access, then a staged Deno JavaScript runtime loader to execute Base64-encoded JavaScript in memory. The post-compromise sequence is said to continue through DLL side-loading, PsExec lateral movement, S3 buckets for staging and exfiltration, and encryption.
- LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader — thehackernews.com — 17.03.2026 16:34
- LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader — thehackernews.com — 17.03.2026 16:34