LeakNet ransomware gang ClickFix and Deno in-memory loader activity
Malware Activity
Summary
The LeakNet ransomware gang has adopted ClickFix initial access and a Deno-based loader that executes malicious code in memory, making intrusions harder to detect and investigate. The chain uses Romeo*.ps1 and Juliet*.vbs scripts and can progress to DLL sideloading, PsExec lateral movement, and Amazon S3 abuse. LeakNet has been active since the end of 2024 and averages around three victims per month. The shift matters because a legitimate, signed runtime can help the operation bypass blocklists and blend into normal developer activity.
Related Happenings
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
LeakNet ClickFix compromised-website targeting campaign
Campaign
First: 17.03.2026 16:34
Last: 17.03.2026 16:34
Sources 1
How related:
The attacks are not confined to a specific industry vertical, instead casting a wide net to infect as many victims as possible.
About this happening:
The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...
Hive0163 extortion and ransomware campaign using ClickFix and malvertising
Campaign
First: 12.03.2026 19:02
Last: 12.03.2026 19:02
Sources 1
About this happening:
Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...
SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment
Malware Activity
First: 05.03.2026 14:01
Last: 05.03.2026 14:01
Sources 1
About this happening:
A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...
RESTLEAF malware stack using Zoho WorkDrive C2 and removable media
Malware Activity
First: 27.02.2026 14:43
Last: 27.02.2026 14:43
Sources 1
About this happening:
A **ScarCruft** malware stack built around **RESTLEAF** uses **Zoho WorkDrive** for C2 and **removable media** to reach **air-gapped systems**, expanding surveillance and exfiltra...
Latest development: 27.02.2026 21:21
APT37's Ruby Jumper campaign uses a malicious Windows shortcut file (LNK) and PowerShell to load RESTLEAF, then adds a Ruby-based loader, SNAKEDROPPER, plus THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to move data between internet-connected and air-gapped systems. The tooling relies on Zoho WorkDrive C2, installs a disguised Ruby 3.3.0 runtime as usbspeed.exe, modifies RubyGems operating_system.rb, and weaponizes removable drives to relay commands, stage files, exfiltrate data, and spread to new air-gapped machines.
Timeline
17.03.2026 14:09 · 2 articles
LeakNet uses ClickFix and Deno loader
Initial Disclosure: LeakNet ransomware is using ClickFix to gain initial access into corporate environments and a Deno-based loader to decode and execute malicious JavaScript in system memory. The observed chain relies on the legitimate signed Deno runtime to reduce disk artifacts and detection, can be initiated through Visual Basic Script and PowerShell files named Romeo*.ps1 and Juliet*.vbs, and may progress to DLL sideloading via jli.dll in C:\ProgramData\USOShared, klist credential discovery, PsExec lateral movement, C2 beaconing, and Amazon S3 abuse for staging and exfiltration.
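Added example (not code from the cited reports or from any vendor): a small Python triage rule set that flags the artifacts this entry names (Romeo*.ps1 / Juliet*.vbs script hosts, jli.dll loaded from C:\ProgramData\USOShared, klist and PsExec execution) in constructed process-creation and image-load events. The parent-process heuristics (deno.exe or klist.exe spawned by a script host or by Deno) are assumptions about how the chain would appear in endpoint telemetry, not details the write-ups state.

```python
import re

# Artifacts named in the LeakNet entry above; the parent-process rules below are assumptions.
SCRIPT_NAME_RE = re.compile(r"(?:^|[\\\s])(Romeo[^\\\s]*\.ps1|Juliet[^\\\s]*\.vbs)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SIDELOAD_DLL_RE = re.compile(r"^C:\\ProgramData\\USOShared\\jli\.dll$", re.IGNORECASE)

def basename(path):
    return (path or "").rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def check_event(ev):
    """Return the rule names a single event triggers (empty list if nothing matches)."""
    hits = []
    if ev["type"] == "process":
        image, parent, cmd = basename(ev["image"]), basename(ev.get("parent")), ev.get("cmdline", "")
        if image in SCRIPT_HOSTS and SCRIPT_NAME_RE.search(cmd):
            hits.append("leaknet_script_name")           # Romeo*.ps1 / Juliet*.vbs from the report
        if image == "deno.exe" and parent in SCRIPT_HOSTS:
            hits.append("deno_spawned_by_script_host")   # assumed tree: VBS/PS1 host -> Deno loader
        if image == "klist.exe" and parent in SCRIPT_HOSTS | {"deno.exe", "cmd.exe"}:
            hits.append("klist_credential_discovery")    # assumed parent set for klist discovery
        if image in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}:
            hits.append("psexec_lateral_movement")
    elif ev["type"] == "image_load" and SIDELOAD_DLL_RE.match(ev["image"]):
        hits.append("jli_dll_sideload_usoshared")        # sideloading path named in the report
    return hits

def scan(events):
    """Run every event through check_event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

# Constructed sample telemetry (Sysmon-style fields), not captured from a real incident.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\Romeo7.ps1",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Users\Public\deno.exe", "cmdline": "deno.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "image_load", "image": r"C:\ProgramData\USOShared\jli.dll"},
    {"type": "process", "image": r"C:\Windows\System32\klist.exe", "cmdline": "klist.exe",
     "parent": r"C:\Users\Public\deno.exe"},
    {"type": "process", "image": r"C:\Tools\PsExec.exe", "cmdline": "PsExec.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule fires independently, so a single chain produces several distinct hits that can be correlated by host and time window.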
- LeakNet ransomware uses ClickFix and Deno runtime for stealthy attacks — www.bleepingcomputer.com — 17.03.2026 14:09
- LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader — thehackernews.com — 17.03.2026 16:34