LeakNet ransomware gang ClickFix and Deno in-memory loader activity
Malware Activity
Summary
Hide ▲
Show ▼
The LeakNet ransomware gang has adopted ClickFix initial access and a Deno-based loader that executes malicious code in memory, making intrusions harder to detect and investigate. The chain uses **Romeo*.ps1 and Juliet*.vbs scripts and can progress to DLL sideloading, PsExec lateral movement, and Amazon S3 abuse. LeakNet has been active since end of 2024 and averages around three victims per month**. The shift matters because a legitimate runtime can help the operation bypass blocklists and blend into normal developer activity.
Related Happenings
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
H score38
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
Warlock ransomware post-exploitation tooling upgrades
Malware ActivityAbout this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
LeakNet ClickFix compromised-website targeting campaign
Campaign
H score33
First: 17.03.2026 16:34
Last: 17.03.2026 16:34
Sources 1
How related:
The attacks are not confined to a specific industry vertical, instead casting a wide net to infect as many victims as possible.
About this happening:
The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...
LeakNet ClickFix compromised-website targeting campaign
CampaignHow related: The attacks are not confined to a specific industry vertical, instead casting a wide net to infect as many victims as possible.
About this happening: The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...
Hive0163 extortion and ransomware campaign using ClickFix and malvertising
Campaign
H score35
First: 12.03.2026 19:02
Last: 12.03.2026 19:02
Sources 1
About this happening:
Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...
Hive0163 extortion and ransomware campaign using ClickFix and malvertising
CampaignAbout this happening: Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...
SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment
Malware Activity
H score18
First: 05.03.2026 14:01
Last: 05.03.2026 14:01
Sources 1
About this happening:
A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...
SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment
Malware ActivityAbout this happening: A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...
Timeline
-
17.03.2026 14:09 2 articles · 3mo ago
LeakNet uses ClickFix and Deno loader
Initial DisclosureLeakNet ransomware is using ClickFix to gain initial access into corporate environments and a Deno-based loader to decode and execute malicious JavaScript in system memory. The observed chain relies on the legitimate signed Deno runtime to reduce disk artifacts and detection, can be initiated through Visual Basic Script and PowerShell files named Romeo*.ps1 and Juliet*.vbs, and may progress to DLL sideloading via jli.dll in C:\ProgramData\USOShared, klist credential discovery, PsExec lateral movement, C2 beaconing, and Amazon S3 abuse for staging and exfiltration.
Show sources
- LeakNet ransomware uses ClickFix and Deno runtime for stealthy attacks — www.bleepingcomputer.com — 17.03.2026 14:09
- LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader — thehackernews.com — 17.03.2026 16:34