Find notable cyber news and cases, enriched with sources, timelines, and signals.

LeakNet ransomware gang ClickFix and Deno in-memory loader activity

Malware Activity
First reported
Last updated
Happening score
H score 23
2 unique sources, 2 articles

Summary

Hide ▲

The LeakNet ransomware gang has adopted ClickFix initial access and a Deno-based loader that executes malicious code in memory, making intrusions harder to detect and investigate. The chain uses **Romeo*.ps1 and Juliet*.vbs scripts and can progress to DLL sideloading, PsExec lateral movement, and Amazon S3 abuse. LeakNet has been active since end of 2024 and averages around three victims per month**. The shift matters because a legitimate runtime can help the operation bypass blocklists and blend into normal developer activity.

Related Happenings

OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading

Malware Activity
H score20 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
H score38 First: 17.03.2026 17:36 Last: 17.03.2026 17:36 Sources 1

About this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...

LeakNet ClickFix compromised-website targeting campaign

Campaign
H score33 First: 17.03.2026 16:34 Last: 17.03.2026 16:34 Sources 1

How related: The attacks are not confined to a specific industry vertical, instead casting a wide net to infect as many victims as possible.

About this happening: The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...

Hive0163 extortion and ransomware campaign using ClickFix and malvertising

Campaign
H score35 First: 12.03.2026 19:02 Last: 12.03.2026 19:02 Sources 1

About this happening: Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...

SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment

Malware Activity
H score18 First: 05.03.2026 14:01 Last: 05.03.2026 14:01 Sources 1

About this happening: A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...

Timeline

  1. 17.03.2026 14:09 2 articles · 3mo ago

    LeakNet uses ClickFix and Deno loader

    Initial Disclosure

    LeakNet ransomware is using ClickFix to gain initial access into corporate environments and a Deno-based loader to decode and execute malicious JavaScript in system memory. The observed chain relies on the legitimate signed Deno runtime to reduce disk artifacts and detection, can be initiated through Visual Basic Script and PowerShell files named Romeo*.ps1 and Juliet*.vbs, and may progress to DLL sideloading via jli.dll in C:\ProgramData\USOShared, klist credential discovery, PsExec lateral movement, C2 beaconing, and Amazon S3 abuse for staging and exfiltration.

    Show sources