LeakNet Ransomware Expands Tactics with ClickFix and Deno Loader

LeakNet Ransomware Expands Tactics with ClickFix and Deno Loader

First seen 18 Mar 2026, 12:12 UTC BleepingcomputerSecuritybrief.Co.NzGbhackersCybersecuritynewsSecuritybrief+2 88% similarity 69.5

Article Content

Browse articles
ThreatCluster

LeakNet, a ransomware group, has adopted new tactics involving ClickFix social engineering and a Deno-based fileless loader. This shift allows them to gain initial access through compromised websites, prompting users to execute malicious commands disguised as error fixes. The group has been active since late 2024 and typically averages three victims per month, but recent changes indicate a scaling up of operations. The ClickFix technique has been linked to 59% of top malware families in 2025, complicating detection efforts for defenders. The Deno loader executes malicious payloads in memory, leaving minimal forensic traces. This method utilizes legitimate developer tools to evade security measures, making it harder for organizations to detect and respond to the attacks. ReliaQuest has high confidence in linking these activities to LeakNet based on consistent infrastructure and tactics observed in recent incidents.

Key Points: • LeakNet employs ClickFix lures to trick users into executing malicious commands. • The group uses a Deno-based loader for stealthy, fileless attacks that minimize detection. • LeakNet's operations are expanding, with a notable increase in victim count and sophistication.

ThreatCluster AI

Timeline

2024-12-01
LeakNet begins operations as a ransomware group.
2025-01-01
LeakNet averages three victims per month.
2025-01-01
ClickFix technique adopted widely across ransomware groups.
2026-03-17
Bleepingcomputer reports on LeakNet's new tactics.
2026-03-18
Securitybrief articles publish findings on LeakNet's tactics.

Community

Browse all →