LeakNet Ransomware Deploys Deno Runtime via ClickFix for In‑Memory Execution, Evading Detection
What Happened – LeakNet ransomware now leverages the ClickFix social‑engineering technique to trick users into launching the legitimate Deno JavaScript/TypeScript runtime. Deno is used as a “bring‑your‑own‑runtime” loader that decodes and runs malicious code directly in memory, leaving minimal on‑disk artifacts.
Why It Matters for TPRM –
- The use of a signed, trusted binary (Deno) bypasses many traditional blocklists, increasing the chance of a successful third‑party breach.
- In‑memory execution reduces forensic visibility, making incident response and post‑mortem analysis harder for client organizations.
- The attack chain includes credential discovery, lateral movement (PsExec) and data exfiltration to Amazon S3, exposing sensitive data across supply‑chain boundaries.
Who Is Affected – enterprises across technology, finance, healthcare, manufacturing, and professional services that allow developer tools (e.g., Deno) on employee workstations or servers.
Recommended Actions –
- Inventory and restrict the installation of non‑essential runtimes such as Deno on production endpoints.
- Enforce application allow‑list policies so that binaries, even signed ones, may execute only from approved directories.
- Deploy behavioral monitoring for abnormal Deno processes, PowerShell/VBS scripts with suspicious naming (e.g., Romeo.ps1, Juliet.vbs), and unexpected outbound traffic to cloud storage (S3).
- Conduct a review of third‑party risk for any vendors that supply development environments or CI/CD pipelines that might introduce Deno.
Technical Notes – Attack vector: ClickFix (phishing‑style prompt) → VBS/PowerShell → legitimate Deno runtime → in‑memory JavaScript payload. Post‑exploitation includes DLL sideloading (jli.dll), credential enumeration via klist, lateral movement with PsExec, and data exfiltration via abused Amazon S3 buckets. Source: BleepingComputer
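As an added illustration of the behavioral monitoring recommended above and the attack chain in the Technical Notes, the following detection logic (example code written for this summary, not from the BleepingComputer report or any vendor product) runs three rules over constructed Sysmon‑style telemetry: Deno launched by a script host, the named scripts on a command line, and a Deno process connecting to an Amazon S3 endpoint. The event field names (`type`, `image`, `parent_image`, `cmdline`, `dest_host`), the script‑host list and the sample events are assumptions made for the example.

```python
import json
import re

# Script hosts in the page's chain (ClickFix -> VBS/PowerShell -> Deno); assumed list, lower-case.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Script names called out in the advisory, matched case-insensitively on any command line.
KNOWN_SCRIPT_NAMES = re.compile(r"\b(romeo\.ps1|juliet\.vbs)\b", re.IGNORECASE)
# S3 endpoint shapes: bucket.s3.amazonaws.com, s3.<region>.amazonaws.com, s3.amazonaws.com
S3_ENDPOINT = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the names of the rules an event triggers (empty list if none)."""
    hits = []
    image = basename(event.get("image", ""))
    if event["type"] == "process_create":
        parent = basename(event.get("parent_image", ""))
        if image == "deno.exe" and parent in SCRIPT_HOSTS:
            hits.append("deno_spawned_by_script_host")
        if KNOWN_SCRIPT_NAMES.search(event.get("cmdline", "")):
            hits.append("leaknet_script_name")
    elif event["type"] == "network_connect":
        if image == "deno.exe" and S3_ENDPOINT.search(event.get("dest_host", "")):
            hits.append("deno_to_s3_endpoint")
    return hits

def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Apply classify() to JSON-lines telemetry; return (line_no, hits) for flagged lines only."""
    flagged = []
    for n, line in enumerate(lines, 1):
        hits = classify(json.loads(line))
        if hits:
            flagged.append((n, hits))
    return flagged

# Constructed sample telemetry (not real IoCs): a developer's normal Deno use, then the chain.
SAMPLE_EVENTS = [
    r'{"type":"process_create","image":"C:\\Users\\dev\\.deno\\bin\\deno.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"deno run --allow-net main.ts"}',
    r'{"type":"process_create","image":"C:\\Windows\\System32\\wscript.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"wscript.exe C:\\Users\\dev\\Downloads\\Juliet.vbs"}',
    r'{"type":"process_create","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\wscript.exe","cmdline":"powershell.exe -File Romeo.ps1"}',
    r'{"type":"process_create","image":"C:\\Users\\dev\\AppData\\Local\\Temp\\deno.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"deno.exe run -A [redacted]"}',
    r'{"type":"network_connect","image":"C:\\Users\\dev\\AppData\\Local\\Temp\\deno.exe","dest_host":"example-bucket.s3.amazonaws.com","dest_port":443}',
    r'{"type":"network_connect","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_host":"docs.aws.amazon.com","dest_port":443}',
]
```

Calling `scan(SAMPLE_EVENTS)` flags sample lines 2 to 5 with their rule names, while the ordinary developer Deno run (line 1) and browser traffic (line 6) produce nothing; the script‑name rule is the brittle one, since an attacker can rename files, so the parent‑process and S3 rules carry the durable signal.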