LeakNet Ransomware Deploys Deno In‑Memory Loader via ClickFix Social Engineering on Compromised Websites
What Happened — LeakNet ransomware has adopted the ClickFix technique, using compromised public‑facing websites to show visitors prompts that contain malicious commands. Victims are tricked into manually running the commands to “fix” a non‑existent error, after which a Deno‑based in‑memory loader executes the ransomware payload.
Why It Matters for TPRM —
- ClickFix gives ransomware operators initial access without relying on credential theft, expanding the initial‑access surface for ransomware.
- In‑memory execution using Deno evades many traditional file‑based endpoint detections.
- Any third‑party web asset (partner portals, SaaS front‑ends) can become a delivery vector, increasing supply‑chain risk.
Who Is Affected — All sectors with internet‑exposed applications, especially SaaS providers, MSP/MSSP customers, and organizations that host public web portals.
Recommended Actions — Review and harden web‑application security controls; implement continuous integrity monitoring of public sites; educate users to never execute ad‑hoc commands from browsers; deploy behavior‑based EDR capable of detecting in‑memory loaders; verify that third‑party web services are regularly scanned for compromise.
Technical Notes — Attack vector: compromised websites delivering ClickFix social‑engineering prompts; Loader: Deno runtime executing ransomware entirely in memory; No specific CVE referenced; Data encrypted on host, potential credential exfiltration. Source: https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html
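One way to approach the integrity monitoring recommended above, as an added example that is not taken from the source report: compare the script inventory of a page snapshot against a known-good baseline and report anything new. The function names, sample pages and the clipboard-write heuristic are assumptions made for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Heuristic (assumption, not from the brief): ClickFix lures commonly place
# the command on the clipboard, so a clipboard write in a new script is notable.
CLIPBOARD_WRITE = re.compile(r"clipboard\s*\.\s*writeText|execCommand\(\s*['\"]copy", re.I)

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = set(), [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(src)
            else:
                self._buf = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def fingerprint(html):
    """Return (set of external script URLs, {sha256: body} of inline scripts)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, {hashlib.sha256(b.encode()).hexdigest(): b for b in parser.inline if b}

def diff_against_baseline(baseline_html, current_html):
    """List scripts present in the current snapshot but absent from the baseline."""
    (base_ext, base_inl), (cur_ext, cur_inl) = fingerprint(baseline_html), fingerprint(current_html)
    findings = [{"type": "external", "value": url, "clipboard_write": None}  # body not fetched
                for url in sorted(cur_ext - base_ext)]
    for digest, body in cur_inl.items():
        if digest not in base_inl:
            findings.append({"type": "inline", "value": digest,
                             "clipboard_write": bool(CLIPBOARD_WRITE.search(body))})
    return findings

# Constructed snapshots: a clean portal page and the same page with two injected scripts.
BASELINE = '<html><head><script src="/static/app.js"></script></head><body><script>initPortal();</script></body></html>'
TAMPERED = BASELINE.replace("</body>", '<script src="https://cdn.example.invalid/v.js"></script>'
                            '<script>navigator.clipboard.writeText(PLACEHOLDER);</script></body>')
```

This only inspects the HTML that is served; a change inside an external script whose URL stays the same needs its own content hash or a Subresource Integrity check.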