{
  "name": "Casting a Wider Net: Scaling Threat",
  "slug": "casting-a-wider-net-scaling-threat",
  "description": "LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation playbook remains consistent, involving jli.dll side-loading, PsExec-based lateral movement, and S3 bucket payload staging. The Deno loader executes base64-encoded payloads in memory, making detection challenging for traditional security tools. Defenders are advised to focus on behavioral signals and implement measures such as blocking newly registered domains, restricting Win-R access, and limiting PsExec usage to authorized administrators.",
  "published": "2026-03-18T09:53:13+00:00",
  "created_at": "2026-03-18T09:53:13+00:00",
  "modified_at": "2026-03-18T10:20:02+00:00",
  "created_at_opencti": "2026-03-18T09:53:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-18",
    "clickfix",
    "deno",
    "in-memory execution",
    "lateral movement",
    "psexec",
    "ransomware",
    "s3 bucket",
    "side-loading",
    "social engineering"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "144.31.2.161"
      },
      {
        "id": "",
        "name": "144.31.224.98"
      },
      {
        "id": "",
        "name": "87.121.79.25"
      },
      {
        "id": "",
        "name": "194.31.223.42"
      },
      {
        "id": "",
        "name": "144.31.54.243"
      }
    ],
    "intrusion_sets": [
      {
        "id": "4d3b014d-6694-4fc9-9c06-dd3311fff48b",
        "name": "LeakNet",
        "slug": "leaknet"
      }
    ],
    "attack_patterns": [
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "840f859f-575f-487e-8083-6ffd01a13a84",
        "name": "T1218.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6",
        "name": "T1189"
      },
      {
        "id": "2fca0274-42fc-483e-a1e3-d9c4ba687d2d",
        "name": "T1574.001"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "neremedysoft.com"
      },
      {
        "id": "",
        "name": "delhedghogeggs.com"
      },
      {
        "id": "",
        "name": "cnoocim.com"
      },
      {
        "id": "",
        "name": "okobojirent.com"
      },
      {
        "id": "",
        "name": "apiclofront.com"
      },
      {
        "id": "",
        "name": "windowallclean.com"
      },
      {
        "id": "",
        "name": "mshealthmetrics.com"
      },
      {
        "id": "",
        "name": "verify-safeguard.top"
      },
      {
        "id": "",
        "name": "tools.usersway.net"
      },
      {
        "id": "",
        "name": "crahdhduf.com"
      },
      {
        "id": "",
        "name": "sendtokenscf.com"
      },
      {
        "id": "",
        "name": "serialmenot.com"
      }
    ]
  },
  "external_refs": [
    "https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat",
    "https://otx.alienvault.com/pulse/69ba8419321e1d3c9be7c4cc"
  ]
}