Trending Topics
LeakNet Expands Initial Access with ClickFix and Fileless Deno Loader
LeakNet ransomware operations are evolving toward greater independence, scalability, and stealth, marked by the adoption of ClickFix social engineering and a novel Deno-based loader. Rather than relying solely on initial access brokers, LeakNet is now generating its own entry points by embedding ClickFix lures into compromised legitimate websites, prompting users to execute malicious commands. This shift removes the need for third-party access, broadens the victim pool, and aligns with a broader trend in which opportunistic, high-volume delivery replaces targeted intrusion. Once executed, the attack transitions into a “bring your own runtime” (BYOR) model, leveraging the legitimate Deno runtime to execute base64-encoded JavaScript payloads entirely in memory. This fileless execution significantly reduces forensic artifacts and bypasses traditional signature-based defenses, as the activity appears consistent with benign developer tooling. The loader fingerprints the host, generates a unique identifier, and establishes a persistent C2 polling loop, enabling dynamic payload delivery while maintaining a low detection profile.
Despite evolving initial access methods, LeakNet maintains a highly consistent post-exploitation playbook, which becomes the primary detection opportunity for defenders. Across observed incidents, the group reliably employs DLL sideloading via jli[.]dll, uses klist for credential discovery, and performs lateral movement via PsExec before staging payloads and exfiltrating data via Amazon S3. This reliance on legitimate tools and infrastructure allows activity to blend into normal enterprise operations while accelerating the path from initial access to ransomware deployment. The combination of fileless execution, LOLBins, and cloud-based staging reflects a broader industry shift toward behavioral evasion and living-off-the-land techniques.
However, LeakNet’s operational consistency also creates a structural weakness: defenders can disrupt the attack chain by focusing on behavioral anomalies such as Deno execution outside development environments, suspicious msiexec invocation from browsers, abnormal PsExec usage, and unexpected outbound connections to S3. Organizations should prioritize behavioral detection and control abuse of legitimate tools by restricting msiexec execution from user contexts, limiting Deno and scripting runtimes to approved environments, enforcing least-privilege access to PsExec, monitoring for anomalous DLL sideloading (e.g., jli.dll in non-standard directories), and blocking or alerting on unexpected outbound connections to cloud storage services like S3.
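The behavioral rules listed above, as an added example that is not part of the original report: a small detector run over constructed process and network events. Field names (`host`, `image`, `parent`, `loaded`, `dest`, `s3_approved`) and the developer-host and S3 allowlists are assumptions modelled loosely on endpoint telemetry and must be tuned to your environment.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DEV_HOSTS = {"dev-ws-01"}   # hosts where a Deno runtime is expected (assumed allowlist)
# A legitimate jli.dll lives in a JRE/JDK bin directory; anywhere else suggests sideloading.
JLI_OK = re.compile(r"\\(jre|jdk)[^\\]*\\bin\\jli\.dll$", re.IGNORECASE)
S3_HOST = re.compile(r"(^|\.)s3[.-].*amazonaws\.com$")

def detect(ev):
    """Return the names of the behavioural rules that fire for one event dict."""
    hits = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if image.endswith("deno.exe") and ev.get("host") not in DEV_HOSTS:
        hits.append("deno_outside_dev")
    if image.endswith("msiexec.exe") and parent in BROWSERS:
        hits.append("msiexec_from_browser")
    if image.endswith("psexec.exe") or image.endswith("psexesvc.exe"):
        hits.append("psexec_use")
    for dll in ev.get("loaded", []):
        if dll.lower().endswith("jli.dll") and not JLI_OK.search(dll):
            hits.append("jli_sideload")
    dest = ev.get("dest", "").lower()
    if S3_HOST.search(dest) and not ev.get("s3_approved", False):
        hits.append("unexpected_s3")
    return hits

# Constructed sample telemetry (hosts, paths and values are made up, not from any incident).
EVENTS = [
    {"host": "hr-pc-07", "image": r"C:\Users\alice\AppData\Local\deno\deno.exe",
     "parent": "powershell.exe"},
    {"host": "hr-pc-07", "image": r"C:\Windows\System32\msiexec.exe", "parent": "chrome.exe"},
    {"host": "hr-pc-07", "image": r"C:\Users\Public\javaw.exe", "parent": "cmd.exe",
     "loaded": [r"C:\Users\Public\jli.dll"]},
    {"host": "dev-ws-01", "image": r"C:\tools\deno.exe", "parent": "code.exe"},
    {"host": "app-01", "image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "loaded": [r"C:\Program Files\Java\jdk-17\bin\jli.dll"]},
    {"host": "fs-01", "image": r"C:\temp\PsExec.exe", "parent": "cmd.exe",
     "dest": "bucket-name.s3.us-east-1.amazonaws.com"},
]

def scan(events):
    """Map event index -> triggered rules, keeping only events that fired something."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}
```

Events 3 and 4 are the benign controls: Deno on an approved developer host and jli.dll loaded from a JDK bin directory produce no alert.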
Konni APT Expands Spear-Phishing into KakaoTalk-Based Lateral Propagation
The Konni APT group continues to evolve its intrusion operations by combining targeted spear-phishing with multi-stage malware delivery and long-term persistence. Initial access is achieved through highly tailored phishing emails themed around North Korean human rights topics, designed to align with the victim’s interests and increase execution likelihood. The attack chain begins when a victim opens a ZIP archive containing a malicious LNK file disguised as a document, which triggers PowerShell execution via cmd[.]exe, decodes embedded payloads using simple XOR obfuscation, and drops additional components from attacker-controlled infrastructure. The infection then deploys AutoIt-based remote access malware such as EndRAT, enabling full system compromise, including file management, remote shell access, and data exfiltration. The malware establishes persistence through scheduled tasks and Startup entries, deletes initial artifacts to reduce forensic visibility, and continues to pull additional payloads over time, demonstrating a modular deployment model that includes multiple RAT families for redundancy and operational flexibility.
A defining characteristic of this campaign is its transition from initial compromise to trust-based lateral propagation through abuse of the KakaoTalk desktop application. After gaining unauthorized access to the victim’s active messaging session, the threat actor selectively distributes malicious files to contacts in the victim’s friend list, using North Korea-themed lure content. This approach effectively turns compromised users into intermediaries, allowing the campaign to bypass traditional perimeter defenses and spread through trusted communication channels. Additional malware, such as RftRAT and RemcosRAT, is deployed to maintain persistent access and expand surveillance capabilities, while C2 infrastructure distributed across multiple regions supports resilience and evasion.
Overall, the campaign reflects a broader trend toward combining social engineering, modular malware frameworks, and account-based propagation to sustain long-term espionage operations and amplify reach beyond the initially targeted victim set. Organizations should mitigate Konni-style intrusions by enforcing strict email and attachment controls (blocking LNK/ZIP payloads and sandboxing suspicious files), disabling or restricting PowerShell and script execution for standard users, monitoring for anomalous scheduled task creation and AutoIt execution, and implementing account/session protections on messaging platforms like KakaoTalk (including session reauthentication and anomaly detection) to prevent trust-based lateral propagation.
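The attachment control recommended above (blocking LNK payloads delivered inside ZIP archives), as an added example that is not part of the original report. It identifies shortcut files by their fixed Shell Link header rather than by name alone, so a shortcut renamed to look like a document is still caught, and it recurses into nested archives. The sample archives, the nesting limit and the entry-size limit are constructed assumptions.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
MAX_NESTING = 2          # how far to look into ZIP-inside-ZIP (assumed policy value)
MAX_ENTRY = 20_000_000   # skip entries larger than this to avoid decompression bombs

def is_lnk(data):
    """True when the bytes carry the fixed Shell Link header, whatever the file is named."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC

def find_lnk_entries(zip_bytes, depth=0):
    """Names of LNK entries in an archive, recursing into nested ZIPs as 'outer!inner'."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY:
                continue
            data = zf.read(info)
            if is_lnk(data) or info.filename.lower().endswith(".lnk"):
                found.append(info.filename)
            elif data[:4] == b"PK\x03\x04" and depth < MAX_NESTING:
                found += [f"{info.filename}!{n}" for n in find_lnk_entries(data, depth + 1)]
    return found

def should_quarantine(zip_bytes):
    """Gate decision for a mail or sandbox pipeline: any LNK entry blocks the attachment."""
    return bool(find_lnk_entries(zip_bytes))

def _zip_of(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample():
    """Constructed lure archive (not a real sample): a shortcut posing as a document,
    a benign text file, and a shortcut whose .lnk extension was stripped."""
    stub = LNK_MAGIC + b"\x00" * 56   # header stub only; not a functional shortcut
    return _zip_of([("NK_human_rights_report.docx.lnk", stub),
                    ("notes.txt", b"benign text"),
                    ("renamed.pdf", stub)])

def build_nested_sample():
    """The same lure wrapped one level deeper, to exercise the recursion."""
    return _zip_of([("attachment.zip", build_sample()), ("cover_letter.txt", b"hello")])
```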
Update: Glassworm Supply Chain Attack Backdoors Popular React Native npm Packages
A newly identified supply chain attack linked to the Glassworm campaign compromised two widely used React Native npm packages, turning routine software installs into a multi-stage malware delivery mechanism. Malicious versions of react-native-country-select@0.3.9 and react-native-international-phone-number@0.11.7 were published within minutes of each other on March 16, 2026, both embedding an identical obfuscated installer triggered via a preinstall hook. This allowed the attack to execute automatically during a standard npm install, exposing developer workstations, CI/CD pipelines, and build agents without requiring user interaction beyond dependency installation. The injected loader retrieved a second-stage payload using a Solana-based indirection technique, where transaction metadata was queried to recover a base64-encoded payload location. The campaign also included environmental checks to exclude Russian-language systems, a pattern commonly associated with financially motivated threat actors seeking to avoid local law enforcement scrutiny. The coordination, timing, and identical payloads strongly indicate a deliberate compromise of the package publisher rather than accidental dependency poisoning.
Once executed, the infection chain escalates into a full credential and cryptocurrency theft operation targeting Windows systems. The final-stage payload establishes persistence via scheduled tasks and registry Run keys, deploys its own Node.js runtime to ensure execution across environments, and systematically harvests sensitive data from browser profiles and local storage. This includes extracting credentials, session data, and wallet artifacts from platforms such as MetaMask, Exodus, Atomic, Guarda, Coinomi, Trust Wallet, and others, as well as npm authentication tokens and GitHub credentials via local credential helpers.
The malware uses layered delivery techniques, including AES-encrypted payloads, Google Calendar–based indirection, and staged HTTP retrievals, allowing operators to dynamically update payload delivery without modifying the original packages. Exfiltrated data is sent to attacker-controlled infrastructure, completing a stealthy, install-time compromise chain. This campaign reinforces a broader trend in software supply chain attacks, in which trusted ecosystems like npm are leveraged to gain initial access and scale credential theft across developer environments. Organizations should enforce strict dependency validation and allowlisting, block install-time script execution where possible, monitor for unexpected preinstall hooks and outbound network calls during builds, and isolate CI/CD environments to prevent credential exposure from compromised packages.
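The install-hook monitoring and dependency validation recommended above, as an added example that is not part of the original report: an audit over a package-lock.json and a package.json that flags install-time lifecycle scripts not on an allowlist and flags the two compromised versions named above. The sample lockfile, manifest and the `example-native-addon` allowlist entry are constructed; lockfile version 2/3 records only a `hasInstallScript` flag, so the actual script text is taken from the installed package's own package.json.

```python
import json

# Lifecycle hooks npm runs automatically at install time; preinstall was the one abused here.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Compromised versions named in the report above; extend from your own intel feed.
KNOWN_BAD = {
    "react-native-country-select": {"0.3.9"},
    "react-native-international-phone-number": {"0.11.7"},
}

def install_hooks(manifest):
    """Install-time scripts declared in one package.json dict (what npm would execute)."""
    scripts = manifest.get("scripts", {})
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}

def audit_lockfile(lock, allowed_scripts=frozenset()):
    """Audit a package-lock.json (lockfileVersion 2/3) dict. Returns (name, version, reason)
    tuples for packages that declare install scripts without being allowlisted and for
    versions on the known-bad list."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "")
        if entry.get("hasInstallScript") and name not in allowed_scripts:
            findings.append((name, version, "install_script"))
        if version in KNOWN_BAD.get(name, ()):
            findings.append((name, version, "known_bad_version"))
    return findings

# Constructed sample inputs (not the real package contents).
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/react-native-country-select": {"version": "0.3.9", "hasInstallScript": true},
    "node_modules/react-native-international-phone-number": {"version": "0.11.7", "hasInstallScript": true},
    "node_modules/example-native-addon": {"version": "2.0.0", "hasInstallScript": true},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}""")
SAMPLE_MANIFEST = {"name": "react-native-country-select", "version": "0.3.9",
                   "scripts": {"preinstall": "node ./setup.js", "test": "jest"}}
```

Running `npm ci --ignore-scripts` in CI keeps these hooks from executing at all; the audit then tells you which packages would have run something, so exceptions can be reviewed before they are allowlisted.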