{
  "Event": {
    "analysis": "1",
    "date": "2026-03-17",
    "extends_uuid": "",
    "info": "[Threat Intel] Casting a Wider Net: Scaling Threat",
    "protected": false,
    "publish_timestamp": "1775231567",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775231567",
    "uuid": "ac62fbd4-3fd3-4dcf-94ed-a5d093d46cb8",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#256f6a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL - T1574.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7eb739",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Msiexec - T1218.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Drive-by Compromise - T1189\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"leaknet\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Copy and Paste - T1204.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889235",
        "to_ids": false,
        "type": "link",
        "uuid": "f7a72775-10de-4ddc-8861-d0f9d3cd0ed0",
        "value": "https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889235",
        "to_ids": false,
        "type": "text",
        "uuid": "34b4a600-db88-4b8f-a055-3773ed9beeac",
        "value": "LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation playbook remains consistent, involving jli.dll side-loading, PsExec-based lateral movement, and S3 bucket payload staging. The Deno loader executes base64-encoded payloads in memory, making detection challenging for traditional security tools. Defenders are advised to focus on behavioral signals and implement measures such as blocking newly registered domains, restricting access to the Windows Run dialog (Win+R), and limiting PsExec usage to authorized administrators."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889235",
        "to_ids": false,
        "type": "text",
        "uuid": "ba05c5df-edbc-4a6b-9257-263688ea1420",
        "value": "Name: Casting a Wider Net: Scaling Threat\nAuthor: AlienVault\nAdversary: LeakNet\nTags: [\"side-loading\", \"s3 bucket\", \"lateral movement\", \"clickfix\", \"deno\", \"social engineering\", \"in-memory execution\", \"ransomware\", \"psexec\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1059.007\", \"T1574.001\", \"T1218.007\", \"T1021.002\", \"T1102.002\", \"T1189\", \"T1071.001\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889235",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "02951402-ee58-4c40-83ac-6745ed698caa",
        "value": "LeakNet"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229550",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8e22e8cc-2828-4676-8355-b4217ab02aea",
        "value": "144.31.2.161",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229571",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d9491515-b6a8-42c3-98bf-6267d30a866b",
        "value": "144.31.224.98",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229592",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cbdc8ab3-0ee9-41d2-a292-3c5e746cb794",
        "value": "144.31.54.243",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229613",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "10047b09-141d-427f-a995-23d75205e0f8",
        "value": "194.31.223.42",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229634",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a3d845c6-985b-47f7-8884-9880b32c2f2d",
        "value": "87.121.79.25",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229656",
        "to_ids": true,
        "type": "domain",
        "uuid": "af97aa90-01f1-4dd8-8ce2-be678a14baca",
        "value": "apiclofront.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229677",
        "to_ids": true,
        "type": "domain",
        "uuid": "fd46afcc-c522-4582-a0b8-d940072e2268",
        "value": "cnoocim.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229698",
        "to_ids": true,
        "type": "domain",
        "uuid": "cfd5736a-af47-4408-a337-f832a5f87a89",
        "value": "crahdhduf.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229719",
        "to_ids": true,
        "type": "domain",
        "uuid": "4d2b95cf-4118-474a-bba0-1e786c45b681",
        "value": "delhedghogeggs.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229741",
        "to_ids": true,
        "type": "domain",
        "uuid": "5386e4e9-3bc0-4515-801e-1b7fca8bdec3",
        "value": "mshealthmetrics.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229764",
        "to_ids": true,
        "type": "domain",
        "uuid": "b5375ed3-6441-4749-847c-af9a3ada9108",
        "value": "neremedysoft.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229785",
        "to_ids": true,
        "type": "domain",
        "uuid": "b5e8b747-2923-4495-a00b-4d5f4d3c0d43",
        "value": "okobojirent.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229806",
        "to_ids": true,
        "type": "domain",
        "uuid": "14b59ce7-499c-4347-b3a2-cd399ff3666f",
        "value": "sendtokenscf.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229828",
        "to_ids": true,
        "type": "domain",
        "uuid": "c3346e31-6b98-43a2-b25e-badf18dcf17f",
        "value": "serialmenot.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229849",
        "to_ids": true,
        "type": "domain",
        "uuid": "46713476-5079-45f6-b033-ac13e094e453",
        "value": "verify-safeguard.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229871",
        "to_ids": true,
        "type": "domain",
        "uuid": "df29630c-24f1-4569-9336-3a4edc694b1f",
        "value": "windowallclean.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229893",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2628e822-7e6e-4779-9741-647217bb13bc",
        "value": "tools.usersway.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Clickfix Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229914",
        "to_ids": true,
        "type": "domain",
        "uuid": "2266a58a-0d72-40e3-ba9c-7a9affe4eadd",
        "value": "binclloudapp.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229935",
        "to_ids": true,
        "type": "domain",
        "uuid": "37b5bc62-43e3-4f05-9e38-80ffede826e8",
        "value": "ndibstersoft.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Deno C2 IP Address",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229956",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "90dce81d-f8ad-47e3-afdb-5db806f0e05d",
        "value": "87.121.79.6",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229978",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9c09195c-7199-4a78-8af0-3e2358faa00f",
        "value": "fastdlvrss.s3.us-east-1.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Malicious S3 Bucket",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775229999",
        "to_ids": true,
        "type": "hostname",
        "uuid": "92a817e2-7de2-4d04-a66d-6b8dd362316b",
        "value": "backupdailyawss.s3.us-east-1.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Deno C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230020",
        "to_ids": true,
        "type": "domain",
        "uuid": "74c00dd3-8e00-4e39-b8c9-522fb7b82860",
        "value": "weaplink.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}