Malik Haidar stands at the front lines of corporate defense, bringing years of experience in dismantling the strategies used by high-level threat actors to infiltrate multinational networks. With a background that merges deep technical intelligence with business-centric security strategy, he has a unique ability to translate complex exploitation chains into actionable defense frameworks. Today, he joins us to discuss the evolving tactics of groups like LeakNet, focusing on their shift toward social engineering, in-memory execution, and the exploitation of trusted cloud environments.
Our discussion covers the rise of ClickFix social engineering and its impact on traditional network filtering, the technical sophistication of Deno-based loaders that bypass disk scans, and the strategic shift away from initial access brokers toward compromising legitimate websites. Finally, Malik provides insights into the operational speed of modern attackers and the changing landscape of ransomware targeting.
Threat actors are now using fake CAPTCHA prompts to trick users into running system commands manually. How does this method circumvent standard email filters, and what specific technical controls or training can prevent employees from pasting malicious strings into the Windows Run dialog?
The ClickFix tactic is particularly insidious because it completely sidesteps the traditional perimeter where email filters and secure web gateways operate. Since the “malicious” content isn’t a file attachment or a direct link to a virus, but rather a set of instructions for the human user, there is no signature for a filter to catch. The user is on a legitimate, albeit compromised, website and manually types a command like “msiexec.exe” into their own Windows Run dialog, which the operating system trusts implicitly. To counter this, organizations must implement technical restrictions on the use of administrative tools by non-privileged users and use Attack Surface Reduction rules to block the execution of suspicious scripts. Training needs to evolve beyond “don’t click links” to a more nuanced understanding of why a website would ever ask a user to manually run a system command, emphasizing that no legitimate CAPTCHA or update requires a copy-paste into a terminal.
The use of the Deno JavaScript runtime as a loader allows for executing payloads directly in memory. Why is this “bring your own runtime” strategy so effective at evading disk-based scans, and what behavior-based signals should security analysts look for to identify active, in-memory polling loops?
The “bring your own runtime” strategy works because Deno is a legitimate, signed executable that security software often views as a benign developer tool rather than a threat. By using Deno to execute Base64-encoded JavaScript directly in memory, attackers ensure that no malicious binaries ever touch the physical disk, leaving traditional antivirus scanners with nothing to find. To catch this, analysts must pivot from file-based detection to behavioral monitoring, looking specifically for an unusual process tree where a runtime like Deno is spawning shells or making persistent outbound network calls. We look for “polling loops,” which are rhythmic, repetitive network beacons to an external C2 server that occur as the loader checks for new instructions. These signals are often characterized by a consistent heartbeat—a fingerprint of the malware’s attempt to stay alive and wait for the next stage of the attack without generating large, noisy bursts of traffic.
Some ransomware groups are bypassing initial access brokers in favor of compromising legitimate websites to host their exploits. How does this shift affect the cost-benefit analysis for the attackers, and what unique challenges does it create for defenders who can no longer rely on blacklists of malicious domains?
Moving away from initial access brokers is a brilliant move for a group’s bottom line because it eliminates the middleman and the associated “acquisition cost” for a victim. When LeakNet compromises a legitimate site, they gain a high-trust platform that doesn’t trigger the red flags associated with a fresh, “burner” domain. For defenders, this is a nightmare scenario because we cannot simply blacklist the entire internet; a user visiting a trusted industry news site or a local government page won’t trigger any alerts until the exploitation is already underway. This shift forces us to move toward “zero trust” at the browser level, where we treat every external site as a potential delivery vehicle for social engineering. It demands a much more granular level of inspection, focusing on the behavior of the web page itself, such as unauthorized attempts to trigger system prompts or suspicious script executions.
After gaining access, attackers often run the “klist” command to view active credentials before moving laterally via PsExec. What does this tell us about their operational speed, and how can monitoring S3 bucket traffic help identify data exfiltration that might otherwise blend into normal cloud usage?
When an attacker runs “cmd.exe /c klist,” it is a clear indicator that they are moving with high operational velocity and don’t want to waste time on brute-forcing new accounts. By viewing active authentication tickets, they can see exactly which services and machines they can already access, allowing them to leapfrog across the network with surgical precision using tools like PsExec. To hide the subsequent theft of data, they often use S3 buckets for exfiltration because many modern businesses already move gigabytes of data to AWS daily, making the malicious traffic look like a routine backup or sync. Security teams must implement strict monitoring for S3 “PutObject” actions coming from unexpected internal IP addresses or at unusual times. Seeing a sudden spike of 50GB of data moving to an external, non-corporate S3 bucket from a workstation that usually only handles emails is the “smoking gun” that signals a breach is in its final, most damaging stage.
Modern intrusions increasingly prioritize high-volume attacks against smaller organizations rather than “big game hunting.” What specific weaknesses in common VPN and firewall configurations are being targeted to facilitate this, and how can resource-constrained teams build a resilient defense against such automated exploitation?
The pivot toward smaller organizations is a response to the hardening of massive enterprises; attackers now realize that ten smaller victims can be just as profitable as one giant one, but with significantly less risk. Recent data shows that a third of these incidents stem from exploiting known vulnerabilities in common VPNs and firewalls that haven’t been patched or are still using default, weak configurations. For a resource-constrained team, the most effective defense is radical simplification and a relentless focus on the basics: enabling multi-factor authentication on every single external gateway and ensuring that patching critical infrastructure is an automated, non-negotiable process. They should also focus on “known behaviors,” such as blocking the specific lateral movement tools like PsExec if they aren’t required for daily operations, effectively breaking the attacker’s repeatable post-exploitation sequence.
What is your forecast for ransomware trends?
I expect to see a continued “industrialization” of the initial access phase, where social engineering tactics like ClickFix become even more automated and harder to distinguish from legitimate system notifications. While the profitability of targeting giant corporations may be dipping slightly, the overall extortion ecosystem is showing incredible resilience, with data theft now occurring in roughly 77% of all ransomware intrusions. We will likely see more “brand-name” ransomware groups, like the current top ten including Qilin and Akira, adopting these “bring your own runtime” methods to ensure their payloads remain invisible to legacy defenses. The future of defense won’t be about building higher walls, but about developing the internal visibility to see when a legitimate tool is being used for a malicious purpose, effectively catching the intruder while they are still trying to find their footing in the network.
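The "polling loop" signal from the answer on Deno-based loaders can be turned into a simple check. The following is an added example, not part of the interview: it scores each process-to-destination channel by how regular its connection intervals are. The log layout, hostnames and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "time process destination" as exported from EDR or
# proxy telemetry. Hostnames are reserved example domains, not real IoCs.
SAMPLE_LOG = """\
09:00:00 deno.exe c2.example.net
09:00:05 chrome.exe news.example.org
09:00:07 chrome.exe news.example.org
09:00:09 chrome.exe news.example.org
09:00:30 deno.exe c2.example.net
09:01:01 deno.exe c2.example.net
09:01:30 deno.exe c2.example.net
09:02:00 deno.exe c2.example.net
09:02:31 deno.exe c2.example.net
09:02:40 chrome.exe news.example.org
09:02:41 chrome.exe news.example.org
09:03:00 deno.exe c2.example.net
09:09:15 chrome.exe news.example.org
09:09:16 chrome.exe news.example.org
"""

def parse(log):
    """Yield (seconds_since_midnight, process, destination) per line."""
    for line in log.strip().splitlines():
        clock, process, dest = line.split()
        t = datetime.strptime(clock, "%H:%M:%S")
        yield t.hour * 3600 + t.minute * 60 + t.second, process.lower(), dest

def find_beacons(log, min_events=6, max_cv=0.10):
    """Return (process, dest, mean_gap_s, cv) for channels whose gaps between
    connections are nearly constant (low coefficient of variation)."""
    channels = defaultdict(list)
    for t, process, dest in parse(log):
        channels[(process, dest)].append(t)
    hits = []
    for (process, dest), times in channels.items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg and pstdev(gaps) / avg <= max_cv:
            hits.append((process, dest, round(avg, 1),
                         round(pstdev(gaps) / avg, 3)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

A loader that randomizes its sleep interval will score higher than this threshold, so interval regularity works best alongside the process-tree signal rather than as a standalone rule.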
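For the S3 exfiltration signal described in the answer on klist and PsExec, the following added example (not part of the interview) totals upload bytes per workstation and bucket, and reports buckets outside a corporate allowlist. It assumes a TLS-inspecting proxy that records client IP, method, URL and bytes sent; the log layout, addresses, bucket names and threshold are all constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy records: "client_ip method url bytes_sent".
# Bucket names and addresses are made up for the example.
SAMPLE_PROXY_LOG = """\
10.0.9.10 PUT https://acme-backups.s3.eu-west-1.amazonaws.com/db/full.bak 80000000000
10.0.5.23 GET https://acme-assets.s3.amazonaws.com/logo.png 512
10.0.5.23 PUT https://xk-drop-7.s3.us-east-1.amazonaws.com/a.7z 25000000000
10.0.5.23 PUT https://s3.us-east-1.amazonaws.com/xk-drop-7/b.7z 25000000000
10.0.5.41 PUT https://partner-share.s3.amazonaws.com/report.pdf 2000000
"""

# Virtual-hosted style: <bucket>.s3.<region>.amazonaws.com
VHOST = re.compile(r"^(?P<bucket>.+)\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")
# Path style: s3.<region>.amazonaws.com/<bucket>/<key>
PATH_STYLE = re.compile(r"^s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com$")

def bucket_of(url):
    """Return the S3 bucket a URL addresses, or None if it is not S3."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    match = VHOST.match(host)
    if match:
        return match.group("bucket")
    if PATH_STYLE.match(host):
        return parts.path.lstrip("/").split("/", 1)[0] or None
    return None

def unexpected_s3_uploads(log, corporate_buckets, threshold_bytes=10**9):
    """Sum upload bytes per (client, bucket) for buckets not on the
    allowlist and return the pairs at or above threshold_bytes."""
    totals = Counter()
    for line in log.strip().splitlines():
        client, method, url, sent = line.split()
        bucket = bucket_of(url)
        if method in ("PUT", "POST") and bucket and bucket not in corporate_buckets:
            totals[(client, bucket)] += int(sent)
    return {pair: size for pair, size in totals.items() if size >= threshold_bytes}

if __name__ == "__main__":
    allow = {"acme-backups", "acme-assets"}  # hypothetical corporate buckets
    print(unexpected_s3_uploads(SAMPLE_PROXY_LOG, allow))
```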

