On September 2, 2025, threat actors unveiled a groundbreaking method for distributing the MetaStealer malware in what has been identified as the AnyDesk ClickFix campaign. This operation exploited vulnerabilities in Windows Search functionalities and employed clever social engineering via phishing techniques.
Phishing Page Deception
The campaign commenced with victims being led to a realistic-looking phishing page located at anydeesk[.]ink/download/anydesk[.]html. This site tricked users with a fake Cloudflare Turnstile prompt. Upon clicking 'verify,' unsuspecting victims were redirected through obfuscated JavaScript to a reCAPTCHA page. This action utilized the search-ms URI scheme, which opened a custom Windows File Explorer query.
This query stealthily connected to an attacker-controlled SMB share. Here, victims were presented with a deceptive Readme AnyDesk.pdf, which was, in fact, a malicious LNK shortcut. Once executed, the LNK would quietly download the legitimate AnyDesk installer along with a fake 'PDF' MSI from chat1[.]store, placing them in a temporary directory.
Malware Execution and Data Harvesting
The MSI file crafted download URLs using the victim’s %COMPUTERNAME%, enabling MetaStealer to harvest hostnames effectively. Contained within the MSI, a CustomActionDLL and a compressed CAB file (Binary.bz.WrappedSetupProgram) unpacked necessary components: a cleanup JavaScript file (1.js) and ls26.exe, the primary MetaStealer dropper.
Protected by the Private EXE Protector, ls26.exe mimicked behaviors of existing MetaStealer variants. It scanned for crucial data, including browser credentials, cryptocurrency wallet files, and document stores, executing its data exfiltration in a covert manner. What distinguishes this variant is its use of search-ms URIs and SMB shares, allowing it to bypass typical Run-dialog restrictions while implanting both a functional Remote Desktop installer and the malicious package.
Proactive Defense Measures
In light of this sophisticated attack, experts suggest several defensive strategies. Organizations are advised to enforce application whitelisting to block unauthorized scripts and MSI installations. Additionally, it's crucial to monitor and restrict the usage of Windows protocol handlers like search-ms, preventing their access to untrusted SMB shares.
User education plays a vital role; individuals should be wary of unsolicited CAPTCHA or verification prompts, especially those requesting command execution or file openings. Likewise, implementing endpoint detection rules to flag unusual occurrences of msiexec.exe, cmd.exe launches, and SMB connections to unfamiliar hosts could significantly mitigate such risks.
This incident, reported by Mayura Kathir of GBHackers News, underscores the ever-evolving landscape of cybersecurity threats and the importance of staying vigilant against deception and exploitation techniques that leverage seemingly benign tools and interfaces.
