In a striking evolution of the ClickFix scam trend, cybercriminals have ingeniously combined human-verification social engineering with the Windows search protocol to deploy MetaStealer, a notorious infostealer adept at pilfering credentials and exfiltrating sensitive data.
While this attack may initially appear to echo traditional ClickFix and FileFix strategies, its distinctive infection chain—from a counterfeit AnyDesk installer to an MSI package masquerading as a PDF—highlights the increasing sophistication of these “fix” variants.
The assault commences when a target, in search of the legitimate AnyDesk remote-access tool, inadvertently lands on a phishing page at anydeesk[.]ink/download/anydesk.html. This page features a deceptive Cloudflare Turnstile human-verification prompt, designed to ensnare unsuspecting users.
Once the page’s obfuscated JavaScript is decoded, it can be seen redirecting victims to verification.anydeesk[.]ink/reCAPTCHA-v2.php. Here, clicking the verification box abuses Windows File Explorer through the search-ms protocol handler, diverging from the PowerShell or Run dialog executions typical of ClickFix campaigns.
Rather than instructing users to type commands into the Run dialog or the File Explorer address bar, the phishing page uses the search-ms URI scheme, which lets the attacker choose the name of the search query shown to the user, further enhancing the attack’s stealth.
When victims click “verify,” their browser triggers Windows File Explorer, which automatically opens a custom search query defined by the displayname parameter in the search-ms URI. This query discreetly connects to an attacker-controlled SMB share, presenting the user with what appears to be a PDF titled Readme AnyDesk.pdf.
Disguised LNK Shortcut Snags Hostnames
However, lurking behind the façade of a PDF is a malicious Windows shortcut (LNK) file. Executing this shortcut initiates two simultaneous actions: it silently downloads the legitimate AnyDesk installer via Microsoft Edge—likely to create an illusion of a genuine application installation—and retrieves a so-called “PDF” from chat1[.]store into a temporary directory.
Notably, the “PDF” download leverages the victim’s %COMPUTERNAME% environment variable to construct its URL, thereby capturing the hostname without any per-campaign configuration.
An analysis of the chat1[.]store server, accessed through a curl user agent, unveiled the complete MSI package. Within this package, a CustomActionDLL and a compressed CAB archive (Binary.bz.WrappedSetupProgram) contain two critical malicious components: a cleanup JavaScript (1.js) and ls26.exe, the MetaStealer dropper.
The “solution” presented to victims involves copying and pasting a command provided through an attacker-controlled prompt, which discreetly initiates the attack chain.
Protected by Private EXE Protector, ls26.exe operates similarly to known MetaStealer samples, scanning for browser credentials, cryptocurrency wallet files, and document stores before exfiltration occurs.
Although this attack retains familiar elements of traditional ClickFix and FileFix lures—specifically, social engineering prompts disguised as CAPTCHA—the transition to search-ms URIs and SMB shares signifies a notable advancement in tactics. Unlike ClickFix, which prompts users to paste commands into the Run dialog, and FileFix, which exploits the File Explorer address bar, this new variant effectively circumvents user suspicion by presenting a familiar Remote Desktop installation alongside a malicious installer.
Defensive Measures and User Education
Organizations that have successfully mitigated classic ClickFix threats by disabling or restricting the Windows Run dialog may still find themselves vulnerable to search-ms-based lures. To enhance defenses, it is advisable to:
- Enforce strict application whitelisting to prevent unauthorized script execution and MSI installations.
- Monitor and restrict Windows protocol handlers like search-ms from accessing untrusted SMB shares.
- Educate users to be skeptical of unsolicited CAPTCHAs or verification prompts that request any level of command execution or file opening.
- Deploy endpoint detection rules to flag unexpected msiexec.exe launches, downloads initiated from cmd.exe, and SMB share connections to unfamiliar hosts.
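As an added example (not code from the article), the following Python detector scans URL log lines for search-ms URIs whose location crumb points File Explorer at an SMB share outside a trusted-host allowlist, reporting the displayname label the lure shows the user. The log format, host names, share names and allowlist are assumptions.

```python
import re
from urllib.parse import unquote

# Hypothetical allowlist of file servers whose SMB shares users are expected to reach.
TRUSTED_SMB_HOSTS = {"fileserver.corp.example", "nas01.corp.example"}

# A search-ms: URI runs until whitespace or a quote/angle bracket in a URL log line.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)
# A location crumb of the form crumb=location:\\host\share (after percent-decoding).
UNC_LOCATION_RE = re.compile(r"crumb=location:(?:\\\\|//)([^\\/&]+)", re.IGNORECASE)


def parse_search_ms(uri):
    """Return (displayname, remote_host) for a search-ms URI.

    remote_host is None when the location crumb is absent or points at a local
    path, so an ordinary indexed-folder search is not reported.
    """
    decoded = unquote(uri)
    name = re.search(r"displayname=([^&]*)", decoded, re.IGNORECASE)
    loc = UNC_LOCATION_RE.search(decoded)
    return (name.group(1) if name else "", loc.group(1).lower() if loc else None)


def suspicious_search_ms(log_lines):
    """Return (line_no, host, displayname) for every search-ms URI whose UNC
    location is outside TRUSTED_SMB_HOSTS. The displayname is included because
    it is the label the victim sees in the Explorer window."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for uri in SEARCH_MS_RE.findall(line):
            display, host = parse_search_ms(uri)
            if host and host not in TRUSTED_SMB_HOSTS:
                hits.append((n, host, display))
    return hits


# Constructed sample lines in a generic proxy/URL-log style (not from the article).
SAMPLE_LOG = [
    '2024-01-01T10:00:01 user=alice url="https://intranet.corp.example/portal"',
    '2024-01-01T10:00:07 user=alice url="search-ms:query=budget&crumb=location:%5C%5Cfileserver.corp.example%5Cfinance"',
    '2024-01-01T10:01:12 user=bob url="search-ms:displayname=Readme%20AnyDesk&crumb=location:%5C%5C198.51.100.7%5Cdownloads%5C"',
    '2024-01-01T10:01:15 user=carol url="search-ms:query=notes&crumb=location:C:%5CUsers%5Ccarol"',
]

if __name__ == "__main__":
    for line_no, host, display in suspicious_search_ms(SAMPLE_LOG):
        print(f"line {line_no}: search-ms opened SMB share on {host!r} labelled {display!r}")
```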
As threat actors continue to refine “fix”-style attacks, the integration of legitimate features with social engineering tactics will remain a formidable evasion strategy. Ongoing user training and layered technical controls are crucial to identifying and disrupting these evolving infection chains before they can deploy infostealers like MetaStealer.
IOCs
| Indicator | Description |
| --- | --- |
| https[://]anydeesk[.]ink/download/anydesk[.]html | Domain with fake Cloudflare Turnstile |
| macawiwmaacckuow[.]xyz | MetaStealer C2 domain |
| yeosyyyaewokgioa[.]xyz | MetaStealer C2 domain |
| cmqsqomiwwksmcsw[.]xyz | MetaStealer C2 domain |
| 38[.]134[.]148[.]74 | MetaStealer C2 IP address |
| ls26.exe SHA256 0fc76b7f06aa80a43abafc1e9b88348734e327feb306d700c877c6a210fbd5e7 | MetaStealer dropper PE |
| CustomActionDLL SHA256 fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1 | File found in MSI package |
| Binary.bz.WrappedSetupProgram SHA256 513992d7076984d5c5a42affc12b6a00eef820f3254af75c9958ef3310190317 | CAB file containing malicious components |