From a Fake AnyDesk Installer to MetaStealer

Sept. 1, 2025, 8:29 a.m.

Description

A recent attack mimicking ClickFix tactics used a fake AnyDesk installer to deploy MetaStealer. The infection chain involved a fake Cloudflare Turnstile lure, the Windows search protocol, and an MSI package disguised as a PDF. Unlike traditional ClickFix attacks, this variant redirected users to Windows File Explorer instead of the Run dialog box. The attack cleverly grabbed the victim's hostname and ultimately aimed to drop MetaStealer, a commodity infostealer known for harvesting credentials and stealing files. This incident highlights the evolving nature of social engineering attacks and the need for updated security measures and user education.
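
Added example (not part of the original report): a Python triage check for two signals in the chain described above, a URI handed to the Windows search handler and a file presented as a PDF whose header is the OLE compound-file container used by MSI packages. The `search-ms`/`search` scheme names are an assumption about what the report means by the Windows search protocol; the event fields and sample events are constructed.

```python
from urllib.parse import urlsplit

# OLE2 Compound File header, the container format used by .msi packages.
OLE_CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
PDF_MAGIC = b"%PDF-"
# Assumption: the report's "Windows search protocol" maps to these URI schemes.
SEARCH_SCHEMES = {"search-ms", "search"}


def sniff_type(header: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if header.startswith(OLE_CFB_MAGIC):
        return "ole-cfb"  # MSI packages, legacy Office documents
    # PDF readers tolerate junk before the marker, so search a small window.
    if PDF_MAGIC in header[:1024]:
        return "pdf"
    return "unknown"


def claimed_pdf(name: str) -> bool:
    """True when the name presents as a PDF, as final or inner extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return "pdf" in base.split(".")[1:]


def triage(event: dict) -> list[str]:
    """Return the findings for one download or navigation event."""
    findings = []
    scheme = urlsplit(event.get("url", "")).scheme.lower()
    if scheme in SEARCH_SCHEMES:
        findings.append("search-protocol-uri")
    name, header = event.get("file_name"), event.get("header", b"")
    if name and claimed_pdf(name) and sniff_type(header) == "ole-cfb":
        findings.append("msi-container-named-as-pdf")
    return findings


# Constructed sample events (not taken from the incident).
SAMPLE_EVENTS = [
    {"url": "https://files.example/report.pdf", "file_name": "report.pdf",
     "header": b"%PDF-1.7\n"},
    {"url": "search-ms:query=invoice"},
    {"url": "https://files.example/dl", "file_name": "C:\\Users\\u\\Readme.pdf",
     "header": OLE_CFB_MAGIC + b"\x00" * 16},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.get("file_name"), triage(ev))
```

Legacy Office documents share the same container header, which is why the check only fires when the name claims PDF.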

Date

  • Created: Aug. 30, 2025, 9:10 a.m.
  • Published: Aug. 30, 2025, 9:10 a.m.
  • Modified: Sept. 1, 2025, 8:29 a.m.

Attack Patterns

  • MetaStealer