By John Hammond, Alden Schmidt, Lindsey Welch
During the past fifteen business days, Huntress analysts have observed increased threat activity involving several notable techniques. One case involved a malicious AnyDesk installer, which initially mimicked a standard ClickFix attack through a fake Cloudflare verification page but then used Windows File Explorer and an MSI package masked as a PDF to deploy MetaStealer malware.
Additionally, two incidents involving the Cephalus ransomware variant were detected. This ransomware distinguishes itself by using DLL sideloading through a legitimate SentinelOne executable, SentinelBrowserNativeHost.exe, to launch the payload. These recent findings highlight the ongoing evolution in threat actor tradecraft, combining established social engineering methods with more technically advanced infection chains and evasive deployment strategies.
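One practical check for the sideloading pattern described above is to look at image-load telemetry for the vendor binary itself: a legitimately signed executable running from somewhere other than its install directory, or loading an unsigned DLL from its own folder, is the tell. The example below is added here and is not Huntress's or SentinelOne's code; the Sysmon Event ID 7 field names (Image, ImageLoaded, Signed) are real, but the install directories, the DLL file names, and the event records are constructed for illustration.

```python
from pathlib import PureWindowsPath

# The legitimate binary the page describes being abused for sideloading.
TARGET_EXE = "sentinelbrowsernativehost.exe"

# Assumed install locations for this example; tune to the paths actually
# observed in your environment.
TRUSTED_DIRS = (
    "c:\\program files\\sentinelone\\",
    "c:\\program files (x86)\\sentinelone\\",
)


def _norm(path: str) -> str:
    """Normalise a Windows path to a lowercase backslash form for comparison."""
    return str(PureWindowsPath(path)).lower()


def is_trusted_dir(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_DIRS)


def sideload_findings(events):
    """Return (reason, event) pairs for image loads that look like sideloading.

    Each event is a dict with Sysmon Event ID 7 style fields:
    Image (the process executable), ImageLoaded (the DLL), Signed ("true"/"false").
    """
    findings = []
    for ev in events:
        image = _norm(ev["Image"])
        if PureWindowsPath(image).name != TARGET_EXE:
            continue  # only interested in the abused vendor binary
        dll = _norm(ev["ImageLoaded"])
        same_dir = PureWindowsPath(dll).parent == PureWindowsPath(image).parent
        if not is_trusted_dir(image):
            # The signed vendor EXE has been copied somewhere attacker-writable.
            findings.append(("vendor binary running outside its install path", ev))
        elif same_dir and ev.get("Signed", "false").lower() != "true":
            # Classic sideload: an unsigned DLL sitting next to the trusted EXE.
            findings.append(("unsigned DLL loaded from the binary's own directory", ev))
    return findings


# Constructed sample events (hypothetical paths and DLL names, not incident data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelBrowserNativeHost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\SentinelBrowserNativeHost.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\payload.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelBrowserNativeHost.exe",
     "ImageLoaded": r"C:\Program Files\SentinelOne\Sentinel Agent\helper.dll", "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
]


def run_sample():
    """Run the detection over the constructed events and return just the reasons."""
    return [reason for reason, _ in sideload_findings(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for reason, ev in sideload_findings(SAMPLE_EVENTS):
        print(f"{reason}: {ev['Image']} -> {ev['ImageLoaded']}")
```

The first rule catches the common case where the attacker ships a copy of the vendor EXE alongside the malicious DLL in a user-writable directory; the second catches a DLL planted next to the real binary. Both fire on the SentinelBrowserNativeHost.exe sample; the unrelated explorer.exe load is ignored.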
ClickFix attacks have been ticking up for over a year now, as attackers find success in tricking users into executing malicious code on their own computers using CAPTCHA-based lures. We've seen quite a few of these attacks on our end, but we've also seen threat actors adopting ClickFix-esque techniques in attacks that don't follow the exact ClickFix playbook.
Recently, our very own John Hammond received an email from someone who had come across a fake AnyDesk installer while searching for the AnyDesk remote tool.
While the early stages of the attack look like just another ClickFix scam, a little digging reveals a distinctive infection chain that involves a fake Cloudflare Turnstile lure, the Windows search protocol, and an MSI package disguised as a PDF that cleverly grabs the victim's hostname.
The attack ultimately aims to drop MetaStealer, a commodity infostealer that’s been around since 2022 and is known for harvesting credentials and stealing files.
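The "MSI disguised as a PDF" step works only because users and many file pickers trust the name, not the content. A quick triage check is to compare the claimed extension against the file's leading bytes: a PDF starts with `%PDF-`, while an MSI is an OLE2 Compound File whose header is `D0 CF 11 E0 A1 B1 1A E1`. The script below is an added example, not code from the original post or from Huntress, and the sample byte strings in it are constructed rather than taken from the incident.

```python
from pathlib import PureWindowsPath

# Magic-byte signatures for the two formats the lure plays on.
PDF_MAGIC = b"%PDF-"
# MSI packages are OLE2 Compound File Binary files (the same container as
# legacy .doc/.xls); these eight bytes are the container signature.
OLE_CF_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# What content each extension is expected to carry.
EXPECTED = {".pdf": "pdf", ".msi": "ole-compound"}


def classify_by_magic(data: bytes) -> str:
    """Return a coarse file type from the leading bytes, ignoring the file name."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_CF_MAGIC):
        # MSI or a legacy Office document; the header alone can't distinguish them,
        # but neither is a PDF, which is all the lure check needs.
        return "ole-compound"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the file's claimed extension disagrees with its actual content.

    Only the final suffix matters, so "report.pdf.msi" is judged as an .msi and
    "report.pdf" carrying an OLE header is flagged.
    """
    ext = PureWindowsPath(filename).suffix.lower()
    expected = EXPECTED.get(ext)
    if expected is None:
        return False  # extension we don't have a signature for: no opinion
    return classify_by_magic(data) != expected


# Constructed samples, not files from the incident.
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
FAKE_PDF = OLE_CF_MAGIC + b"\x00" * 24  # an OLE/MSI header wearing a .pdf name


def triage(samples):
    """Return {filename: (detected_type, mismatch)} for a batch of (name, bytes)."""
    return {name: (classify_by_magic(data), extension_mismatch(name, data))
            for name, data in samples}


if __name__ == "__main__":
    for name, (kind, bad) in triage([("invoice.pdf", REAL_PDF),
                                     ("invoice.pdf", FAKE_PDF)]).items():
        print(f"{name}: {kind}, mismatch={bad}")
```

Run this over a download directory or a mail quarantine and anything reported as `ole-compound` under a `.pdf` name deserves a closer look; a genuine PDF never starts with the OLE header. Windows will still hand a double-clicked `.msi` to msiexec regardless of what icon or name the file shows, so the check is cheap insurance before a user does exactly that.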
ClickFix, FileFix, and other ‘fix’ variants
First, a quick primer on the widely used ClickFix technique. The premise of ClickFix is that threat actors convince users to "fix" a purported issue, usually a fake CAPTCHA on a webpage the victim reaches through a phishing message or some other lure.