Fake AnyDesk Installer Spreads MetaStealer Through ClickFix Scam

A new and clever ClickFix scam is using a fake AnyDesk installer and Windows search to bypass security, installing MetaStealer malware. Learn how to protect yourself from this growing ClickFix threat.
Cybersecurity researchers at Huntress have discovered a new malware campaign using the ClickFix technique to spread malware. In this campaign, hackers are luring victims with a fake installer for the legitimate remote access tool, AnyDesk, to install malware called MetaStealer.
For your information, the classic ClickFix technique convinces users to fix a fake problem on a website by copying and pasting a malicious command into their computer’s Windows Run dialogue box.
ClickFix attack pretends to solve a problem that doesn’t exist!
In this campaign, researchers noted the use of another technique, dubbed “FileFix,” which uses the Windows File Explorer instead. This new campaign is also a twist on those scams, which is what makes it dangerous and able to bypass security measures.
The attack begins when a person, searching online for the real AnyDesk tool, lands on a fake website. The page features a fake human verification prompt that looks like Cloudflare’s CAPTCHA verification tool. The key difference here is that instead of asking the victim to copy and paste a command into their computer, the standard method for a ClickFix scam, the hackers use a new technique.
When the victim clicks the “verify” button, the website activates a hidden feature in Windows that launches the Windows File Explorer with a special search query. This action connects the victim’s computer to a remote server controlled by the hackers, delivering a dangerous file right to their screen. A small but important detail is that the hackers need to get the victim’s computer name as part of the download link, which helps them keep track of their targets.
The downloaded file is disguised as a PDF document titled Readme Anydesk.pdf. In reality, it is a malicious installer package. When opened, it performs two actions at once: it begins downloading the legitimate AnyDesk application in the background to avoid suspicion, and it silently installs MetaStealer.
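A file that is named as a PDF but is really an installer can be caught by comparing its name with its leading bytes. The sketch below is an added example, not code from Huntress or the original article. It assumes the installer package is an MSI (an OLE compound file), also flags a few other non-PDF types beyond the case described here, and uses constructed sample headers.

```python
import os

# Magic bytes of file types that should never sit behind a ".pdf" name.
# Assumption: the "installer package" is an MSI, which is an OLE compound file.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound file (e.g. MSI installer)",
    b"MZ": "Windows PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"L\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut (LNK)",
}

def classify(head: bytes) -> str:
    """Identify content from its first bytes; risky types are checked first."""
    for magic, label in SIGNATURES.items():
        if head.startswith(magic):
            return label
    # Some PDF readers accept the header anywhere in the first 1024 bytes.
    return "PDF" if b"%PDF-" in head[:1024] else "unknown"

def claims_pdf(name: str) -> bool:
    """True for 'x.pdf' and for double extensions such as 'x.pdf.lnk'."""
    return "pdf" in name.lower().split(".")[1:]

def check_file(name: str, head: bytes):
    """Return a finding if the name claims PDF but the content is not one."""
    if not claims_pdf(name):
        return None
    kind = classify(head)
    return None if kind == "PDF" else f"{name}: named as PDF, content is {kind}"

def scan_dir(path: str) -> list:
    """Walk a directory (e.g. a Downloads folder) and collect findings."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                with open(os.path.join(root, name), "rb") as fh:
                    finding = check_file(name, fh.read(1024))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if finding:
                findings.append(finding)
    return findings

# Constructed samples (headers only, no real file content).
SAMPLES = [
    ("Readme Anydesk.pdf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16),
    ("manual.pdf", b"%PDF-1.7\n"),
]
```

Calling `scan_dir` on a downloads folder returns one finding per mismatched file; `check_file` can be run directly on the constructed `SAMPLES`.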

For your information, MetaStealer malware is designed to steal sensitive information. After successful infiltration of a targeted device, it can harvest login credentials, steal files, and even take information from crypto wallets.
The campaign seems to be part of a wider trend of “fix” scams that blend legitimate software features with social engineering to evade traditional defences. This highlights the importance of user education to help people spot these highly deceptive scams.
HackRead