"essentially a remote file share allowing clients to access files on a remote server over a network. here, victims are presented with a windows shortcut lnk file; however, this lnk file is disguised as a pdf file called readme anydesk.pdf. figure 5: a windows shortcut file disg…"
T1204.002 Malicious File
93%
"for the attacker to nab that information from the victim. the fake pdf is then installed by msiexec (revealing that it’s actually an msi package) and the cmd.exe process is then killed. upon closer inspection of chat1[.]store (reached through a curl user agent), we can …"
T1204.004 Malicious Copy and Paste
93%
"of metastealer, such as stealing from crypto wallets. clickfix variants and lessons learned clickfix, filefix, and even this alternate-clickfix attack we recently found show the power of blending social engineering with mundane processes, like captchas or other verification too…"
T1204.004 Malicious Copy and Paste
91%
"known for harvesting credentials and stealing files. clickfix, filefix, and other ‘fix’ variants first, a quick primer on the widely used clickfix technique. the premise of clickfix is that threat actors convince users to “fix” a purported issue, usually with a captcha on a w…"
T1204.002 Malicious File
85%
"from a fake anydesk installer to metastealer clickfix attacks have been ticking up for over a year now, as attackers find success in tricking users into executing malicious code on their computers using captcha-based lures. we’ve seen quite a bit of these types of attacks on …"
T1204.004 Malicious Copy and Paste
49%
"dialog box as we have seen with clickfix. this is more indicative of a filefix attack — but this attack still isn’t strictly filefix, where victims are prodded to launch the address bar in windows file explorer (using a ctrl + l and ctrl + v combination to paste a powershell c…"
T1204.002 Malicious File
44%
"of metastealer, such as stealing from crypto wallets. clickfix variants and lessons learned clickfix, filefix, and even this alternate-clickfix attack we recently found show the power of blending social engineering with mundane processes, like captchas or other verification too…"
T1204.004 Malicious Copy and Paste
40%
"support “secure access verification”, prompting the user to click a single button on the cloudflare turnstile to “verify you are human.” figure 2: the initial link that redirects users to a fake cloudflare turnstile a quick look at the underlying html for the webpage (using…"
T1204.002 Malicious File
33%
"known for harvesting credentials and stealing files. clickfix, filefix, and other ‘fix’ variants first, a quick primer on the widely used clickfix technique. the premise of clickfix is that threat actors convince users to “fix” a purported issue, usually with a captcha on a w…"
Summary
Learn how a fake AnyDesk installer led to a unique MetaStealer attack, highlighting how threat actors evolve ClickFix techniques beyond the classic playbook to steal credentials and files.