New Major Hack Using Windows Features

Security researchers have uncovered a sophisticated attack technique that malicious actors are using to compromise targeted systems with dangerous Remote Access Trojans (RATs) like AsyncRAT and Remcos RAT.

The attackers are abusing a legitimate Windows search feature rather than a software flaw, which means no unpatched vulnerability is needed and makes the technique a significant new threat for users.

Exploiting the “search-ms” URI Protocol Handler:

The attackers are utilizing the “search-ms” URI protocol handler, which allows applications and HTML links to launch a custom search in Windows Explorer, scoped to a location the link specifies. They are also leveraging the “search:” application protocol, a mechanism that invokes the desktop search application on Windows. Victims are directed to compromised websites whose JavaScript redirects the browser to a search-ms: or search: URI; the browser hands that URI to Windows, which opens a search window pointed at a location the attacker controls.

Deceptive Emails and HTML Attachments:

The attackers lure victims with deceptive emails containing hyperlinks or HTML attachments that redirect the browser to compromised websites. When the user clicks the link, the browser shows the prompt “Open Windows Explorer?”, the standard confirmation it displays before handing a URI to an external application.

If the user approves, Explorer opens a search window listing files that are actually hosted on the attacker’s remote server. The files carry PDF or other trusted-looking icons and the window looks like an ordinary local search result, so nothing indicates that the content is remote.
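As an added example (not part of the original article or of the researchers’ report), the following Python triage helper shows the check a mail gateway or an analyst’s triage script can apply to the lure described above: it pulls search-ms:/search: URIs out of an HTML attachment or web page body, decodes the handler’s parameters, and flags any search whose crumb=location: scope points at a remote UNC share or WebDAV server, noting the displayname the attacker chose for the window. The URI grammar (query, crumb, displayname) is the documented form of the Windows handler; the sample HTML, the host 203.0.113.7 and the name example.invalid are constructed for the example.

```python
"""Triage helper for Windows 'search-ms:' / 'search:' URIs found in mail links
or HTML attachments. Added example; the sample HTML below is constructed."""
import html
import re
from urllib.parse import unquote

# A protocol-handler URI as it appears inside an href or a JavaScript redirect.
URI_PATTERN = re.compile(r"""\bsearch(?:-ms)?:[^\s"'<>)]+""", re.IGNORECASE)

# UNC path (\\host\share, including the \\host@SSL@443\DavWWWRoot form Windows
# uses to reach WebDAV servers). \\?\ and \\.\ are local device prefixes, not hosts.
UNC_PATTERN = re.compile(r"^(?:\\\\|//)(?![?.][\\/])[^\\/]+")


def extract_search_uris(text: str) -> list[str]:
    """Return every search:/search-ms: URI in an HTML body or script, entity-decoded."""
    return [html.unescape(m) for m in URI_PATTERN.findall(text)]


def parse_search_uri(uri: str) -> dict:
    """Split 'search-ms:query=<q>&crumb=<key>:<value>&displayname=<name>' into a dict.
    Parameters are '&'-separated and percent-encoded; 'crumb' may repeat, so it is a list."""
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in ("search-ms", "search"):
        raise ValueError(f"not a Windows search URI: {uri!r}")
    params: dict = {"scheme": scheme, "crumb": []}
    for part in filter(None, rest.split("&")):
        key, _, value = part.partition("=")
        key, value = unquote(key).strip().lower(), unquote(value)
        if key == "crumb":
            params["crumb"].append(value)
        else:
            params[key] = value
    return params


def search_locations(params: dict) -> list[str]:
    """Values of every 'crumb=location:<path>' parameter: the folders the search is scoped to."""
    out = []
    for crumb in params["crumb"]:
        key, _, value = crumb.partition(":")
        if key.strip().lower() == "location":
            out.append(value.strip().strip('"'))
    return out


def is_remote_location(path: str) -> bool:
    """True when the scope points off the local machine (UNC share, WebDAV, http(s) URL)."""
    return path.lower().startswith(("http://", "https://")) or bool(UNC_PATTERN.match(path))


def triage(uri: str) -> dict:
    """Verdict for one URI plus the fields an analyst wants to see."""
    params = parse_search_uri(uri)
    remote = [p for p in search_locations(params) if is_remote_location(p)]
    displayname = params.get("displayname", "")
    reasons = []
    if remote:
        reasons.append("search scope is a remote share or WebDAV server")
        if displayname:
            # The attacker-chosen title the Explorer window shows instead of the real path.
            reasons.append(f"remote results labelled {displayname!r}")
    return {
        "uri": uri,
        "scheme": params["scheme"],
        "remote_locations": remote,
        "displayname": displayname,
        "verdict": "suspicious" if remote else "benign",
        "reasons": reasons,
    }


def triage_attachment(text: str) -> list[dict]:
    """Run triage over every search URI found in an HTML attachment or web page body."""
    return [triage(u) for u in extract_search_uris(text)]


# Constructed sample HTML attachment (not from a real campaign): one benign local
# search link, one link scoped to a WebDAV server relabelled "Downloads", and the
# JavaScript redirect the article describes.
SAMPLE_HTML = """<html><body>
<p>Your document is ready.</p>
<a href="search-ms:query=invoice&amp;crumb=location:C%3A%5CUsers%5CPublic%5CDocuments&amp;displayname=Documents">Local</a>
<a href="search-ms:query=*&amp;crumb=location:%5C%5C203.0.113.7%40SSL%40443%5CDavWWWRoot%5Cdocs&amp;displayname=Downloads">Open</a>
<script>
  // page-side redirect: JavaScript hands the browser a protocol-handler URI
  window.location.href = "search:query=report&crumb=location:https%3A%2F%2Fexample.invalid%2Fshare&displayname=My%20PDFs";
</script>
</body></html>"""

if __name__ == "__main__":
    for result in triage_attachment(SAMPLE_HTML):
        print(result["verdict"].upper(), result["displayname"] or "-",
              result["remote_locations"], *result["reasons"], sep=" | ")
```

The verdict rests on the scope, not on the file names or icons the window shows, because those are exactly what the lure controls: a search-ms: link that scopes the search to a UNC or WebDAV location is the tell, whatever displayname it carries.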

Illusion of Trust:

The technique works because it creates an illusion of trust: users believe the files come from their own system and open them without a second thought. Doing so executes the attacker’s code, which registers a rogue dynamic-link library (DLL) with the regsvr32.exe utility or runs a PowerShell script that downloads additional payloads.

The Dangers of AsyncRAT and Remcos RAT:

Once infected, the victim’s system is under the remote control of the threat actors. They can use that access to steal sensitive information, tamper with data, or sell the access on to other attackers, magnifying the risk to both individuals and organizations.

Protect Yourself from Attack:

Microsoft is continuously working to strengthen defenses against initial access vectors such as this one. Users must nevertheless remain vigilant: avoid clicking suspicious URLs or downloading files from unknown sources. Because the payload is delivered through the “search” / “search-ms” protocol handlers, an “Open Windows Explorer?” prompt that appears after clicking a link in an email or attachment is itself a warning sign and should be declined.


– Authored by contributor Anthony J. Daw

Joshua Paulo
Combining a Criminal Justice and International Relations background, Josh boasts years of experience in various forms of analysis and freelance journalism. He currently spearheads a team of professionals committed to delivering unbiased reporting to provide the public and private sector with accurate and insightful information. Josh serves as Atlas's Director of News.