New Major Hack Using Windows Features

Security researchers have uncovered a sophisticated attack technique that malicious actors are using to compromise targeted systems with dangerous Remote Access Trojans (RATs) like AsyncRAT and Remcos RAT.

The attackers are taking advantage of a legitimate Windows search feature, making it a major new potential threat for users.

Exploiting the “search-ms” URI Protocol Handler:

The attackers are utilizing the “search-ms” URI protocol handler, which allows applications and HTML links to perform custom local searches on a device. They are also leveraging the “search:” application protocol, a mechanism to call the desktop search application on Windows. By directing users to compromised websites containing JavaScript, they trick the system into executing malicious code.

Deceptive Emails and HTML Attachments:

The attackers are luring victims with deceptive emails containing hyperlinks or HTML attachments that redirect users to compromised websites. When the user clicks on the link, a warning message “Open Windows Explorer?” appears.

Unfortunately, once the user approves, the search results present remote files disguised with PDF or other trusted icons, concealing the fact that the files are being served from a remote location.

Illusion of Trust:

This smart technique creates an illusion of trust, as users believe the files are from their own system. Unknowingly, they execute the malicious code, leading to the installation of rogue dynamic-link libraries (DLLs) using the regsvr32.exe utility or the execution of PowerShell scripts to download additional payloads.
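To give defenders something concrete to run over mail or HTML attachments, here is an added example (not code from the article or the researchers) that scans text for “search-ms:” and “search:” links and flags those whose search location points off the local machine. It assumes the documented search-ms parameter syntax (query, crumb=location:<path>, displayname); the HTML sample is constructed.

```python
import re
from urllib.parse import unquote

# Matches search-ms: and search: URIs wherever they appear in text or HTML.
URI_RE = re.compile(r"\b(search-ms|search):([^\s\"'<>]+)", re.IGNORECASE)
# A crumb location is remote when it is a UNC path or a WebDAV/HTTP URL.
REMOTE_RE = re.compile(r"^(\\\\|//|https?:)", re.IGNORECASE)


def parse_search_uri(uri):
    """Split a search-ms/search URI into (scheme, {param: value})."""
    scheme, _, rest = uri.partition(":")
    params = {}
    for part in rest.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)  # handles %5C%5C-style encoding
    return scheme.lower(), params


def assess_uri(uri):
    """Return a list of findings; empty means nothing suspicious was seen."""
    _, params = parse_search_uri(uri)
    findings = []
    crumb = params.get("crumb", "")
    if crumb.lower().startswith("location:"):
        location = crumb[len("location:"):]
        if REMOTE_RE.match(location):
            findings.append(f"remote search location: {location}")
    if "displayname" in params:
        # A custom title lets the attacker label the remote share as a local folder.
        findings.append(f"search window labelled as: {params['displayname']}")
    return findings


def scan_text(text):
    """Yield (uri, findings) for every search-ms/search link in the text."""
    return [(m.group(0), assess_uri(m.group(0))) for m in URI_RE.finditer(text)]


# Constructed sample: one lure pointing at a remote share, one benign local search.
SAMPLE_HTML = r"""<p>Your invoice is ready.</p>
<a href="search-ms:query=Invoice&crumb=location:\\files.example.test\share&displayname=Downloads">Open</a>
<a href="search-ms:query=report&crumb=location:C:\Users\me\Documents">My reports</a>"""

if __name__ == "__main__":
    for uri, findings in scan_text(SAMPLE_HTML):
        print(uri, "->", findings or "ok")
```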

The Dangers of AsyncRAT and Remcos RAT:

Once infected, the victim’s system becomes vulnerable to remote control by threat actors. They can exploit this access to steal sensitive information, compromise data, or even sell access to other attackers, magnifying the risks to both individuals and organizations.

Protect Yourself from Attack:

Microsoft is continuously working to strengthen security defenses against various initial access vectors. However, users must remain vigilant and avoid clicking on suspicious URLs or downloading files from unknown sources. Because malicious payloads are delivered through the “search” / “search-ms” URI protocol handlers, it is crucial to exercise caution when a link prompts to open Windows Explorer.


– Authored by contributor Anthony J. Daw

Joshua Paulo
Joshua Paulo founded GoodHistory in 2018 on the premise that news and history blend to make well-informed politics. He has a degree in Criminal Justice, a background in public service, and is studying for a Masters degree in International Relations. With several years of experience in analysis and journalism, he now leads a team of professionals and is a proud contributor to several publications, all revolving around a common desire to bring unbiased news information to the people. Editor and writer for Atlas News.