
Exploiting Windows Search: Unleashing Remote Access Trojans

Hackers Abusing Windows Search Feature to Install Remote Access Trojans


Unknown malicious actors are exploiting a legitimate Windows search feature to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The attack technique uses the "search-ms:" URI protocol handler and the "search:" application protocol. Attackers are directing users to websites that exploit the 'search-ms' functionality using JavaScript hosted on the page. This technique has even been extended to HTML attachments, expanding the attack surface. In such attacks, threat actors have been observed creating deceptive emails that embed hyperlinks or HTML attachments containing a URL that redirects users to compromised websites.

Clicking the link triggers an "Open Windows Explorer?" warning. If the user approves it, "the search results of remotely hosted malicious shortcut files are displayed in Windows Explorer disguised as PDFs or other trusted icons, just like local search results," the researchers explained. If a victim clicks one of the shortcut files, a rogue dynamic-link library (DLL) is executed using the regsvr32.exe utility. The infections lead to the installation of AsyncRAT and Remcos RAT, offering a pathway for threat actors to remotely control the hosts, steal sensitive information, and even sell access to other threat actors.
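As an added detection example (not code from the original article or the cited research), the Python below scans an HTML attachment or page for `search-ms:` and `search:` URIs and rates those whose `crumb=location:` value points at a remote share or URL as high severity. The parameter names `query`, `crumb` and `displayname` come from the Windows search protocol rather than from this page, and the sample HTML and host name are constructed.

```python
import re
from html import unescape
from urllib.parse import unquote

# search-ms: / search: URIs as they appear in href attributes or script strings.
URI_RE = re.compile(r"""\bsearch(?:-ms)?:[^"'<>\s]+""", re.IGNORECASE)
# A location that starts with a UNC prefix or an http(s) scheme is remote.
REMOTE_RE = re.compile(r"^(?:\\\\|//|https?://)", re.IGNORECASE)

# Constructed sample attachment; the host name is a placeholder.
SAMPLE = r'''<html><body>
<a href="search-ms:query=Invoice&amp;crumb=location:%5C%5Cfiles.example.test%5Cshare&amp;displayname=Search%20Results">View invoice</a>
<script>window.location.href = "search:query=report&crumb=location:C:\\Users\\Public";</script>
</body></html>'''

def parse_search_uri(uri):
    """Return {parameter name: [percent-decoded values]} for one URI."""
    params = {}
    for part in uri.partition(":")[2].split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.lower(), []).append(unquote(value))
    return params

def remote_locations(params):
    """Return crumb=location: values that point off the local machine."""
    found = []
    for crumb in params.get("crumb", []):
        name, _, value = crumb.partition(":")
        if name.lower() == "location" and REMOTE_RE.match(value):
            found.append(value)
    return found

def scan_html(text):
    """Return one finding per search-ms:/search: URI in an HTML document."""
    findings = []
    for match in URI_RE.finditer(unescape(text)):  # undo &amp; first
        params = parse_search_uri(match.group(0))
        remote = remote_locations(params)
        findings.append({
            "uri": match.group(0),
            "remote": remote,
            "displayname": params.get("displayname", [None])[0],
            "severity": "high" if remote else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding["severity"], finding["remote"], finding["uri"])
```

A mail gateway or triage script can call `scan_html` on each HTML attachment body and quarantine messages with a `high` finding, since legitimate email rarely needs to open a Windows Explorer search against a remote location.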


  • Phishing and Malware Campaigns


  • Avoid clicking on suspicious URLs or downloading HTML files from unknown sources

  • Avoid untrustworthy links: practice hovering before clicking, analyze the URL, and avoid clickbait

  • Enhance cybersecurity training for your team on how to spot potentially suspicious phishing campaigns

Incident Response

  • Isolate and quarantine any infected systems

  • Notify relevant parties according to your Incident Response Plan

  • Reach out to cybersecurity professionals to help contain the attack, analyze the risk, and devise a recovery plan.


1. The Hacker News. (2023, July 28). Hackers Abusing Windows Search Feature to Install Remote Access Trojans.


How can CyberForce|Q services help you address this risk?

Partner with CyberForce|Q to mitigate phishing and malware campaigns risk. Our cutting-edge Security Operations Center is purpose-built to tackle the challenge of monitoring phishing attempts 24x7x265. By leveraging our services, we can help minimize the risk associated with phishing and malware campaigns with measurable results.
