Hackers Exploit Windows Search

Malware authors persistently seek novel approaches to exploit unsuspecting users in the active cyber threat landscape.

Microsoft Windows includes a powerful tool, the Windows search feature, for locating files, folders, and other items on the system.

Unexplored by many, the “search-ms” URI protocol handler in Windows allows potent local and remote searches, but security researchers at Trellix warn of potential exploitation.

Infection Chain

Cybersecurity researchers at Trellix Advanced Research Center revealed that this new attack technique exploits the “search-ms” URI protocol with JavaScript on websites and HTML attachments.

This expands the attack surface, and the technique also makes use of the “search” protocol.

Threat actors exploit the “search-ms” protocol to deceive users with emails, compromised websites, and disguised remote files to make them execute malicious code unknowingly.

Infection Chain (Source – Trellix)

Besides this, security analysts detected several phishing emails using the “search-ms” protocol to deliver a malicious payload, masked as urgent sales quotation requests.

Phishing emails (Source – Trellix)

Various attack variants involve emails with HTML/PDF attachments containing URLs to compromised websites using the ‘search-ms’ URI protocol handler, while embedded scripts in HTML files can also trigger the attack.

Once the link in the email or attachment is clicked, users get redirected to a website exploiting the “search-ms” URI protocol handler, revealing a suspicious script in the GET request for page.html:

HTML with ‘search-ms’ URI Protocol Handler (Source – Trellix)

The investigation uncovered numerous PowerShell file variants, comprising:

  • The “over.ps1” file downloads an ISO file.
  • PowerShell scripts directly download the DLL payload and execute it.
  • PowerShell scripts that trigger the download of a zip file containing an EXE payload.
  • PowerShell scripts that download and execute DLL files.
  • PowerShell scripts that download and execute VBS files.

The campaign deploys remote access trojans (RATs) like Async RAT and Remcos RAT to gain unauthorized control over infected systems, facilitating:

  • Data theft
  • User monitoring
  • Command execution

The Remcos RAT employs null byte injection in its EXE payload to evade security products. The attacker takes a proactive approach, continuously updating files to avoid detection by security products and to bypass static signatures and known IoCs.

Multiple HTML used as an initial attack vector (Source – Trellix)

Security analysts found attacker-controlled file servers, some lacking authentication, posing a significant security risk by enabling easy access for further exploitation.


The recommendations are listed below:

  • Make sure to exercise caution and be vigilant about untrusted links.
  • It is crucial not to click on suspicious URLs or download files from unknown sources to avoid potential risks.
  • Beware of the exploitation of the “search” / “search-ms” URI protocol handler to deliver malicious payloads to systems.
  • Make sure to avoid engaging with potentially harmful links and files.
  • Always keep your system and AV tools updated with the latest available security patches and updates.
  • Make sure to use a robust AV solution.
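
One way to act on the “search” / “search-ms” recommendation is to scan HTML attachments and pages for these URIs and flag any that point the search at a remote location. The Python below is an added example, not code from Trellix or from the original article; the `query` and `crumb=location:` parameter names are assumed from Microsoft's documented search-ms syntax, and the hosts in the sample are constructed placeholders.

```python
import html
import re
from urllib.parse import unquote

# Added example, not Trellix's tooling. The "query" and "crumb=location:" names
# are assumed from Microsoft's documented search-ms syntax, not from this page.
URI_RE = re.compile(r"""(?<![\w-])(search(?:-ms)?):([^"'<>\s]+)""", re.IGNORECASE)
# UNC paths (\\host or //host) and http(s)/file URLs count as remote.
REMOTE_RE = re.compile(r"^(?:\\\\|//|(?:https?|file):)", re.IGNORECASE)

def normalize(text):
    """Undo HTML-entity and percent encoding; two passes catch double encoding."""
    for _ in range(2):
        text = unquote(html.unescape(text))
    return text

def find_search_uris(document):
    """Return one finding per search:/search-ms: URI in an HTML document."""
    findings = []
    for match in URI_RE.finditer(normalize(document)):
        pairs = [p.split("=", 1) for p in match.group(2).split("&") if "=" in p]
        locations = [v[len("location:"):] for k, v in pairs
                     if k.lower() == "crumb" and v.lower().startswith("location:")]
        findings.append({
            "scheme": match.group(1).lower(),
            "uri": match.group(0),
            # A location outside the local machine is the part worth alerting on.
            "remote_locations": [loc for loc in locations if REMOTE_RE.match(loc)],
        })
    return findings

def is_suspicious(document):
    """True when any search URI in the document targets a remote location."""
    return any(f["remote_locations"] for f in find_search_uris(document))

# Constructed sample attachment body (hosts are placeholders).
SAMPLE_HTML = r"""
<a href="search-ms:query=Quotation&amp;crumb=location:%5C%5Cfiles.example.invalid%5Cshare&amp;displayname=Search">View quotation</a>
<a href="search-ms:query=notes&amp;crumb=location:C:\Users\Public\Documents">Local search</a>
<a href="search:query=report&amp;crumb=location:\\files.example.invalid\docs">Report</a>
"""

if __name__ == "__main__":
    for finding in find_search_uris(SAMPLE_HTML):
        verdict = "REMOTE" if finding["remote_locations"] else "local"
        print(verdict, finding["scheme"], finding["remote_locations"])
```

Decoding before matching matters here: the first sample link hides its UNC path behind percent encoding, so a plain substring search for a double backslash would miss it.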


Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.