A new variant of the FileFix social engineering attack uses cache smuggling to plant malicious ZIP archives on victim systems while evading security software [1]. The technique is a significant evolution of a threat that researchers have tracked since its public disclosure in June 2025 [4]. The chain begins with compromised WordPress sites that redirect traffic through a Traffic Distribution System (TDS) to phishing pages impersonating major services such as Meta and Fortinet VPN [3]. These pages use JavaScript to open a Windows File Explorer dialog and place a malicious PowerShell command on the clipboard, then instruct the user, under a false pretext, to paste it into the Explorer address bar.
The core innovation in this campaign is the use of the browser's cache as the delivery channel for the final payload. Rather than prompting the victim to download a suspicious file, the phishing page causes the browser to fetch and cache a payload that is served as if it were a JPEG image [1, 3]. The FileFix command then runs a PowerShell script that locates the cached "image" on disk, carves the archive out of it and executes it, so there is no separate file download for security tools to flag. Combined with the trusted appearance of File Explorer, this cache smuggling technique makes a potent evasion method, and it has been observed delivering information stealers such as StealC and remote access trojans such as Interlock RAT [2, 9].
Technical Breakdown of Cache Smuggling Technique
Cache smuggling changes the detection landscape because it moves the payload into a channel that is expected to carry opaque binary data. According to research from Expel cited by The Hacker News [3], the phishing page loads a payload that the browser caches as what appears to be a JPEG image. The PowerShell command that victims are tricked into running from the File Explorer address bar then reads that cached content directly from the browser's on-disk cache. Because the payload never crosses the network as a conventional file download, controls that look for suspicious downloads or scan downloaded files for malicious content are bypassed.
The method is effective because it abuses legitimate browser behaviour. The browser treats the payload as an ordinary cached resource, no different from an image or script file it has fetched for a site. When the PowerShell command executes, it reads the content from the local disk rather than making a new network request, so at that point there is no outbound connection to observe; the only network event is the earlier image fetch, which looks like routine page loading unless the response body itself is inspected. Analysts hunting for a download event or a second-stage callback would therefore find nothing in their logs, which makes detection considerably harder. The technique is another instance of attackers favouring living-off-the-land approaches that abuse legitimate system functions.
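The following Python script, an added example written for this article and not code from Expel's research or from the campaign itself, shows both sides of cache smuggling in miniature: a constructed blob with a JPEG header that carries a ZIP between two made-up marker strings, the carving step a victim-side command performs against a cache directory, and a defender's hunt for cache entries that look like a JPEG but also contain a complete ZIP structure. The marker strings, the entry file names and the simulated cache directory are assumptions. Real browser cache formats (Chromium's simple cache, for example) prepend their own entry metadata, which is why the hunt looks for the JPEG start-of-image bytes anywhere before the ZIP signature rather than only at offset zero.

```python
"""Cache smuggling in miniature (added example; constructed data, not real malware).

A JPEG-looking blob carries a ZIP archive; one function carves it out of a
cache directory the way a victim-side command would, another hunts for such
polyglots the way a responder would.
"""
import io
import os
import tempfile
import zipfile

JPEG_SOI = b"\xff\xd8\xff"                        # JPEG start-of-image bytes
JPEG_HEADER = JPEG_SOI + b"\xe0\x00\x10JFIF\x00"  # enough to sniff as image/jpeg
ZIP_LOCAL_HEADER = b"PK\x03\x04"                  # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"                          # ZIP end-of-central-directory signature
START_MARKER = b"<<SMUGGLE_BEGIN>>"               # hypothetical delimiters; the real
END_MARKER = b"<<SMUGGLE_END>>"                   # campaign's markers are not reproduced here


def make_sample_zip() -> bytes:
    """Constructed sample archive standing in for the malicious ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", "constructed sample, not malware\n")
    return buf.getvalue()


def build_smuggled_blob(archive: bytes) -> bytes:
    """Attacker side: wrap the archive in something a Content-Type: image/jpeg
    response can carry so the browser caches it as an image."""
    padding = b"\x00" * 64
    return JPEG_HEADER + padding + START_MARKER + archive + END_MARKER + padding


def _cache_entries(cache_dir: str):
    """Yield (path, bytes) for every file below the simulated cache directory."""
    for root, _, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                yield path, fh.read()


def carve_from_cache(cache_dir: str) -> list[tuple[str, bytes]]:
    """Victim side: walk the cache, find the markers, lift the archive out.
    No network request is made; the bytes are already on disk."""
    found = []
    for path, data in _cache_entries(cache_dir):
        start = data.find(START_MARKER)
        if start == -1:
            continue
        end = data.find(END_MARKER, start)
        if end == -1:
            continue
        found.append((path, data[start + len(START_MARKER):end]))
    return found


def hunt_polyglots(cache_dir: str) -> list[str]:
    """Defender side: flag entries where JPEG start-of-image bytes appear
    before a complete ZIP structure (local header plus end-of-central-directory)."""
    hits = []
    for path, data in _cache_entries(cache_dir):
        soi = data.find(JPEG_SOI)
        if soi == -1:
            continue
        lfh = data.find(ZIP_LOCAL_HEADER, soi)
        if lfh != -1 and data.find(ZIP_EOCD, lfh) != -1:
            hits.append(path)
    return hits


def demo() -> dict:
    """Simulate a browser cache holding one smuggled entry and one plain image."""
    with tempfile.TemporaryDirectory() as cache_dir:
        archive = make_sample_zip()
        with open(os.path.join(cache_dir, "f_000123"), "wb") as fh:  # assumed entry name
            fh.write(build_smuggled_blob(archive))
        with open(os.path.join(cache_dir, "f_000124"), "wb") as fh:  # harmless neighbour
            fh.write(JPEG_HEADER + b"\x00" * 200 + b"\xff\xd9")
        carved = carve_from_cache(cache_dir)
        hits = hunt_polyglots(cache_dir)
        # prove the carved bytes are a valid archive with the expected member
        names = zipfile.ZipFile(io.BytesIO(carved[0][1])).namelist()
        return {
            "carved": len(carved),
            "names": names,
            "hit_files": sorted(os.path.basename(p) for p in hits),
        }


if __name__ == "__main__":
    print(demo())
```

The hunt deliberately requires both a local file header and an end-of-central-directory record after the JPEG bytes: `PK\x03\x04` alone turns up in enough ordinary binary data to be noisy, while a JPEG that also carries a closed ZIP structure is worth a look. Pointing `hunt_polyglots` at a real browser cache directory is a reasonable first hunt for this technique, with the caveat that legitimate sites occasionally serve images with trailing data.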
FileFix Attack Chain and Steganography Integration
A FileFix attack begins when users visit compromised WordPress sites injected with malicious code, typically in theme files such as functions.php [3]. These sites redirect visitors through the Kongtuke Traffic Distribution System, which serves the final FileFix phishing pages. The pages are highly polished, with translations in at least 16 languages and anti-analysis techniques to evade automated detection systems [8]. Once the victim interacts with the page, its JavaScript opens a Windows File Explorer dialog and writes a malicious PowerShell command to the clipboard; browsers generally require a click or similar gesture before a page may write to the clipboard, so the lure is built around getting that one interaction, after which the victim is told to paste into the address bar.
Researchers have documented advanced FileFix campaigns that add steganography to conceal their activity [8]. In these variants, the initial FileFix command downloads a JPG file that carries hidden PowerShell scripts, which researchers believe were generated with the help of artificial intelligence. A second PowerShell script, also concealed in the same JPG, is then executed to extract and run the final StealC payload from the image data. This layering frustrates static analysis: the carrier file looks like a legitimate image, and the embedded code only surfaces at execution time.
Commercial Phishing Kits Lowering Entry Barriers
The proliferation of FileFix and its predecessor ClickFix has been accelerated by commercial phishing kits that lower the technical barrier for threat actors. Palo Alto Networks Unit 42 researchers identified the IUAM ClickFix Generator, a toolkit that lets actors with minimal technical skill create highly customizable landing pages [3]. The kit can mimic browser verification challenges from content delivery networks such as Cloudflare, manipulate the victim's clipboard, detect the operating system, and select the delivered malware, such as DeerStealer or Odyssey Stealer, from a predefined configuration.
Microsoft has warned about the growing commercialization of ClickFix builders on underground forums since late 2024, with toolkits such as "Impact Solutions" explicitly promising to bypass antivirus and SmartScreen protections [3]. These offerings bundle traffic distribution, geotargeting and automated payload generation, effectively packaging the FileFix technique for less sophisticated actors. The availability of such kits shows that these social engineering methods are becoming commoditized, and organizations should expect to encounter them more frequently in the coming months.
Defense and Mitigation Strategies
Organizations can apply several technical controls against FileFix. Through Group Policy, the NoRun policy (the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) disables both the Windows Run dialog and command execution from the File Explorer address bar [9]. Restricting user execution of cmd.exe and requiring signed PowerShell scripts add further layers, with one caveat: execution policy governs script files, not inline commands, and a FileFix one-liner pasted into the address bar runs as an inline command (and can pass -ExecutionPolicy Bypass for good measure), so a signing requirement on its own will not stop it. Application control solutions such as Microsoft Defender Application Control or AppLocker can block unauthorized scripts and enforce Constrained Language Mode for PowerShell, which limits what such a command can do even when a user is tricked into running it.
Blocking commonly abused domains such as trycloudflare.com at the firewall can disrupt the chain where those domains are not needed for business [9]. Endpoint Detection and Response tooling should alert on PowerShell launched by explorer.exe or by a web browser, which is an anomalous parent-child relationship; because explorer.exe is also the parent of ordinary interactive launches, pair that signal with command-line indicators rather than acting on the parent alone. Keeping software patched, especially WordPress plugins and themes, shrinks the initial compromise surface. Security teams should also hunt regularly for the behavioural patterns of these attacks, in particular PowerShell execution from unusual parent processes.
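The parent-child signal is easy to state and easy to over-alert on. The following Python, an added example and not a detection rule from any vendor cited on this page, scores constructed process-creation events (field names after Sysmon Event ID 1) so that a shell spawned by a browser alerts on its own, while a shell spawned by explorer.exe alerts only when the command line also carries the kind of flags and paths a FileFix one-liner needs. The weights, the regular expressions and the sample events are assumptions made for illustration.

```python
"""Triage of process-creation events for the FileFix parent/child pattern
(added example; the events below are constructed, not real telemetry)."""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line heuristics. These are assumptions about what a FileFix one-liner
# tends to contain, not signatures taken from the campaign.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "profile suppressed"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression"),
    (re.compile(r"\\(Cache|Cache_Data|cache2)\\", re.I), "touches browser cache"),
    (re.compile(r"expand-archive|\.zip\b", re.I), "archive extraction"),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    image = _basename(ev["Image"])
    parent = _basename(ev["ParentImage"])
    if image not in SHELLS:
        return 0, []
    score, reasons = 0, []
    if parent in BROWSERS:
        score += 60  # a browser spawning a shell is rare enough to alert on by itself
        reasons.append(f"shell spawned by browser {parent}")
    elif parent == "explorer.exe":
        score += 20  # also true of ordinary Start-menu launches, so weight it low
        reasons.append("shell spawned by explorer.exe")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(ev["CommandLine"]):
            score += 15
            reasons.append(label)
    return score, reasons


def triage(events: list[dict], threshold: int = 50) -> list[tuple[int, int, list[str]]]:
    """Events at or above the threshold, as (ProcessId, score, reasons)."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev["ProcessId"], score, reasons))
    return alerts


# Constructed sample events, using Sysmon Event ID 1 style field names.
SAMPLE_EVENTS = [
    {   # user opened PowerShell from the Start menu: explorer.exe parent, plain command line
        "ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    },
    {   # FileFix-style one-liner pasted into the Explorer address bar (constructed)
        "ProcessId": 4388, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -nop -c "$d=\"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data\"; Expand-Archive $d\out.zip $env:TEMP"',
    },
    {   # browser spawning a shell directly
        "ProcessId": 5016, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami",
    },
    {   # scheduled maintenance script: service host parent, no-profile flag only
        "ProcessId": 6004, "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
]

if __name__ == "__main__":
    for pid, score, reasons in triage(SAMPLE_EVENTS):
        print(pid, score, ", ".join(reasons))
```

Run against the sample, only the explorer-launched one-liner that hides its window, suppresses the profile, reaches into a browser cache path and expands an archive, and the shell spawned directly by Chrome, cross the threshold; the interactive PowerShell launch and the scheduled task stay below it. Tune the weights against your own baseline before deploying anything like this, and treat the cache-path pattern as the one most worth keeping, since it is specific to this delivery method.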
The evolution of FileFix with cache smuggling demonstrates how threat actors continue to refine their techniques to evade security controls. This attack combines social engineering with technical evasion methods, creating a potent threat that bypasses both human and technological defenses. Security teams must implement layered defenses that include technical controls, user education, and robust monitoring to detect and prevent these attacks. As FileFix and similar techniques become more widespread through commercial phishing kits, organizations should anticipate encountering them more frequently and prepare their defenses accordingly.