
A newly identified social engineering campaign, dubbed “FileFix,” is actively impersonating Meta account suspension warnings to distribute the StealC information-stealing malware. This attack represents a significant evolution of the earlier “ClickFix” technique, incorporating steganography to conceal malicious payloads and abusing the Windows File Explorer address bar for execution, bypassing traditional security warnings [1]. Acronis, which discovered and analyzed the campaign, observed multiple variants over a two-week period, indicating an evolving and persistent attack infrastructure [1].
The attack begins with a phishing email containing a fake Meta account suspension warning. The message instructs the recipient to view an attached “incident report” to avoid account disablement. Clicking the link leads to a fraudulent webpage that mimics a Meta login portal. A prominent “Copy” button on this page copies a malicious PowerShell command into the user’s clipboard; the command is padded with a long run of spaces so that only a benign-looking file path such as `C:\Users\Public\Report.pdf` remains visible [1]. The victim is then instructed to paste the clipboard content into the Windows File Explorer address bar and press Enter, which executes the hidden PowerShell code.
Technical Mechanics of the FileFix Technique
The core FileFix technique, originally publicly disclosed by researcher mr.d0x on June 23, 2025, exploits user trust in the Windows File Explorer interface [2], [3]. The malicious PowerShell command is constructed from three concatenated parts. The first part, `realCmd`, contains the actual PowerShell instruction, such as a command to download and execute a payload. The second part, `padding`, consists of a long string of spaces (e.g., `" ".repeat(200)`), which pushes the actual command far to the right, outside the visible area of the File Explorer address bar. The third part, `fakePath`, is a decoy file path often prefixed with a `#` symbol, which PowerShell interprets as a comment, rendering it harmless [2]. This entire string is silently written to the clipboard using JavaScript’s `navigator.clipboard.writeText()` function when the user clicks a fake “I’m not a robot” button on the phishing page.
Evolution and Use of Steganography
The September 2025 variant analyzed by Acronis demonstrates a further evolution. It replaces the `#` symbol for comment-based obfuscation with a variable containing spaces, a modification that may bypass security detections tuned for the original method [1]. The first-stage PowerShell script is designed to download a JPG image from a Bitbucket repository. This image is not merely a picture; it contains a hidden, embedded second-stage PowerShell script and encrypted executables using steganography [1], [5]. This technique allows threat actors to hide malicious code within a seemingly innocent file, evading network-based security scanners that might flag a direct script download.
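As an added example (not part of the Acronis analysis or of this article), the following Python check looks for content appended after a JPEG's End-Of-Image marker, one common way of smuggling a script inside an image file that still opens normally. The report does not describe how the second stage is embedded, so the appended-after-EOI layout, the constructed image bytes, and the keyword list are all assumptions made for the illustration.

```python
"""Heuristic scan of a JPEG for script content appended after the image data.

Added example; the layout assumed here (payload appended after the EOI
marker) is an assumption, not the embedding the Acronis report describes.
"""

SOI = b"\xff\xd8"  # Start Of Image
SOS = b"\xff\xda"  # Start Of Scan: entropy-coded data follows
EOI = b"\xff\xd9"  # End Of Image

# Substrings that suggest an embedded PowerShell stage (constructed list;
# tune it to the scripts actually seen in your environment).
SCRIPT_MARKERS = (
    b"powershell", b"invoke-expression", b"iex(", b"iex ", b"frombase64string",
    b"downloadstring", b"downloadfile", b"start-process", b"-encodedcommand",
)


def jpeg_trailer(data: bytes) -> bytes:
    """Return whatever follows the image's real End-Of-Image marker.

    Inside the entropy-coded stream every 0xFF byte is stuffed as 0xFF 0x00,
    so the first 0xFF 0xD9 after the first SOS marker is the genuine EOI;
    searching for the *last* EOI instead would let an appended payload that
    happens to contain 0xFF 0xD9 hide itself.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    sos = data.find(SOS)
    eoi = data.find(EOI, sos if sos != -1 else len(SOI))
    if eoi == -1:
        return b""  # truncated file; there is no EOI to append after
    return data[eoi + len(EOI):]


def scan_jpeg(data: bytes) -> dict:
    """Summarise trailing data and any script-like markers found in it."""
    trailer = jpeg_trailer(data)
    lowered = trailer.lower()
    markers = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
    return {
        "trailer_bytes": len(trailer),
        "markers": markers,
        # Some writers leave harmless trailing bytes, so script markers, not
        # merely a non-empty trailer, are what make the file worth a look.
        "suspicious": bool(markers),
    }


# Constructed minimal JPEG: SOI, one APP0 segment, an SOS header, a few bytes
# of entropy data with a stuffed 0xFF, then EOI. It is not a renderable image;
# only the marker layout matters for the check.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0\x00\x04JF"   # APP0, length 4 (2 length bytes + 2 payload bytes)
    + SOS + b"\x00\x02"       # SOS, length 2 (header only)
    + b"\x12\xff\x00\x34"     # entropy-coded data containing a stuffed 0xFF
    + EOI
)

# Constructed "stego" sample: the same image with placeholder script text
# appended after EOI (assumption about where a second stage would sit).
STEGO_JPEG = CLEAN_JPEG + (
    b"\n# [stage2 placeholder, constructed for this example]\n"
    b'powershell -Command "Invoke-Expression $stage2"\n'
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("stego", STEGO_JPEG)):
        print(name, scan_jpeg(blob))
```

Run it over files pulled from a proxy or sandbox to get a quick triage signal; a hit on `trailer_bytes` alone is only a curiosity, while script markers in the trailer justify handing the file to an analyst.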
Final Payload: The StealC Infostealer
The ultimate objective of this campaign is to deploy the StealC infostealer, a sophisticated malware designed to harvest a wide array of sensitive information from compromised systems [1]. The malware targets browser credentials and cookies, which can provide access to online accounts and bypass multi-factor authentication. It also seeks out credentials for popular messaging applications like Discord and Telegram, potentially compromising private communications. StealC is equipped to exfiltrate files related to cryptocurrency wallets, posing a direct financial threat. Furthermore, it targets cloud service credentials for platforms such as AWS and Azure, which could lead to significant corporate data breaches. The malware also collects data from VPN clients and gaming applications and takes screenshots of the active desktop, providing attackers with a comprehensive view of the victim’s activities and stored data.
Rapid Adoption and Broader Threat Landscape
The FileFix technique has been rapidly adopted by threat actors since its disclosure. Check Point Research reported that known actors were testing the method with benign payloads less than two weeks after it was made public [3]. This testing was linked to an actor with a history of using ClickFix to deliver loaders, Remote Access Trojans (RATs), and stealers via SEO poisoning and malvertising campaigns, such as fake 1Password websites. The actor employs multi-language lures, including English, Korean, Slovak, and Russian, and consistently mimics Cloudflare CAPTCHA pages. Beyond the StealC campaign, other groups like KongTuke have been observed using FileFix to deliver the Interlock RAT, confirming its use in ransomware attacks [6]. This rapid weaponization fits into a broader trend, with The Hacker News reporting a 517% surge in ClickFix attacks throughout 2024 and early 2025 [5].
Defensive Recommendations and Mitigation
The effectiveness of FileFix stems from its abuse of trusted user behavior and system components. A primary reason it bypasses defenses is the absence of the Mark of the Web (MOTW) security flag; since no file is downloaded, warnings like Microsoft’s SmartScreen are not triggered [4]. Mitigation requires a multi-layered approach focusing on both technical controls and user awareness. Security teams should implement Endpoint Detection and Response (EDR) rules to flag and alert on instances where `powershell.exe` is spawned with `explorer.exe` or a web browser as its parent process. Application control policies, such as Microsoft Defender Application Control (MDAC), can be configured to restrict the execution of unauthorized PowerShell scripts and other potentially malicious applications. From a user perspective, training is critical. Users must be educated to never paste unknown content into system dialogs, the Run dialog, or the File Explorer address bar. Organizations can also consider configuring browser settings to limit website access to the clipboard without explicit user permission, though this may impact legitimate functionality.
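The two detection ideas above, the parent-process rule and the `realCmd` + `padding` + `fakePath` layout from the technique description, can be expressed as a small rule set over process-creation telemetry. The following Python is an added example written for this page, not code from Acronis, Check Point or any EDR product: the field names follow Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`, `ProcessId`), the events are constructed, the parent list and the 20-space threshold are assumptions, and the first event stands in a harmless `Write-Host` for the real first stage.

```python
"""Flag FileFix-style PowerShell launches in process-creation telemetry.

Added example over constructed Sysmon-style events; the field names follow
Sysmon Event ID 1 but the events themselves are made up for this illustration.
"""
import ntpath
import re

# Parents from which a PowerShell launch deserves a look in this scenario:
# File Explorer (address-bar paste) and common browsers. Constructed list.
SUSPICIOUS_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# The realCmd + padding + fakePath layout: a long run of spaces separates the
# real command from the decoy the victim sees. 20 spaces is an assumed floor;
# the lure described above uses far more.
PAD_RUN = re.compile(r" {20,}")


def split_padded(cmdline):
    """Split a padded command line at its last long space run into
    (hidden command, visible decoy); None when there is no such run."""
    last = None
    for last in PAD_RUN.finditer(cmdline):
        pass
    if last is None:
        return None
    return cmdline[: last.start()].rstrip(), cmdline[last.end():].lstrip()


def evaluate(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    if image not in POWERSHELL_IMAGES:
        return []
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    parts = split_padded(event["CommandLine"])
    if parts is not None:
        hidden, decoy = parts
        reasons.append(f"command hidden behind padding; victim saw only {decoy!r}")
    return reasons


def scan(events):
    """Map ProcessId -> reasons for every event that triggers at least one rule."""
    findings = {}
    for event in events:
        reasons = evaluate(event)
        if reasons:
            findings[event["ProcessId"]] = reasons
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events. 4101 models the File Explorer paste described above with
# a harmless placeholder in place of the real first stage; 4102 is a routine
# scheduled script; 4103 is a browser-spawned shell with no padding; 4104 is a
# benign Explorer child that must not fire.
EVENTS = [
    {"ProcessId": 4101, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -c "Write-Host stage1"' + " " * 200
                    + r"# C:\Users\Public\Report.pdf"},
    {"ProcessId": 4102, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"ProcessId": 4103, "Image": PS,
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": 'powershell.exe -c "Get-Date"'},
    {"ProcessId": 4104, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\Report.pdf"},
]

if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Keeping the two rules separate matters in practice: the parent-process rule catches the September variant that drops the `#` comment, while the padding rule still fires when an attacker launches through an unexpected parent; `split_padded` also hands the analyst the decoy string the victim actually saw, which is useful when tracing the lure.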
The FileFix campaign represents a sophisticated blend of social engineering and technical evasion. By abusing a fundamental Windows feature and hiding payloads within images, threat actors have created a method that is both highly effective and difficult to detect with conventional security tools. Its rapid adoption and evolution from a proof-of-concept to delivering major malware families like StealC and Interlock RAT underscore its potency. Defense requires vigilant monitoring for unusual process relationships, strict application control, and ongoing user education to counter this advanced form of digital deception.
References
- L. Abrams, “New FileFix attack uses steganography to drop StealC malware,” BleepingComputer, Sep. 16, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-steganography-to-drop-stealc-malware/
- T. Horner, “FileFix Attack Technique: How Threat Actors Turn File Explorer Into a Weapon,” Medium, Jul. 16, 2025. [Online]. Available: https://medium.com/@trixiahorner/filefix-attack-technique-how-threat-actors-turn-file-explorer-into-a-weapon-c70b5bfeedca
- “FileFix: The New Social Engineering Attack Building on ClickFix Tested in the Wild,” Check Point Research, Jul. 16, 2025. [Online]. Available: https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
- “From ClickFix to FileFix: A New Frontier in Social Engineering Attacks,” Wizard Cyber, Jul. 7, 2025. [Online]. Available: https://wizardcyber.com/from-clickfix-to-filefix-a-new-frontier-in-social-engineering-attacks/
- “New FileFix Method Emerges as a Threat Following 517% Rise in…,” The Hacker News, Jun. 2025. [Online]. Available: https://thehackernews.com/2025/06/new-filefix-method-emerges-as-threat.html
- “Hackers are abusing ‘FileFix’ technique to drop RATs during ransomware attacks,” TechRadar, Jul. 15, 2025. [Online]. Available: https://www.techradar.com/pro/security/hackers-are-abusing-filefix-technique-to-drop-rats-during-ransomware-attacks
- “Framework for Malware Triggering Using Steganography,” MDPI, 2022. [Online]. Available: https://www.mdpi.com/2076-3417/12/16/8176