Cybersecurity researchers have warned of a brand new marketing campaign that is leveraging a variant of the FileFix social engineering tactic to ship the StealC data stealer malware.
“The noticed marketing campaign makes use of a extremely convincing, multilingual phishing website (e.g., faux Fb Safety web page), with anti-analysis methods and superior obfuscation to evade detection,” Acronis safety researcher Eliad Kimhy mentioned in a report shared with The Hacker Information.
At a excessive degree, the assault chain entails the usage of FileFix to entice customers into launching an preliminary payload that then proceeds to obtain seemingly innocuous photos containing the malicious elements from a Bitbucket repository. This permits the attackers to abuse the belief related to a legit supply code internet hosting platform to bypass detection.
FileFix, first documented by safety researcher mrd0x as a proof-of-concept (PoC) in June 2025, is somewhat totally different from ClickFix in that it eschews the necessity for customers to launch the Home windows Run dialog and paste an already copied obfuscated command to finish bogus CAPTCHA verification checks on phishing pages arrange for this goal.
As a substitute, it leverages an online browser’s file add characteristic to deceive customers into copying and pasting a command on the File Explorer’s deal with bar, inflicting it to be executed domestically on the sufferer’s machine.
The assault commences with a phishing website to which the sufferer is probably going redirected from an e mail message that warns recipients of potential suspension of their Fb accounts after every week, claiming the shared posts or messages violate its insurance policies. Customers are then requested to enchantment the choice by clicking on a button.
The phishing web page isn’t solely closely obfuscated, but in addition resorts to methods like junk code and fragmentation to hinder evaluation efforts.
The FileFix assault comes into play as soon as the button is clicked, at which level the sufferer is displayed a message stating they’ll entry a PDF model of the supposed coverage violation by copying and pasting a path to the doc within the File Explorer’s deal with bar.
Whereas the trail supplied within the instruction seems utterly innocent, clicking the “Copy” button really copies a malicious command that is suffixed with further areas, in order that solely the file path is displayed when pasted into File Explorer upon opening it utilizing the “Open File Explorer” button.
This command is a multi-stage PowerShell script that downloads the aforementioned picture, decodes it into the next-stage payload, and in the end runs a Go-based loader that unpacks shellcode accountable for launching StealC.
FileFix additionally affords an important benefit over ClickFix, because it abuses a extensively used browser characteristic versus opening the Run dialog (or the Terminal app in case of Apple macOS), which could possibly be blocked by a system administrator as a safety measure.
“However, one of many issues that makes ClickFix so difficult to detect within the first place is that it’s spawned from Explorer.exe through the run dialog, or immediately from a terminal, whereas with FileFix, the payload is executed by the net browser utilized by the sufferer, which is way extra more likely to stand out in an investigation or to a safety product,” Acronis mentioned.
“The adversary behind this assault demonstrated important funding in tradecraft, fastidiously engineering the phishing infrastructure, payload supply and supporting components to maximise each evasion and impression.”
The disclosure comes as Doppel detailed one other marketing campaign that has been noticed utilizing a mix of faux assist portals, Cloudflare CAPTCHA error pages, and clipboard hijacking — i.e., ClickFix — to socially engineer victims into operating malicious PowerShell code that downloads and runs an AutoHotkey (AHK) script.
The script is designed to profile the compromised host and ship extra payloads, together with AnyDesk, TeamViewer, data stealers, and clipper malware.
The cybersecurity firm mentioned it additionally noticed different variants of the exercise the place victims are guided to run an MSHTA command pointing to a lookalike Google area (“wl.google-587262[.]com”), which then retrieves and executes a distant malicious script.
“AHK is a Home windows-based scripting language initially designed for automating repetitive duties like keystrokes and mouse clicks,” Doppel safety researcher Aarsh Jawa famous.
“Whereas it is lengthy been well-liked amongst energy customers and system admins for its simplicity and suppleness, menace actors started weaponizing AHK round 2019 to create light-weight malware droppers and info-stealers. These malicious scripts typically masquerade as benign automation instruments or assist utilities.”
