New Cache Smuggling Phishing Attack Delivers Malware via Browser Cache
A new wave of phishing attacks shows how sophisticated social-engineering techniques have become. Researchers have identified an evolved variant of the FileFix attack that uses a cache-smuggling technique to deposit a malicious ZIP archive on a victim's device without a conventional download, sidestepping standard defenses. The campaign masquerades as an official-looking Fortinet VPN compliance checker; it was first flagged by a security researcher using the handle P4nd3m1cb0y, and Expel later published a detailed technical analysis.
FileFix is an evolution of the ClickFix method originated by Mr.d0x. Whereas ClickFix tricks users into pasting a malicious command into a system prompt (for example, the Run dialog), FileFix abuses the Windows Explorer address bar, which will launch a program when the text pasted into it is a command rather than a path, and so can start PowerShell without any visible window. In this incarnation the victim is told to copy what appears to be the path of an executable named ForticlientCompliance.exe from the website and paste it into Explorer's address field.
At first glance the pasted text looks like a benign UNC path, for example \\Public\Support\VPN\ForticlientCompliance.exe. What is actually on the clipboard is a PowerShell command followed by a run of 139 spaces and then that decoy path; because the address bar shows only the tail end of a long string, the user sees nothing but the path. When Enter is pressed, Explorer runs the hidden command, which launches PowerShell through conhost.exe in the background with no console window or other visible indicator of activity.
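The padding trick leaves a recognisable footprint in process-creation telemetry: Explorer spawning a command host with a command line that contains a long run of spaces and a decoy path after a comment marker. The following detection logic is an added example written for this page, not code from Expel or from the campaign; it runs over constructed sample events whose field names are modelled on Sysmon Event ID 1, the command body is a placeholder rather than the real payload, and the headless-conhost check assumes a `--headless` flag that the article itself does not mention.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (field names modelled on Sysmon Event ID 1; hypothetical)."""
    parent_image: str
    image: str
    command_line: str


# Command hosts that Explorer's address bar should rarely spawn on a managed workstation.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "conhost.exe", "cmd.exe"}
# FileFix pads the real command with a long run of spaces so only the decoy path is visible.
PADDING = re.compile(r" {20,}")
# The decoy path trails a PowerShell comment marker: '# <spaces>\\share\path\file.exe'.
DECOY_PATH_AFTER_COMMENT = re.compile(r"#\s+\\\\\S+")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def filefix_indicators(ev: ProcEvent) -> list:
    """Return the FileFix indicators present in one event (empty list = nothing suspicious)."""
    if basename(ev.parent_image) != "explorer.exe" or basename(ev.image) not in SHELL_CHILDREN:
        return []
    found = []
    if PADDING.search(ev.command_line):
        found.append("whitespace padding")
    if DECOY_PATH_AFTER_COMMENT.search(ev.command_line):
        found.append("decoy path after comment marker")
    if "--headless" in ev.command_line.lower():  # assumption: headless conhost launch
        found.append("headless conhost")
    return found


def scan(events) -> list:
    """Return (index, indicators) for every event that carries at least one indicator."""
    return [(i, ind) for i, ev in enumerate(events) if (ind := filefix_indicators(ev))]


# Constructed sample events. Event 1 is a user legitimately typing "powershell.exe" into the
# address bar and must not fire; event 2 mimics the padded FileFix string with a placeholder body.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\conhost.exe",
              'conhost.exe --headless powershell.exe -w hidden -c "<placeholder>" #'
              + " " * 139 + r"\\Public\Support\VPN\ForticlientCompliance.exe"),
]

if __name__ == "__main__":
    for idx, indicators in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line[:60] + "...", indicators)
```

The whitespace-padding check is the most generic of the three: it does not depend on the decoy path or the command host and will also catch variants that swap conhost.exe for a direct powershell.exe launch.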
The script first creates the directory %LOCALAPPDATA%\FortiClient\compliance and copies the files from Chrome's disk cache at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data\ into it. It then uses a regular expression to find the bytes lying between the markers bTgQcBpv and mX6o0lBw, which delimit a ZIP archive embedded in the fake image, writes that archive out as ComplianceChecker.zip, and unpacks it. Finally it launches the malicious executable FortiClientComplianceChecker.exe from the extracted contents.
The linchpin of the scheme is cache smuggling. When the phishing page is visited, its embedded JavaScript makes the browser fetch a file served as a JPEG image. The response is presented as an ordinary, cacheable image, so the browser writes it to its disk cache as a benign resource and nothing is handed to web filtering or download scanning. Because this happens before the PowerShell step, the payload is already on disk when the script runs: it only has to carve the ZIP out of the cached artifact, without issuing any further network requests.
This method sidesteps most antivirus products and monitoring systems that key on downloads: at the time of execution neither the script nor the page fetches anything, so the observable behavior does not trigger the usual alerts. As Hutchins noted in the Expel analysis, that stealth makes the attack particularly dangerous.
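The carving step and the cache-smuggling layout described in the two preceding paragraphs can be turned into a hunting check: a cached "image" that carries a ZIP local-file header inside it is worth a look, and the same marker-delimited extraction the malware performs can confirm what the ZIP contains. The code below is an added example for this page, not the campaign's script or Expel's tooling; it fabricates its own test artifact in memory (the marker strings are the ones reported in the analysis, the file inside the ZIP is a placeholder) and assumes cached bodies may be preceded by Chrome's own entry header, so the JPEG magic is looked for within the first kilobyte rather than at offset zero.

```python
import io
import re
import zipfile
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Marker strings reported in the analysis; any other pair works with the same code.
START_MARKER = b"bTgQcBpv"
END_MARKER = b"mX6o0lBw"


def build_smuggled_image(files: dict, start=START_MARKER, end=END_MARKER) -> bytes:
    """Constructed test artifact only: JPEG magic, filler, then a ZIP wedged between markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return JPEG_MAGIC + b"\xe0" + b"\x00" * 64 + start + buf.getvalue() + end + b"\x00" * 32


def looks_smuggled(blob: bytes) -> bool:
    """Cheap triage: an image body should not contain a ZIP local-file header after its magic."""
    i = blob.find(JPEG_MAGIC, 0, 1024)  # assumption: cache entry header precedes the body
    return i != -1 and blob.find(ZIP_LOCAL_HEADER, i) != -1


def carve_between_markers(blob: bytes, start=START_MARKER, end=END_MARKER):
    """Non-greedy match between the two markers, mirroring the extraction the malware performs."""
    m = re.search(re.escape(start) + rb"(.*?)" + re.escape(end), blob, re.DOTALL)
    return m.group(1) if m else None


def embedded_zip_names(blob: bytes, start=START_MARKER, end=END_MARKER) -> list:
    """List the members of the ZIP hidden between the markers, or [] if there is no valid ZIP."""
    payload = carve_between_markers(blob, start, end)
    if payload is None:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_cache_dir(cache_dir) -> list:
    """Walk a copied Cache_Data directory and report (filename, zip members) for suspect files."""
    hits = []
    for p in Path(cache_dir).iterdir():
        if p.is_file():
            blob = p.read_bytes()
            if looks_smuggled(blob):
                hits.append((p.name, embedded_zip_names(blob)))
    return hits


if __name__ == "__main__":
    sample = build_smuggled_image({"FortiClientComplianceChecker.exe": b"MZ placeholder bytes"})
    print("suspicious:", looks_smuggled(sample))
    print("embedded members:", embedded_zip_names(sample))
```

Run `scan_cache_dir` against a copy of the profile's Cache_Data directory taken while the browser is closed, not against the live cache. The marker-based carve only finds the archive when you already know the delimiters; `looks_smuggled` is the generic check, since a ZIP header inside anything served as an image is anomalous regardless of how the payload is framed.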
Following the original FileFix publication, the technique was rapidly adopted by various threat actors, including ransomware operators. Around the same time, Palo Alto Networks' Unit 42 uncovered a toolkit dubbed the "IUAM ClickFix Generator," which automates the creation of such phishing lures.
The generator gives attackers a GUI for building counterfeit verification pages, letting them customize headings, text, color schemes, and the clipboard payload. It detects the target operating system and emits a Windows PowerShell command or a base64-encoded shell payload for macOS accordingly; on unsupported systems it may show an innocuous placeholder.
All variants employ a fake Cloudflare CAPTCHA; victims are then prompted to paste a concealed command into a command prompt, terminal, or Run dialog. Unit 42 attributes the distribution of malware families such as DeerStealer on Windows and Odyssey on macOS to campaigns using these techniques, alongside other as-yet-unidentified Windows payloads.
The spread of such toolsets and the brisk activity of cybercriminals underscore the pressing need to raise employee awareness about the dangers of copying text from web pages into system interfaces. Actions that seem innocuous at first glance can, with a single paste, culminate in total device compromise.