New FileFix Attack: Hiding Malware in Plain Sight
Acronis researchers have reported a fresh campaign that employs a modified FileFix technique to deliver the StealC data stealer. The attackers staged a convincing, multilingual phishing operation that forges pages for various services — for example, a counterfeit “Facebook Security” portal. On the fake page the user is shown a warning of “suspicious activity” on their account and is guided through a series of steps purportedly intended to “resolve the issue.”
FileFix differs from the previously described ClickFix method in that it does not require the victim to open the Run dialog and paste a command to pass a sham CAPTCHA. Instead, the attackers exploit the browser’s standard file-upload functionality and prompt the user to copy the “path to the document” into Explorer’s address bar.
In reality, the “Copy” button places a pre-crafted command — complete with trailing spaces — into the clipboard. When pasted into Explorer the visible content appears to be a harmless file path, while a hidden PowerShell call remains appended. An auxiliary “Open File Explorer” button opens the target window immediately, lending the sequence a natural, legitimate appearance.
The script executed by the victim first downloads an image from Bitbucket that conceals the next-stage payload, decodes it, and launches a Go-based loader. That loader unpacks shellcode and transfers control to StealC. This design allows the payload to be embedded within an image, splits the attack logic into discrete stages, and minimizes suspicious artifacts on disk.
The tactic has a practical advantage over ClickFix: it relies on universally available browser file-handling features that are difficult to restrict by policy without impairing legitimate processes. Defenders, however, can point out that a system command launched by a web browser process is more conspicuous in telemetry than a launch via explorer.exe through the Run dialog, which increases the chance that EDR systems will detect the incident.
Concurrently, security firm Doppel described similar activity involving fake support portals, phony “Cloudflare CAPTCHA” error pages, and clipboard hijacking akin to ClickFix. Victims are coerced into executing PowerShell that retrieves and runs an AutoHotkey script. That script harvests system information and delivers additional remote-access tools such as AnyDesk and TeamViewer, along with infostealers and clipboard stealers. Variants have also been observed that invoke mshta from a domain masquerading as Google — wl.google-587262[.]com — to fetch and execute remote code.
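The two telemetry clues described above, the padded clipboard string (a plausible file path and a shell invocation separated by a long run of whitespace) and a shell spawned directly by a browser process, can be turned into a simple detector. The following is an added example written for this article, not code from Acronis or Doppel; the log records, browser and shell image lists, and the placeholder command body are constructed here. Unlike the article, which describes the path as the visible part and the PowerShell call as the hidden tail, the heuristic accepts the two in either order, since the padding trick works the same way whichever half ends up scrolled out of view.

```python
import re
from dataclasses import dataclass, field

# Images the hidden command is typically launched through (the article mentions
# PowerShell and mshta); assumed list, extend to match your environment.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Assumed browser images; a shell whose direct parent is one of these is the
# signature of a command typed into the browser's file-upload dialog.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

PATH_TOKEN = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^\s"]+')          # drive or UNC path
SHELL_TOKEN = re.compile(r'\b(?:powershell|pwsh|cmd|mshta)(?:\.exe)?\b', re.IGNORECASE)
PADDING = re.compile(r'[ \t\u00a0]{8,}')   # whitespace run long enough to hide one side


def looks_like_padded_paste(text):
    """True when one pasted line holds a file path and a shell invocation on
    opposite sides of a long whitespace run, in either order."""
    pad = PADDING.search(text)
    if not pad:
        return False
    left, right = text[:pad.start()], text[pad.end():]
    path_then_shell = PATH_TOKEN.search(left) and SHELL_TOKEN.search(right)
    shell_then_path = SHELL_TOKEN.search(left) and PATH_TOKEN.search(right)
    return bool(path_then_shell or shell_then_path)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 would carry)."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    event: ProcessEvent
    reasons: list = field(default_factory=list)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan_events(events):
    """Return one Finding per event that matches at least one heuristic."""
    findings = []
    for ev in events:
        reasons = []
        if _basename(ev.image) in SHELL_IMAGES and _basename(ev.parent_image) in BROWSER_IMAGES:
            reasons.append("shell spawned directly by a browser process")
        if looks_like_padded_paste(ev.command_line):
            reasons.append("command line carries path/padding/shell pattern")
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings


# Constructed sample telemetry, not real logs. The first record mimics a FileFix
# paste: visible path, 40 spaces, then a hidden shell call with a placeholder body.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Users\Public\Documents\report.pdf" + " " * 40
                 + 'powershell.exe -WindowStyle Hidden -Command "PLACEHOLDER_STAGE1"'),
    ProcessEvent(r"C:\Windows\explorer.exe",                       # benign admin script
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",   # benign viewer
                 r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
                 r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" C:\Users\a\Downloads\x.pdf'),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f.event.image, "->", "; ".join(f.reasons))
```

Both heuristics are cheap enough to run over a full day of process-creation events; the browser-parent rule is the stronger signal in practice, because legitimate workflows almost never launch PowerShell or mshta from a file-chooser dialog, while the padding rule is useful on clipboard or address-bar telemetry where no child process has been created yet.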
Acronis emphasizes that the attackers invested heavily in their infrastructure and packaging — from multilingual content and plausible pretexts to segmented delivery and payload hiding within images. The result is an attack chain that appears routine at every step, until, in the background, the infostealer activates.