Security researchers from Expel have discovered a new phishing campaign that creatively blends social engineering with browser cache manipulation to install malware — all without downloading a single file. The operation, which impersonates a Fortinet VPN Compliance Checker, demonstrates a dangerous evolution of the ClickFix technique, relying entirely on the victim’s actions and the browser’s caching behavior to deploy malicious code.
As the Expel team explains, “We observed a recent campaign innovating on the ClickFix attack formula. This campaign leveraged cache smuggling, which avoids explicitly downloading any malicious files in an attempt to reduce detection.”
The campaign began circulating in August 2025 through posts on X (formerly Twitter), where attackers promoted what appeared to be an official Fortinet VPN Compliance Checker tool. The phishing site, initially hosted at fc-checker[.]dlccdn[.]com, mimicked Fortinet branding and design elements, making it convincing enough to fool corporate users.
Expel noted, “We stumbled across this curious phishing lure on X claiming to be a Fortinet VPN Compliance Checker… this malware campaign was likely intended to gain a foothold on corporate networks.”

The webpage instructed victims to copy and paste a command into Windows File Explorer, ostensibly to open a shared network file named:
The text box on the fake website automatically copied a malicious PowerShell command — padded with 139 spaces — that was invisible to the naked eye when pasted into Explorer’s address bar.
“The threat actor has cleverly padded the text with spaces, resulting in only the expected command being visible. However, when we paste the text into a text editor the rest of the command is revealed.”

This PowerShell command launched conhost.exe in headless mode and executed a script that built and executed malware entirely from the browser’s cache.
Unlike traditional phishing payloads, the PowerShell script did not connect to any external servers or download files. Instead, it searched for pre-staged data stored locally in the browser cache — data that had been “smuggled” there earlier by the phishing page itself.
“This campaign differs from previous ClickFix variants in that the malicious script does not download any files or communicate with the internet. This is achieved by using the browser’s cache to pre-emptively store arbitrary data onto the user’s machine.”
The malicious data was disguised as a .jpg file fetched from a hidden endpoint on the same phishing domain. The file, while claiming to be an image (Content-Type: image/jpeg), actually contained a ZIP archive hidden between two unique marker strings (bTgQcBpv and mX6o0lBw).
“When we open the supposed ‘JPG’ file in a Hex Editor, it’s evident it isn’t actually a JPG at all. There is no JPG header, but we can see the text ‘bTgQcBpv’ which matches the RegEx the PowerShell script was searching for.”
When executed, the PowerShell script copied Chrome’s cache directory, scanned for the embedded ZIP archive, extracted it, and executed a malicious payload masquerading as FortiClientComplianceChecker.exe.
This technique, known as cache smuggling, exploits how web browsers cache files locally to improve performance. When a webpage instructs the browser to fetch an image or script, the browser often stores it in its cache for future use. Attackers abuse this by serving a malicious payload disguised as a legitimate cached resource, allowing it to reside undetected on the victim’s machine.
Expel explains: “This technique, known as cache smuggling, enables the malware to bypass many different types of security products. Neither the webpage nor the PowerShell script explicitly download any files. By simply letting the browser cache the fake ‘image,’ the malware is able to get an entire zip file onto the local system without the PowerShell command needing to make any web requests.”
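As an added illustration from the defender's side (not Expel's tooling or the campaign's own script), the following Python triages a cached object that was served as image/jpeg the way the article describes: it checks for a real JPEG header, carves whatever sits between the reported marker strings bTgQcBpv and mX6o0lBw, and lists the members of an embedded ZIP without writing anything to disk. The sample blob and the cache-directory walker are constructed for this example; the walker only matches raw marker bytes and does not parse Chrome's on-disk cache format or any content encoding.

```python
import io
import os
import re
import zipfile

# Marker strings the article says the stager's regex looked for in the cache.
START_MARKER = b"bTgQcBpv"
END_MARKER = b"mX6o0lBw"
JPEG_MAGIC = b"\xff\xd8\xff"   # a genuine JPEG starts with the SOI marker
ZIP_MAGIC = b"PK\x03\x04"      # ZIP local file header signature

def carve_between_markers(blob: bytes):
    """Return the bytes between the two markers, or None if both are not present."""
    m = re.search(re.escape(START_MARKER) + b"(.*?)" + re.escape(END_MARKER), blob, re.DOTALL)
    return m.group(1) if m else None

def inspect_cached_image(blob: bytes) -> dict:
    """Triage one cached object that was served with Content-Type: image/jpeg."""
    carved = carve_between_markers(blob)
    verdict = {
        "has_jpeg_header": blob.startswith(JPEG_MAGIC),
        "embeds_zip": carved is not None and ZIP_MAGIC in carved,
        "zip_members": [],
    }
    if verdict["embeds_zip"]:
        try:  # enumerate the archive in memory only; nothing is extracted to disk
            with zipfile.ZipFile(io.BytesIO(carved[carved.index(ZIP_MAGIC):])) as zf:
                verdict["zip_members"] = zf.namelist()
        except zipfile.BadZipFile:
            pass
    verdict["suspicious"] = verdict["embeds_zip"] or not verdict["has_jpeg_header"]
    return verdict

def scan_cache_dir(cache_dir: str) -> list:
    """Walk a copy of a browser cache directory; report entries carrying a marker-wrapped ZIP."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                verdict = inspect_cached_image(fh.read())
            if verdict["embeds_zip"]:
                hits.append((path, verdict["zip_members"]))
    return hits

def build_sample_smuggled_blob() -> bytes:
    """Constructed test data, not the real lure: a tiny ZIP wrapped in the two markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FortiClientComplianceChecker.exe", b"placeholder, not a real binary")
    return b"\x00padding" + START_MARKER + buf.getvalue() + END_MARKER + b"trailer"
```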
Expel researchers warn that the implications of cache smuggling are significant: “The implications of this technique are concerning, as cache smuggling may offer a way to evade protections that would otherwise catch malicious files as they are downloaded and executed.”