FileFix Social Engineering Attack
Researchers have uncovered a recent phishing campaign that uses a variant of the FileFix social-engineering technique to deliver the StealC information-stealer. The campaign relies on a polished, multilingual fake site (examples observed include a counterfeit 'Facebook Security' page), heavy obfuscation and anti-analysis tricks, and an unusual payload delivery chain that abuses legitimate services to evade detection.
How Victims Are Lured
The attack typically begins with an email telling recipients their Facebook account is at risk of suspension for alleged policy violations and urging them to appeal. Clicking the appeal link redirects the user to a convincing phishing page. That page promises a PDF of the supposed violation and instructs the user to copy-and-paste a path into File Explorer to access it, but the friendly instruction is a ruse.
The FileFix Trick
FileFix differs from similar techniques in how it gets code executed locally. Instead of telling victims to open the Run dialog and paste a command, a FileFix page opens the browser's file-upload dialog (which is an ordinary File Explorer window with an address bar) and tells the victim to paste a "path" into it. The page's copy button has already populated the clipboard: the string it writes is a multi-stage PowerShell command, followed by a long run of spaces, followed by a decoy file path. When the victim pastes, the address bar scrolls to the end of the string, so only the innocuous path is visible and the command sits out of view. Explorer's address bar executes what it is given, so the hidden command runs locally, launched from the browser's file dialog rather than from the Run box.
Attack Chain
- The user is redirected from a phishing email to a heavily obfuscated multilingual fake site.
- Clicking the site's button triggers the FileFix flow, and the clipboard is populated with a hidden PowerShell command.
- The PowerShell script downloads seemingly benign images from a Bitbucket repository.
- The images are decoded into the next-stage payload.
- A Go-based loader is executed, unpacks shellcode, and finally launches the StealC info-stealer.
Abusing Trusted Hosting Services
The operators host encoded payloads inside images on a Bitbucket repository. Using a reputable source-code hosting platform helps the attackers hide traffic in otherwise legitimate requests and reduces the chance of automated blocking based on destination reputation.
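The page does not say how the payload is encoded inside the images. As an added example (not the campaign's scheme and not the researchers' tooling), the block below assumes the simplest form of this trick, base64 text appended after a PNG's IEND chunk, and shows the triage check a responder can run on any image pulled from such a repository: walk the chunk list, find where the image legitimately ends, and report whatever follows. A clean PNG has nothing after IEND, so trailing bytes are worth a look regardless of how the real campaign encoded its stage. The sample image and the smuggled text are constructed inline.

```python
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed 1x1 8-bit greyscale PNG used as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, depth 8, grey
    raw = b"\x00\x80"                                      # filter byte + pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def iend_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk's CRC, or -1 if the file is
    not a well-formed PNG up to IEND."""
    if not data.startswith(PNG_SIGNATURE):
        return -1
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return -1
        if ctype == b"IEND":
            return end
        pos = end
    return -1


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the end of the image; empty for a clean PNG."""
    off = iend_offset(data)
    return b"" if off < 0 else data[off:]


def extract_appended_payload(data: bytes) -> bytes:
    """Assumed scheme: base64 text appended after IEND. Returns the decoded
    bytes, or b'' when there is no trailer or it is not valid base64."""
    tail = trailing_payload(data).strip()
    if not tail:
        return b""
    try:
        return base64.b64decode(tail, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return b""


# Constructed sample: a clean PNG with a "next stage" smuggled after IEND.
STAGE2 = b"Write-Host 'stage two placeholder'"
SMUGGLED_PNG = make_minimal_png() + base64.b64encode(STAGE2)

if __name__ == "__main__":
    for name, blob in (("clean", make_minimal_png()), ("smuggled", SMUGGLED_PNG)):
        tail = trailing_payload(blob)
        print(f"{name}: {len(tail)} trailing byte(s); decoded={extract_appended_payload(blob)!r}")
```

Run the same `trailing_payload` check over every image a script downloads from a code-hosting site; the destination's reputation says nothing about what the bytes carry.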
Obfuscation And Anti-analysis Techniques
The phishing pages and scripts are not simple: the operators used advanced obfuscation, fragmentation and junk code to frustrate human analysts and automated scanners. The infrastructure is multilingual and polished, increasing the chance of tricking non-English speakers and making the site appear authentic.
FileFix vs ClickFix
FileFix abuses a browser file-upload / copy flow so victims paste into File Explorer's address bar rather than launching the Run dialog.
ClickFix requires pasting into the Run dialog (or Terminal on macOS) and is spawned from Explorer.exe or a terminal session.
Practical impact: FileFix can bypass defenses that block use of the Run dialog, because it leverages a widely used browser feature instead.
Detection nuance: because the FileFix command is launched from the browser's file dialog, the resulting interpreter process is tied to the browser rather than to Explorer's Run dialog. That lineage is unusual in normal use and may be more visible to endpoint monitoring or incident investigation than the Explorer.exe spawns used by ClickFix, but FileFix still defeats many end-user protections through deception, so the difference helps defenders after the fact more than it protects the victim.
Threat Actor’s Evolving Techniques
This campaign shows a deliberate, well-resourced approach: carefully engineered phishing infrastructure, multi-stage payload design, and use of trusted third-party hosting to maximize both stealth and operational reach. The adversary's tradecraft indicates they planned to avoid generic detection and to achieve reliable execution across diverse targets.