New FileFix Social Engineering Attack Delivers StealC Malware

Fake Facebook Security Pages Used in Sophisticated StealC Malware Phishing Campaign with Steganography and AutoHotkey Variants

  • New phishing campaign uses a social engineering tactic called FileFix to distribute StealC Malware.
  • Attackers exploit fake Facebook Security pages, convincing users to run harmful commands that install malware.
  • The method hides malicious commands by mimicking regular file paths, increasing success rates.
  • Researchers observed attackers using steganography—hiding code inside images—to avoid detection.
  • Variants of this attack include AutoHotkey scripts and clipboard hijacking, expanding the range of threats.

A new cyber threat campaign uses a variant of the FileFix technique to trick users into downloading the StealC information-stealer malware. The attacks focus on distributing malicious files through phishing sites that look like Facebook Security pages, often redirecting victims after they receive warning emails about account suspension.

Acronis researcher Eliad Kimhy reported that the campaign stands out for its convincing, multi-language phishing sites. Attackers use advanced methods such as code obfuscation and steganography (concealing information inside images) to evade detection. The phishing process starts by urging users to appeal alleged Facebook policy violations, luring them into copying what appears to be a harmless file path into their computer’s File Explorer address bar.

According to Acronis, the command copied by victims is not just a file path but a hidden malicious command. This command runs a PowerShell script that downloads an image from a Bitbucket repository. The image, while seemingly innocent, contains malware components. “The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection,” Kimhy said in the full report.

Previous campaigns relied on the ClickFix technique that required users to paste commands into the Windows Run dialog. FileFix instead uses the browser’s regular file upload feature, making the process simpler and more likely to bypass administrator controls. “The adversary behind this attack demonstrated significant investment in tradecraft, carefully engineering the phishing infrastructure, payload delivery and supporting elements to maximize both evasion and impact,” Acronis reported.

The payload ultimately installs StealC, a tool that collects sensitive information from infected systems. Other observed variants include the use of AutoHotkey (AHK) scripts and clipboard hijacking. These approaches allow attackers to collect user data or install additional remote administration tools like AnyDesk and TeamViewer.

Researchers note that while the attackers’ new methods are effective at tricking users, the browser-based execution stands out in forensic investigations, potentially making it more detectable than older methods. There have also been cases of attackers leading victims to run Windows commands from sites pretending to be Google.
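The forensic point above can be turned into a triage rule over process-creation telemetry. The following is an added example, not code from Acronis or from the original article: it assumes the interpreter shows up as a child of the browser process, uses Sysmon Event ID 1 field names, and its process lists, path-tail heuristic and sample events are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumed process names; extend for the browsers and interpreters in your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# Heuristic (assumption): the command line ends in text shaped like a document path.
DECOY_TAIL = re.compile(
    r'[A-Za-z]:\\(?:[^\\"|;&]+\\)*[^\\"|;&]+\.(?:pdf|docx?|txt|png|jpe?g)\s*$', re.I)

def score_event(ev):
    """Return the list of reasons one process-creation record looks like FileFix."""
    child = basename(ev["Image"]).lower()
    parent = basename(ev["ParentImage"]).lower()
    if parent not in BROWSERS or child not in INTERPRETERS:
        return []
    reasons = ["script interpreter spawned by a browser"]
    if DECOY_TAIL.search(ev["CommandLine"]):
        reasons.append("command line ends in a document-style path")
    return reasons

def triage(events):
    """Return (ProcessId, reasons) for suspicious events, strongest first."""
    hits = [(ev["ProcessId"], score_event(ev)) for ev in events]
    hits = [h for h in hits if h[1]]
    return sorted(hits, key=lambda h: len(h[1]), reverse=True)

# Constructed sample events (not from the report); command bodies are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 4412,
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ver"},
    {"ProcessId": 5120,
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -c "<placeholder>"    '
                    r"C:\Users\Public\Documents\incident_report.pdf"},
    {"ProcessId": 6001,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Events with both reasons are the closest match to the lure described in the article; a browser-spawned interpreter on its own is still worth reviewing, since browsers rarely launch one during normal use.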

AutoHotkey, commonly used for automating Windows tasks, has been adopted by threat actors since 2019 for creating lightweight malware. These scripts can appear as harmless support tools but are designed to profile computers and install additional malicious software.
