BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

New FileFix Social Engineering Attack Delivers StealC Malware

Fake Facebook Security Pages Used in Sophisticated StealC Malware Phishing Campaign with Steganography and AutoHotkey Variants

  • New phishing campaign uses a social engineering tactic called FileFix to distribute StealC Malware.
  • Attackers exploit fake Facebook Security pages, convincing users to run harmful commands that install malware.
  • The method hides malicious commands by mimicking regular file paths, increasing success rates.
  • Researchers observed attackers using steganography—hiding code inside images—to avoid detection.
  • Variants of this attack include AutoHotkey scripts and clipboard hijacking, expanding the range of threats.

A new cyber threat campaign uses a variant of the FileFix technique to trick users into downloading the StealC information-stealer malware. The attacks focus on distributing malicious files through phishing sites that look like Facebook Security pages, often redirecting victims after they receive warning emails about account suspension.

- Advertisement -

Acronis researcher Eliad Kimhy reported that the campaign stands out for its convincing, multi-language phishing sites. Attackers use advanced methods such as code obfuscation and steganography (concealing information inside images) to evade detection. The phishing process starts by urging users to appeal alleged Facebook policy violations, luring them into copying what appears to be a harmless file path into their computer’s File Explorer address bar.

According to Acronis, the command copied by victims is not just a file path but a hidden malicious command. This command runs a PowerShell script that downloads an image from a Bitbucket repository. The image, while seemingly innocent, contains malware components. “The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection,” Kimhy said in the full report.

Previous campaigns relied on the ClickFix technique that required users to paste commands into the Windows Run dialog. FileFix instead uses the browser’s regular file upload feature, making the process simpler and more likely to bypass administrator controls. “The adversary behind this attack demonstrated significant investment in tradecraft, carefully engineering the phishing infrastructure, payload delivery and supporting elements to maximize both evasion and impact,” Acronis reported.

The payload ultimately installs StealC, a tool that collects sensitive information from infected systems. Other observed variants include the use of AutoHotkey (AHK) scripts and clipboard hijacking. These approaches allow attackers to collect user data or install additional remote administration tools like AnyDesk and TeamViewer.

- Advertisement -

Researchers note that while Attackers’ new methods are effective at tricking users, the browser-based execution stands out in forensic investigations, potentially making it more detectable compared to older methods. There have also been cases of attackers leading victims to run Windows commands from sites pretending to be Google.

AutoHotkey, commonly used for automating Windows tasks, has been adopted by threat actors since 2019 for creating lightweight malware. These scripts can appear as harmless support tools but are designed to profile computers and install additional malicious software.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Cathie Wood Boosts Nuclear Stakes: Buys OKLO, XE Shares

Cathie Wood's ARK Investment Management bought 100,854 shares of Oklo Inc. (OKLO) and 545,453...

White House crypto pointman Patrick Witt takes leave for JAG training

White House crypto adviser Patrick Witt will take a leave of absence at the...

BSC Volume Bot Review: What Chain-Specific Quality Looks Like

A BSC tool should be judged by the quality of the testing conditions it...

Oracle Shares Tumble 6.5% as Iran Conflict Sparks Market Sell-Off

Oracle shares fell 6.5% on Monday amid a market-wide sell-off triggered by the escalation...

FLEOA endorses CLARITY Act ahead of Senate recess

The CLARITY Act secured a second endorsement from a major law enforcement group, the...

Must Read

Sushiswap vs Uniswap, What are the differences between these dex?

It's no secret that the world of decentralized exchanges has exploded in recent years. Many of you are probably wondering what the difference is...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading