Cybersecurity researchers have observed a rare in-the-wild FileFix campaign that hides a second-stage PowerShell script and encrypted executables inside JPG images.
The attack, detailed in an advisory by Acronis, persuades victims to paste a malicious command into a file upload address bar, then runs a heavily obfuscated PowerShell chain that downloads and parses images to extract payloads.
What’s new in this instance is that the campaign departs from the original attack proof of concept (POC). ClickFix-style attacks have surged recently by over 500% and a FileFix proof of concept was published in early July by researcher Mr. d0x.
This particular deployment, however, is the first seen in the wild that does not strictly follow that POC and instead uses multilingual phishing pages, heavy JavaScript minification and steganography to conceal code.
Phishing Infrastructure and Social Engineering
According to Acronis, the phishing site mimics a Meta support page and pressures users into an appeal flow that asks them to “open File Explorer” and paste a path that is actually a payload.
The site includes translations for 16 languages and multiple variants have been active in the last two weeks, indicating rapid iteration and global targeting.
The social engineering element of FileFix may prove more persuasive than ClickFix, as most users are familiar with file upload windows, but not with terminal prompts. This subtle shift demonstrates how attackers are refining lures to align with everyday user behavior.
Multistage Delivery and Final Payload
The attack infection chain begins with an obfuscated PowerShell one-liner that reconstructs variables, downloads an image hosted on BitBucket and extracts a plaintext second-stage script from a defined byte range.
That script uses RC4 decryption and gzip decompression to carve multiple files from the image, execute EXEs via conhost.exe and then remove them.
The final loader, written in Go, carries out sandbox checks by comparing hardware information, then decrypts shellcode leading to the deployment of StealC.
This infostealer is capable of harvesting data from browsers, cryptocurrency wallets, messaging apps and cloud services. Researchers note that StealC can also act as a downloader, giving attackers flexibility to deliver additional malware.
Detection and Mitigation
Key recommendations from Acronis researchers center on strengthening both user training and technical defenses.
Organizations are encouraged to take a layered approach that combines awareness with proactive blocking measures, including:
- Teach users to avoid pasting commands into system dialogs or file upload address bars
- Block PowerShell, CMD, MSIEXEC or MSHTA processes launched from web browsers
- Monitor for unusual browser-child process activity across endpoints
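As an added example, not code from the Acronis advisory, the browser-child process check above written as detection logic in Python and run over constructed Sysmon-style process-creation lines; the browser and interpreter name lists are assumptions to be tuned for your own fleet.

```python
import re
from dataclasses import dataclass

# Assumed browser parent images; extend to match the browsers deployed in your environment.
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Interpreters and utilities the advisory says should not be spawned by a browser.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one key="value" process-creation line (constructed, Sysmon Event ID 1 style)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_browser_spawned_interpreter(ev: ProcessEvent) -> bool:
    """True when a browser process directly launched a scripting host or installer utility."""
    return basename(ev.parent_image) in BROWSER_PARENTS and basename(ev.image) in SUSPICIOUS_CHILDREN


def flag_events(lines):
    """Return the events that match the browser -> interpreter pattern."""
    return [ev for ev in map(parse_event, lines) if is_browser_spawned_interpreter(ev)]


# Constructed sample telemetry: two FileFix-like hits, two benign parent/child pairs.
SAMPLE_LOG = [
    r'ParentImage="C:\Program Files\Google\Chrome\Application\chrome.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -w hidden -c [constructed placeholder]"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt"',
    r'ParentImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe [constructed placeholder]"',
    r'ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File build.ps1"',
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOG):
        print(f"ALERT: {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
```

The same parent/child pairing can be expressed as a blocking rule in an EDR or AppLocker-style policy; the script only demonstrates the detection side on logs you already collect.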
The campaign highlights how quickly FileFix has evolved from a proof of concept to an active threat.
By blending social engineering, obfuscation and steganography, attackers are making detection more difficult. Security teams must stay alert and ensure users understand these emerging *Fix attack techniques.