Social engineering keeps evolving. Cybercriminals have found a way to stage malware in the browser cache, sidestepping antivirus and network tools that key on file downloads. The attack, a FileFix variant, was recently documented by researchers at Expel and is raising concern in the security community because of how little noise it makes.
At TecnetOne, we break down how this attack works, why it’s dangerous, and what you can do to protect your organization.
What Is the FileFix Attack?
FileFix is a variant of the ClickFix social-engineering technique; the FileFix method itself was first demonstrated by security researcher mr.d0x.
Where ClickFix has the victim paste a command into the Run dialog or a terminal, FileFix uses the Windows File Explorer address bar, which accepts commands as well as paths.
In short, the attacker tricks the victim into copying what looks like a harmless network path and pasting it into File Explorer, when the pasted text actually contains a PowerShell command.
The latest variant, analyzed by Marcus Hutchins at Expel, adds a dangerous twist: cache smuggling, a way of staging the malicious file in the browser cache so that neither the user nor tools that watch for downloads ever see a download happen.
Step-by-Step Breakdown of the Attack
- The victim lands on a fake web page posing as a Fortinet VPN Compliance Checker.
- The site shows a "network path" and asks the user to copy it and open it in File Explorer:
\\Public\Support\VPN\ForticlientCompliance.exe
- What lands on the clipboard is much longer than that path: a PowerShell command, 139 whitespace characters and the decoy path form one string, and the whitespace pushes the command out of the visible part of the address bar, so the user only ever sees the path.
- When the user pastes the string into the File Explorer address bar and presses Enter, Explorer runs the PowerShell command rather than opening a file. The command runs with no visible window, so nothing appears to happen.
Fortinet VPN Compliance Check FileFix lure (Source: Expel)
- The script then:
  - Creates a fake Fortinet folder: %LOCALAPPDATA%\FortiClient\compliance
  - Copies files from Chrome's cache directory: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data\
  - Searches the copies for the marker strings bTgQcBpv and mX6o0lBw
  - Carves out the bytes between the markers, which are a ZIP archive hidden inside what the browser stored as an image
  - Unzips it and runs the real payload: FortiClientComplianceChecker.exe
How a copied command appears in File Explorer address bar (Source: Expel)
What Is Cache Smuggling — And Why It’s So Dangerous?
Cache smuggling is the most innovative part of this attack. It works like this:
- When the user visits the fake website, its JavaScript makes the browser fetch a resource served as a JPEG image. There is no save prompt: the browser writes the response body to its disk cache exactly as it would for any other image.
- The body is not really a picture. Between two marker strings it carries a ZIP archive containing the malware, so the payload is now on disk under an innocuous cache file name.
- Later, the PowerShell stage reads the cache files, carves the archive out from between the markers and runs its contents. PowerShell itself performs no download and no network request at all.
“The malware introduces a full ZIP file into the system without PowerShell ever making a web request. That’s what makes this attack undetectable.”
— Marcus Hutchins
Because the only network activity is what looks like an ordinary image load by the browser, and the PowerShell stage never reaches out to the internet, detections that key on a script downloading a file, on PowerShell network activity or on an explicit file download do not fire.
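To make the carving step concrete, here is an added Python example; it is not code from Expel, TecnetOne or the campaign itself. It builds a constructed cache entry (JPEG magic bytes with a ZIP archive placed between the two marker strings the page names), carves the archive back out the way the script's marker search and ZIP extraction steps above do, and adds a marker-independent hunt check that flags any cache entry that starts like an image but contains a ZIP local file header. The scan_cache_dir helper and its directory walk are assumptions for illustration; because it searches raw bytes it does not depend on Chrome's cache file format.

```python
import io
import os
import zipfile

# Marker strings reported for this campaign; other campaigns will choose their own.
START_MARKER = b"bTgQcBpv"
END_MARKER = b"mX6o0lBw"
JPEG_MAGIC = b"\xff\xd8\xff"        # first bytes of a real JPEG
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # start of a ZIP local file header


def build_fake_image(zip_bytes, start=START_MARKER, end=END_MARKER):
    """Constructed sample only: a JPEG-looking blob with a ZIP archive smuggled
    between the markers. Stands in for the 'image' the lure page has the
    browser fetch and cache; real campaigns pad it to look like a valid picture."""
    return JPEG_MAGIC + b"\x00" * 64 + start + zip_bytes + end + b"\x00" * 32


def carve_between_markers(blob, start=START_MARKER, end=END_MARKER):
    """Return the bytes between the first start marker and the following end
    marker, or None if either is missing. This is the carve the PowerShell
    stage performs on the copied cache files."""
    i = blob.find(start)
    if i < 0:
        return None
    j = blob.find(end, i + len(start))
    if j < 0:
        return None
    return blob[i + len(start):j]


def looks_smuggled(blob):
    """Marker-independent hunt check: image magic in front, ZIP header inside."""
    return blob.startswith(JPEG_MAGIC) and ZIP_LOCAL_HEADER in blob


def list_zip_members(data):
    """Names inside a carved archive; raises zipfile.BadZipFile if it is not a ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def scan_cache_dir(path, start=START_MARKER, end=END_MARKER):
    """Assumed hunting helper: walk a browser cache directory (for Chrome,
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data) and
    return files that carry either the markers or an embedded ZIP header."""
    hits = []
    for root, _, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    blob = fh.read()
            except OSError:
                continue
            if looks_smuggled(blob) or carve_between_markers(blob, start, end) is not None:
                hits.append(full)
    return hits


def demo():
    """Round trip on constructed data: build, carve, verify the archive parses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FortiClientComplianceChecker.exe", b"MZ placeholder, not a real binary")
    zip_bytes = buf.getvalue()
    image = build_fake_image(zip_bytes)
    carved = carve_between_markers(image)
    return looks_smuggled(image), carved == zip_bytes, list_zip_members(carved)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the round trip on constructed data. During incident response, scan_cache_dir pointed at a live profile's cache is a fast first pass, since the cache is where the payload sits before the PowerShell stage copies it out; the marker-free looks_smuggled check is the one worth keeping, because markers change per campaign.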
IUAM ClickFix Generator interface (Source: Unit 42)
The Human Factor: Social Engineering Is the Weak Link
The FileFix attack relies entirely on human interaction. Fake websites are professionally designed, imitating brands like:
- Fortinet
- Cloudflare
- Microsoft Teams
- TradingView
They use formal language and fake IT instructions to lower the user’s guard. Victims are told they need to run a verification step to remain compliant with internal security policies, tricking them into executing the malicious path.
ClickFix Generator: Automating the Scam
Researchers from Palo Alto Networks' Unit 42 also discovered a ClickFix Generator toolkit that lets attackers automate this type of attack.
It lets cybercriminals:
- Design fake pages with custom text and branding
- Generate OS-specific PowerShell or Bash commands
- Detect user OS to tailor the payload
- Add fake captchas (Cloudflare, Speedtest) to increase legitimacy
Campaigns using this toolkit have already delivered DeerStealer, Odyssey, and other info-stealers targeting both Windows and macOS.
Microsoft ClickFix lure (Source: BleepingComputer)
How to Protect Against FileFix
At TecnetOne, we emphasize proactive prevention and user awareness. Here’s what you can do:
- Never paste commands from a website into the Run dialog, a terminal or the File Explorer address bar.
No legitimate compliance or verification step asks you to do this.
- Verify the URL, not the padlock.
The lure pages are served over HTTPS like any other site; what matters is whether the domain actually belongs to the vendor it claims to be.
- Restrict PowerShell rather than relying on the execution policy.
The execution policy is not a security boundary and does not apply to a command passed on the command line. Use AppLocker or WDAC to limit who can run powershell.exe, and enable script block logging so the command that ran is recorded.
- Keep your browser and antivirus updated, but do not expect a patch for cache smuggling.
It exploits no bug: the browser caches the fake image exactly as designed, so updates alone will not stop it.
- Use endpoint protection (EDR/XDR) tuned for this chain.
Watch for explorer.exe spawning powershell.exe with a hidden window, a long run of whitespace in the command line, or reads from the browser cache directory. Download-based detections will not fire, because PowerShell never touches the network.
- Train your teams.
A well-informed employee is your first line of defense against phishing and social engineering.
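An added example of the behavioral check the EDR point above refers to, written in Python and not taken from Expel, TecnetOne or any vendor product. It scores process-creation events on four FileFix-specific signals: explorer.exe as the parent of a shell, a long whitespace run in the command line, a reference to a browser cache directory, and either a hidden-window flag or a decoy path parked in a trailing PowerShell comment (the layout mr.d0x's original FileFix proof-of-concept used). The sample records are constructed in the shape of a Sysmon or EDR event, their field names are assumptions, and the FileFix-like command line is a stand-in modeled on the chain described above, not the campaign's real script.

```python
import re

# Four indicators drawn from the chain described above. None is decisive alone:
# explorer.exe is also the parent when a user starts PowerShell from the Start menu.
PADDING = re.compile(r"\s{20,}")                           # whitespace that pushes the command out of view
CACHE_PATH = re.compile(r"\\User Data\\.*?\\Cache", re.I)   # Chrome/Edge profile cache directory
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I)
DECOY_COMMENT = re.compile(r"#\s*\\\\")                    # '# \\server\share\...' after the real command
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def filefix_indicators(event):
    """Return the list of indicators present; an empty list means nothing to flag."""
    if basename(event["parent"]) != "explorer.exe" or basename(event["image"]) not in SHELLS:
        return []
    cmd = event["cmdline"]
    reasons = []
    if PADDING.search(cmd):
        reasons.append("long whitespace run in command line (address-bar padding)")
    if CACHE_PATH.search(cmd):
        reasons.append("command references a browser cache directory")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window requested")
    if DECOY_COMMENT.search(cmd):
        reasons.append("decoy UNC path in a trailing comment")
    return reasons


def triage(events):
    """(image name, reasons) for every event that shows at least one indicator."""
    hits = []
    for event in events:
        reasons = filefix_indicators(event)
        if reasons:
            hits.append((basename(event["image"]), reasons))
    return hits


# Constructed sample events. The first imitates the FileFix chain; its PowerShell
# body is a stand-in, not the campaign's script. The others are ordinary activity.
FILEFIX_CMD = (
    'powershell.exe -w hidden -c "Get-ChildItem '
    '$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data"'
    + " " * 139
    + "# \\\\Public\\Support\\VPN\\ForticlientCompliance.exe"
)
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": FILEFIX_CMD},
    {"parent": r"C:\Windows\explorer.exe",              # user opened PowerShell from Start
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",          # scripted launch, not from Explorer
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-Process"'},
    {"parent": r"C:\Windows\explorer.exe",              # ordinary cmd from the address bar
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c dir "C:\\Users\\alice\\Documents"'},
]


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Only the first event is flagged, with all four reasons; the user-launched PowerShell with an empty command line is left alone. In a real pipeline the same function would be applied to Sysmon Event ID 1 or the EDR's process-start stream, and two or more reasons on one event is a sensible alert threshold.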
Final Thoughts
The FileFix attack shows that cybercriminals do not need to breach a firewall or exploit a zero-day. All it takes is a browser, its cache and a user who follows instructions.
With cache smuggling, the file download that many defenses watch for never happens as such: the payload rides in on an ordinary-looking image fetch, and the rest of the chain relies on normal user behavior to deploy the malware.
At TecnetOne, we urge all organizations to strengthen endpoint controls, monitor system behaviors, and, above all, educate users to think before they click.