A recent cyberattack campaign is using social engineering to pose as fake alerts from Meta (Facebook and Instagram), tricking users into executing malicious commands. The goal: to silently install the StealC malware, designed to steal passwords, cookies, and sensitive information.
This method is part of the ClickFix family, but with a twist. Instead of asking users to paste commands into the Windows terminal, FileFix uses the File Explorer address bar—a part of the system many consider safe—making the deception more effective.
The technique was created by researcher mr.d0x as a proof of concept but has already been used in real attacks by groups like Interlock, who previously exploited it to distribute remote access trojans. What's new is that attackers have now enhanced the strategy with more convincing and sophisticated lures, such as fake account closure warnings.
New FileFix Campaign
The new phishing campaign, detected by researchers at Acronis, is taking social engineering tactics to the next level. This time, attackers pose as Meta (Facebook and Instagram) support staff, falsely warning users that their accounts will be deactivated in seven days unless they review a supposed “incident report.”
Here’s the catch: that “report” isn’t a real document—it’s a disguised PowerShell command that, when executed, installs malware on the victim’s device.
The phishing page is designed to look legitimate and is available in multiple languages, increasing its global reach. On the page, users are guided to:
- Click a “Copy” button, which supposedly copies a file path.
- Then, they’re instructed to open File Explorer.
- Finally, they’re told to paste the “path” into the address bar to access the document.
But in reality, what the “Copy” button places in the clipboard is a modified PowerShell command, crafted to look like a harmless path thanks to a clever trick: the command includes a variable padded with many spaces before the fake path, so only the final part—the supposed file path—appears when pasted into File Explorer.
FileFix Attack Masquerading as Meta Support (Source: Acronis)
This type of technique allows the malicious command to go unnoticed by both the user and some security tools. According to Acronis, unlike previous ClickFix attacks that used the # symbol to hide commands (since PowerShell interprets it as a comment), this new variant uses a custom variable with spaces, which helps it evade detection by tools that rely on common pattern recognition.
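Because the trick relies on padding rather than on a fixed token like #, a defender-side check should look at the shape of the command line rather than at one literal. The script below is an added example written for this article; it is not code from Acronis, TecnetOne or the campaign. It runs a few heuristics over constructed process-creation events (Sysmon Event ID 1 / 4688-style fields Image, ParentImage and CommandLine are assumed; the 20-space padding threshold and the rule names are also assumptions): a shell spawned by explorer.exe, a long run of spaces, a variable assignment or a # in front of that run, and a decoy file path as the visible tail. The sample events are constructed and inert.

```python
import re
from dataclasses import dataclass

# Runs of at least this many consecutive spaces are treated as deliberate
# padding; ordinary command lines almost never contain them. This threshold
# is an assumption for the example, not a value from the Acronis report.
PADDING_THRESHOLD = 20

PADDING_RE = re.compile(r" {%d,}" % PADDING_THRESHOLD)
VARIABLE_RE = re.compile(r"\$\w+\s*=")            # PowerShell variable assignment
DECOY_PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\s\"']+\s*[\"']?\s*$")
SHELL_NAMES = ("powershell.exe", "pwsh.exe", "cmd.exe")
SUSPICION_THRESHOLD = 2                           # findings needed to alert


@dataclass
class Finding:
    rule: str
    detail: str


def analyse_event(event: dict) -> list:
    """Return the Findings raised by one process-creation event
    (assumed fields: Image, ParentImage, CommandLine)."""
    findings = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")

    # Only shells are interesting here; everything else passes through.
    if not image.endswith(SHELL_NAMES):
        return findings

    # Rule 1: a shell spawned by File Explorer is how a command pasted into
    # the address bar (FileFix) or the Run dialog (ClickFix) appears in logs.
    if parent.endswith("explorer.exe"):
        findings.append(Finding("shell_from_explorer", parent))

    # Rule 2: long whitespace padding pushes the real command out of view.
    pad = PADDING_RE.search(cmd)
    if pad:
        before = cmd[: pad.start()]
        if "#" in before:
            # Older ClickFix variant: '#' turns the visible tail into a comment.
            findings.append(Finding("comment_padding", f"{len(pad.group())} spaces after '#'"))
        elif VARIABLE_RE.search(before):
            # Variant described by Acronis: padded variable, no '#' needed.
            findings.append(Finding("variable_padding", f"{len(pad.group())} spaces after assignment"))
        else:
            findings.append(Finding("whitespace_padding", f"{len(pad.group())} spaces"))

        # Rule 3: the visible tail is a file path, the decoy the user believed
        # they were pasting into File Explorer.
        tail = DECOY_PATH_RE.search(cmd[pad.end():])
        if tail:
            findings.append(Finding("decoy_path_tail", tail.group().strip().strip("\"'")))

    return findings


def is_suspicious(event: dict) -> bool:
    return len(analyse_event(event)) >= SUSPICION_THRESHOLD


# Constructed sample events for the example; not telemetry from any report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {   # FileFix-style: padded variable, decoy path visible in the address bar
        "ParentImage": EXPLORER, "Image": PS,
        "CommandLine": "powershell -c \"$r = 'placeholder'" + " " * 150
                       + r"C:\Users\Public\Downloads\Incident_Report.pdf" + '"',
    },
    {   # Older ClickFix-style: '#' comment followed by padded decoy text
        "ParentImage": EXPLORER, "Image": PS,
        "CommandLine": "powershell -c \"Write-Host placeholder\" #" + " " * 80 + "Incident Report",
    },
    {   # Benign: script launched by a build tool, no padding
        "ParentImage": r"C:\Program Files\Git\cmd\git.exe", "Image": PS,
        "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\build.ps1",
    },
    {   # Benign: user opened PowerShell from the Start menu
        "ParentImage": EXPLORER, "Image": PS,
        "CommandLine": "powershell.exe",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        rules = [f.rule for f in analyse_event(event)]
        print("SUSPICIOUS" if is_suspicious(event) else "ok        ", rules)
```

Requiring two findings keeps a plain PowerShell window opened from the Start menu (explorer.exe parent, no padding) below the alert line, while both the padded-variable and the older # style trip it; in production the thresholds should be tuned against your own baseline of explorer-spawned shells.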
FileFix Campaign Goes a Step Further: Now Hiding Malware in Images
What makes this new FileFix variant particularly dangerous is its creative use of steganography—a technique that hides malicious code within seemingly harmless files, such as a simple JPG image.
In this campaign, attackers conceal both a second-stage PowerShell script and several encrypted executables inside a JPG image hosted on Bitbucket, a legitimate code storage platform.
It all begins when the user unknowingly runs a PowerShell command (copied from a phishing page, as previously explained). This command downloads the disguised image from Bitbucket, extracts the hidden script, and executes it directly in system memory to decrypt and load the rest of the malware—without leaving any visible files on the disk.
It’s a clever and stealthy technique designed to evade traditional antivirus tools and remain completely undetected. In short: the malware hides in plain sight.
Second PowerShell Script Embedded in the Image
The final payload of this FileFix campaign is the StealC malware—an infostealer designed to harvest all kinds of sensitive data from the infected device. And when we say all, we’re not exaggerating. StealC targets:
- Cookies and saved credentials from browsers like Chrome, Firefox, Opera, and even Tencent.
- Data from messaging apps such as Discord, Telegram, Tox, and Pidgin.
- Cryptocurrency wallets including Bitcoin, Ethereum, and Exodus.
- Cloud service credentials, including AWS and Azure.
- VPN accounts and gaming platforms like ProtonVPN, Battle.net, and Ubisoft.
It can even take screenshots of the active desktop to spy on what the user is doing at that exact moment.
A Campaign That Keeps Evolving
According to the Acronis report, this campaign has been active for at least two weeks, and during that time it has continuously evolved. Researchers have detected multiple versions of the attack, featuring different payloads, new domains, and increasingly convincing lures.
“Throughout our investigation, we discovered several iterations of the attack,” Acronis explains.
“We can see how both the social engineering tactics and the technical aspects of the attack have evolved.”
This may indicate that the attacker is testing their infrastructure for future campaigns or simply adapting and improving the attack in real time.
What Can Companies Do?
While many organizations already educate their employees about the risks of traditional phishing, techniques like ClickFix and FileFix are relatively new and still evolving.
That’s why at TecnetOne, we recommend that companies begin training their users on these emerging threats. In particular, it’s crucial to warn against the dangers of copying commands from websites and pasting them into system windows like File Explorer or the terminal. Even if they appear to be legitimate solutions, they can serve as the entry point for malware like StealC.