New FileFix Attack Uses Windows Explorer to Hack Your PC

Written by Levi Yoris | Jun 25, 2025 5:16:09 PM

FileFix is a new variant of an old social engineering trick known as ClickFix, now taking attacks to a whole new level. Instead of relying solely on the browser, this technique leverages none other than the address bar of Windows File Explorer to execute malicious commands.

The attack works quite simply: the user is tricked into interacting with a shortcut or folder that, without their knowledge, executes dangerous commands directly from Explorer. It's a silent and effective way to compromise a system, especially in corporate environments.

Unlike the original ClickFix, which relied on getting the victim to click a button on a webpage (copying a command to the clipboard and then asking them to paste it into PowerShell), FileFix skips that step entirely. There's no need for the person to open PowerShell anymore—just opening a folder or accessing a specific path is enough to execute the command without raising suspicion.

These attacks are often disguised as innocent things: a fake captcha, an error message asking to "fix a problem," or any other trick that seems normal. Everything is designed to make the user believe they’re fixing something, when in reality, they’re opening the door to an attacker.

Example of a Fake CAPTCHA in a ClickFix Attack (Source: SilentPush)

How Did FileFix Diverge from the Original ClickFix Attack?

In traditional ClickFix attacks, the trick goes something like this: the user visits a webpage that displays a button. When clicked, it automatically copies a PowerShell command to the clipboard, and the page then instructs the user to paste it into the Run dialog, opened with the classic Win+R, to "fix" some alleged issue. Fairly straightforward, though a bit suspicious if you're paying attention.

But FileFix takes this technique a step further and makes it much more believable. Instead of asking the victim to open the Run box or PowerShell, it tricks them into using something much more familiar: Windows File Explorer.

The attacker combines two entirely legitimate functions: file uploads from the browser and File Explorer’s ability to execute commands. This creates a very convincing scenario, where it appears the user is simply trying to open a shared file.

In this new approach, the phishing page no longer appears as an error or warning. Now, it might look like a friendly notification such as “A file has been shared with you,” and invites the user to copy and paste a path into File Explorer to access it.

Here’s the trick: the page includes a button labeled something like “Open File Explorer.” When the user clicks it, the browser opens the file upload window as if everything is normal... but in the background, it copies a PowerShell command to the clipboard.

Then, thinking everything is legitimate, the user pastes this “path” into File Explorer’s address bar, as if accessing a shared document. What they’re actually pasting is a disguised command.

To keep the trick from being obvious, the malicious command is hidden just before a fake path that looks legitimate. The trick uses PowerShell comments: the real command is placed at the beginning, followed by something like # C:\users\shared_document, so the user only sees that final part. This way, the address bar shows something harmless-looking, but Windows executes the part before the comment—the malicious code.

In a demonstration video of the attack, you can clearly see how pasting that supposed “path” into File Explorer’s address bar causes Windows to silently execute the command without the user noticing anything suspicious. Everything appears normal… until it’s already too late.

Attack Demonstration (Source: BleepingComputer)
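
The comment trick described above leaves a recognizable shape that defenders can look for. The following is an added example, not code from the original article or from the proof of concept: it flags strings in which a PowerShell command ends in a # comment that looks like a Windows path. It assumes the pasted string is available to you as text (for example, as a logged process command line); the interpreter list, function names and sample strings are constructed for illustration.

```python
import re

# Programs treated as "a command, not a path". Assumed list; extend for your estate.
INTERPRETERS = {"powershell", "pwsh"}

# A trailing '#' comment whose text looks like a Windows path (drive letter or UNC).
DECOY = re.compile(r"\s#\s*(?P<decoy>(?:[A-Za-z]:\\|\\\\)[^\r\n]*)$")


def first_program(value):
    """Lower-cased base name of the first token, without a trailing .exe."""
    v = value.lstrip()
    if v.startswith('"'):
        token = v[1:].split('"', 1)[0]      # quoted path may contain spaces
    else:
        token = v.split(None, 1)[0] if v else ""
    base = re.split(r"[\\/]", token)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def filefix_decoy(value):
    """Return the decoy path when an interpreter command ends in a
    path-like comment, otherwise None."""
    if first_program(value) not in INTERPRETERS:
        return None
    hit = DECOY.search(value)
    return hit.group("decoy").rstrip() if hit else None


# Constructed, harmless sample strings (not taken from any real incident).
SAMPLES = [
    r'powershell.exe -Command "Write-Output demo" # C:\users\shared_document',
    r'"C:\Program Files\PowerShell\7\pwsh.exe" -c "Get-Date"  #  \\fileserver\hr\policy.docx',
    r'C:\Projects\C# samples\report.docx',                    # real path containing '#'
    r'powershell.exe -Command "Get-Date" # nightly cleanup',  # ordinary comment
    r'C:\users\shared_document',                              # plain path
]


def scan(values):
    """Return (value, decoy) pairs for every string that matches the pattern."""
    return [(v, d) for v in values if (d := filefix_decoy(v)) is not None]


if __name__ == "__main__":
    for value, decoy in scan(SAMPLES):
        print(f"suspicious: user would see {decoy!r} but the full string is {value!r}")
```

Only the first two samples are flagged; a genuine path that happens to contain a # and a PowerShell command with an ordinary comment are both left alone.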

Since the FileFix attack relies on a file upload button, it was important to ensure the user wouldn’t stray from the script—for example, by accidentally selecting a file from their computer instead of following the deception instructions.

To prevent that, the proof-of-concept code includes a few extra lines that essentially intercept and instantly block any attempt to upload a file. In other words, if someone clicks and tries to upload something, the system immediately cancels that action. Nothing gets uploaded, and everything remains under the attacker’s control.

If that happens, a simple message can be displayed, saying something like: “It looks like you didn’t follow the steps correctly. Please try again.” This way, the user thinks they made a mistake and tries again—without suspecting a thing.

ClickFix Is Already a Proven (and Dangerous) Tactic

FileFix didn’t come out of nowhere. It’s an evolution of ClickFix, a method that has proven highly effective in distributing malware—even in serious attacks like ransomware campaigns or state-sponsored operations.

For example, the North Korean hacker group known as Kimsuky used a ClickFix-based technique in a campaign where they sent what appeared to be a legitimate PDF. That file led targets to a page asking them to register their device. The page displayed instructions to open PowerShell as an administrator and paste code that, of course, was malicious.

In another case observed by Microsoft, cybercriminals impersonated Booking.com. Their goal was to target hospitality sector employees, delivering info-stealer malware and remote access trojans—all through a ClickFix-style strategy.

And this hasn’t been limited to Windows. The idea has also been adapted for Linux, where the browser automatically copies a command to the clipboard and then guides the victim to execute it using a terminal. The mechanism is nearly identical, only the environment changes.

FileFix: Easier, More Believable, and Harder to Detect

What makes FileFix so concerning is its simplicity and effectiveness. Instead of relying on system windows that not all users are familiar with (like PowerShell or the console), it now leans on something everyone uses daily: File Explorer. This makes the attack feel much more natural, far easier to execute—and harder to detect.

This kind of evolution shows how attackers are always on the lookout for new ways to trick people. In fact, similar techniques have in the past been quickly adopted by cybercriminals once published. It’s not far-fetched to think FileFix will soon follow the same path.