The Register

‘FileFix’ attacks use fake Facebook security alerts to trick victims into running infostealers

An attack called FileFix is masquerading as a Facebook security alert before ultimately dropping the widely used StealC infostealer and malware downloader.

FileFix is a variation on ClickFix, a newish type of social-engineering technique first spotted last year that tricks victims into running malware on their own devices using fake fixes and login prompts. These types of attacks have surged by 517 percent in the past six months, according to researchers at antivirus and internet security software vendor ESET, making them the second most common attack vector behind phishing.

ClickFix typically asks the victim to perform a fake CAPTCHA test. FileFix tricks the user into copying and pasting a command into the Windows Run dialog or File Explorer; once the victim presses Enter, the payload(s) execute on their own machine.


Acronis’ Threat Research Unit discovered the FileFix attack in late August, and told The Register that it’s the first in-the-wild example that doesn’t strictly follow the original proof-of-concept (PoC) attack demonstrated by a researcher known as “mr.d0x” in July.

“I’ve seen samples pop up on the 13th, which is a couple of days ago,” Acronis senior researcher Eliad Kimhy told The Register, noting a burst of VirusTotal file submissions and phishing sites associated with this attack. “They keep evolving the infrastructure.”

The VirusTotal uploads come from multiple countries – the US, Bangladesh, Philippines, Tunisia, Nepal, Dominican Republic, Serbia, Peru, China, Germany, and others – as do the language translations on the phishing sites.

“It’s possible that the attackers are reporting themselves to VirusTotal,” as part of the testing process, Kimhy said. “But the Occam’s Razor is that they’re attacking victims all over the world, and they’re reporting these pages as suspicious.”

Over the past few weeks the researchers have also continued to see multiple variants with “very similar” payloads, indicating that whoever is behind this FileFix campaign may be accelerating the attacks.

“I don’t want to say they’re building the plane as they’re going, because they’re not,” he said. “They have a very good plane. But they keep adding new things to the plane, which is really cool to see.”

Malware delivered via pretty pictures

To pull off the attack, the miscreants constructed a fake Facebook security alert warning the victim that someone has reported their account and it will be suspended in seven days. But the victim can purportedly appeal this account suspension by clicking on a PDF file that supposedly comes from Facebook.

To view the file and appeal the suspension, the note tells the user to open File Explorer and paste the URL for the PDF file into that window.

It’s all fake. The “File Explorer” is really just a file upload window, and the URL links to a malicious payload. To make it look more convincing, the attacker placed a lot of unnecessary spaces ahead of the payload so that only the file path – and not the malicious commands – appears in the address bar.

“As it finishes running, the payload will spawn an alert saying, ‘No file is found,’ and, when pressed, the continue button on the page will spawn a similar error, saying ‘Please complete the steps,’” the Acronis report explains. “Thus, the victim is stuck, with no file, and no ability to continue the appeal.”

The victim believes they are stuck in this loop, but in reality they’ve executed malware on their computer. And the first stage is an image that downloads to the victim’s Temp folder. Downloading a JPG – which is something people do on their devices every single day – makes detection more difficult because it looks like the user simply saved an image file onto their machine.
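The delivery step described above leaves a telemetry footprint a defender can look for: a script host started by explorer.exe with a command line that carries a long run of whitespace, the padding that keeps the command out of the visible address bar. The following detection sketch is an added example, not Acronis’s tooling or anything from the campaign itself; the event records and field names are constructed here (modelled loosely on Sysmon process-creation fields), and the whitespace threshold is an assumption to tune against your own telemetry.

```python
"""Flag process-creation events consistent with a FileFix-style paste into
the File Explorer address bar.

Assumptions made by this example (not taken from the article):
  - the launched script host has explorer.exe as its parent process;
  - the padding shows up as a run of 20+ spaces/tabs in the command line.
The sample events below are constructed, not a real capture.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
PADDING_RE = re.compile(r"[ \t]{20,}")          # assumed threshold
PATH_RE = re.compile(r"""[A-Za-z]:\\[^\s"']+""")  # drive-letter path token


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_filefix_like(event: dict) -> bool:
    """True when explorer.exe spawns a script host with a padded command line."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return False
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return False
    return PADDING_RE.search(event.get("CommandLine", "")) is not None


def decoy_path(event: dict):
    """The file path the victim saw in the address bar, taken from the text
    after the padding run; None when the command line is not padded."""
    cmd = event.get("CommandLine", "")
    m = PADDING_RE.search(cmd)
    if not m:
        return None
    p = PATH_RE.search(cmd[m.end():])
    return p.group(0) if p else None


def scan(events):
    """Indices of events worth triage."""
    return [i for i, e in enumerate(events) if is_filefix_like(e)]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # 0: a user opening PowerShell from the Start menu; parent is explorer.exe,
    #    but there is no padding, so this is benign.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    # 1: FileFix-style paste: a command, heavy padding, then the decoy PDF path.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "<constructed payload stand-in>"'
                    + " " * 180
                    + r"C:\Users\victim\Downloads\Facebook_Appeal.pdf"},
    # 2: a build script launched from a terminal, not from Explorer.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File build.ps1"},
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"event {i}: padded script-host launch from Explorer, "
              f"decoy path {decoy_path(SAMPLE_EVENTS[i])!r}")
```

The parent-process check alone is noisy, since explorer.exe is the parent of almost everything a user double-clicks; it is the padding run that makes the pattern specific, and the extracted decoy path is useful in triage because it tells you what the victim believed they were opening.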

The Acronis team believes attackers use AI to generate these photographs, which depict a bucolic house, a snail on dewy morning leaves, or a series of intricate doors within doors.

“The image is my favorite part,” Acronis’s Kimhy said, clicking through the different images he has collected as part of this campaign. “This beautiful house. These doors. It’s an evasion technique. It’s also a mark of a pretty sophisticated attacker.”

In watching this campaign evolve, the threat hunters found the crims moving away from using malicious domains that they control, such as elprogresofood[.]com, and instead delivering the images from BitBucket. This helps evade detection, and also means they don’t need to register and manage malicious domains.

These idyllic photos actually contain a second-stage PowerShell script stored in plaintext and an executable payload encrypted within the image. Embedding the second stage of the exploit into the image file allows the attacker more flexibility to change the files that are dropped without changing the payload on the phishing site. Another reason may be to aid evasion, as reducing the size of the base64-encoded command might attract less attention.
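An image that renders normally but carries a plaintext script and an encrypted blob has to keep that extra data somewhere the decoder ignores, and the simplest place is after the End-Of-Image marker. The inspector below is an added example, not Acronis’s tooling or any sample from this campaign: it walks the JPEG segment structure to find the real EOI marker (so an EXIF thumbnail’s own EOI or stuffed 0xFF bytes in scan data cannot fool it), reports whatever trails the image, and looks for a few PowerShell-looking tokens in that tail. The sample image bytes, the keyword list, and the size threshold are all constructed assumptions for the example.

```python
"""Report data appended after a JPEG's real End-Of-Image marker.

Constructed example: the sample image, keyword list and threshold are this
example's own assumptions, not indicators taken from the campaign.
"""
import re

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
# Tokens that suggest a plaintext PowerShell stage sits in the tail (assumed list).
PS_HINTS = re.compile(
    rb"(?i)(invoke-expression|\biex\b|frombase64string|downloadstring|"
    rb"start-process|-enc(?:odedcommand)?\b)")
SIZE_THRESHOLD = 1024  # assumed: legitimate files rarely trail more than a few bytes


def find_eoi(blob: bytes) -> int:
    """Offset just past the real EOI marker, found by walking segments.
    Returns -1 if the data is not a well-formed JPEG."""
    if not blob.startswith(SOI):
        return -1
    pos, n = 2, len(blob)
    while pos + 1 < n:
        if blob[pos] != 0xFF:
            return -1
        marker = blob[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 3 >= n:
            return -1
        seg_len = int.from_bytes(blob[pos + 2:pos + 4], "big")
        pos += 2 + seg_len                       # skip the whole segment
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                        # a real marker, not stuffing/RSTn
                pos += 1
    return -1


def trailing_data(blob: bytes) -> bytes:
    end = find_eoi(blob)
    return blob[end:] if end >= 0 else b""


def naive_trailing(blob: bytes) -> bytes:
    """What a quick find(EOI) check returns; an embedded thumbnail's EOI fools it."""
    i = blob.find(EOI)
    return blob[i + 2:] if i != -1 else b""


def assess(blob: bytes) -> dict:
    tail = trailing_data(blob)
    hints = sorted({m.group(0).decode("ascii", "replace").lower()
                    for m in PS_HINTS.finditer(tail)})
    return {"trailing_bytes": len(tail), "script_hints": hints,
            "suspicious": bool(hints) or len(tail) > SIZE_THRESHOLD}


def build_sample(tail: bytes) -> bytes:
    """Minimal constructed JPEG: APP0, an APP1 holding a thumbnail with its own
    SOI/EOI, a tiny scan with a stuffed 0xFF00 and an RST0 marker, then EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1_body = b"Exif\x00\x00" + SOI + EOI
    app1 = b"\xff\xe1" + (len(app1_body) + 2).to_bytes(2, "big") + app1_body
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return SOI + app0 + app1 + sos + scan + EOI + tail


# Constructed stand-in for an appended plaintext stage plus an opaque blob.
SAMPLE_TAIL = (b"# constructed stand-in, not a working script\n"
               b"$blob = [Convert]::FromBase64String('QUJD')\n"
               + bytes(range(256)) * 4)

if __name__ == "__main__":
    print(assess(build_sample(SAMPLE_TAIL)))
    print(assess(build_sample(b"")))
```

Run over a directory of downloaded images, the `suspicious` flag is a cheap triage signal: a carrier like the ones described above shows a large tail, keyword hits, or both, while an ordinary photo trails nothing. Note that it only covers appended data; payloads hidden inside metadata segments or pixel data need a different check.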

From Facebook alert to StealC infostealer

The final payload includes both a loader and the infostealer. The loader is written in Go, and first it checks to make sure it’s not running in a VM – this could indicate a sandbox, and not a legit victim – before decrypting and loading shellcode into memory.


The shellcode then unpacks StealC version 2, released in March, that can steal information from a ton of different programs.

This includes browsers such as Chrome, Firefox, Opera, Explorer, Tencent QQ, Quark, UC Browser, Sogou Explorer, and Maxthon. It also seeks out over 20 cryptocurrency wallets, and tries to steal data from messaging, VPN, and database applications such as Thunderbird, Telegram, Discord, Tox, Pidgin, Ubisoft Game Launcher, Battle.net, OpenVPN, and Proton VPN.

The malware also looks for Azure and AWS keys.

“A lot of these Fix attacks end with stealers nowadays, and I’m curious to see if this evolves, because they do keep changing the payload,” Kimhy said. “StealC also has the capability to load other malware onto a machine, so that’s something I’m keeping an eye on.”

“The ClickFix, and now FileFix, attacks are a strong indication that anti-phishing training needs to evolve,” he added.

“It’s interesting that a technique like this is surging, because on its face, it’s such a basic idea,” Kimhy said. “Just tell them [the victim] to do the thing for you, and they’ll do it. Maybe it works because users aren’t really familiar with these types of attacks. So to prevent these types of phishing attacks, we need to explain to users that this could happen to them.”

Kimhy also noted the speed at which this type of attack moved from a PoC to a global campaign. “This one was theorized at the beginning of July, so about 75 days ago,” he said. “I’m sure there are going to be other variants coming soon now that people have realized how effective this is.”
