{"id":59357,"date":"2025-09-16T12:02:26","date_gmt":"2025-09-16T12:02:26","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/filefix-attacks-use-fake-facebook-security-alerts-to-trick-victims-into-running-infostealers\/"},"modified":"2025-09-16T12:02:26","modified_gmt":"2025-09-16T12:02:26","slug":"filefix-attacks-use-fake-facebook-security-alerts-to-trick-victims-into-running-infostealers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/filefix-attacks-use-fake-facebook-security-alerts-to-trick-victims-into-running-infostealers\/","title":{"rendered":"&#8216;FileFix&#8217; attacks use fake Facebook security alerts to trick victims into running infostealers"},"content":{"rendered":"<p>An attack called FileFix is masquerading as a Facebook security alert before ultimately dropping the widely used StealC infostealer and malware downloader.<\/p>\n<p>FileFix is a <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/09\/05\/clickfix_castlerat_malware\/\">variation on ClickFix<\/a>, a newish type of social-engineering technique first <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/security-brief-clickfix-social-engineering-technique-floods-threat-landscape\">spotted last year<\/a> that tricks victims into running malware on their own devices using fake fixes and login prompts. These types of attacks have <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.eset.com\/us\/business\/threat-report\/?srsltid=AfmBOoqkmw5aHEfwp8cVsr3UCbF8i67peacbVHCxKddUkPyg9NYNykvK\">surged by 517 percent<\/a> in the past six months, according to researchers at antivirus and internet security software vendor ESET, making them the second most common attack vector behind phishing.<\/p>\n<p>ClickFix typically asks the victim to perform a <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/08\/22\/clickfix_report\/\">fake CAPTCHA test<\/a>. 
FileFix tricks the user into copying and pasting a command into a Windows Run Dialog or File Explorer, which after victims press Enter executes the payload(s) on their own machine.<\/p>\n<blockquote class=\"pullquote\" readability=\"6\">\n<p>This beautiful house. These doors. It&#8217;s an evasion technique. It&#8217;s also a mark of a sophisticated attacker<\/p>\n<\/blockquote>\n<p>Acronis&#8217; Threat Research Unit discovered the <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.acronis.com\/en\/tru\/posts\/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography\/\">FileFix attack<\/a> in late August, and told <em>The Register<\/em> that it&#8217;s the first in-the-wild example that doesn&#8217;t strictly follow the <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/mrd0x.com\/filefix-clickfix-alternative\/\">original proof-of-concept (PoC) attack<\/a> demonstrated by a researcher known as \u201cmr.d0x\u201d in July.<\/p>\n<p>&#8220;I&#8217;ve seen samples pop up on the 13th, which is a couple of days ago,&#8221; Acronis senior researcher Eliad Kimhy told <em>The Register<\/em>, noting a burst of VirusTotal file submissions and phishing sites associated with this attack. 
&#8220;They keep evolving the infrastructure.&#8221;<\/p>\n<p>The VirusTotal uploads come from multiple countries \u2013 the US, Bangladesh, Philippines, Tunisia, Nepal, Dominican Republic, Serbia, Peru, China, Germany, and others \u2013 as do the language translations on the phishing sites.<\/p>\n<p>&#8220;It&#8217;s possible that the attackers are reporting themselves to VirusTotal,&#8221; as part of the testing process, Kimhy said. 
&#8220;But the Occam&#8217;s Razor is that they&#8217;re attacking victims all over the world, and they&#8217;re reporting these pages as suspicious.&#8221;<\/p>\n<p>The infosec researchers over the past few weeks have also continued to see multiple variants with &#8220;very similar&#8221; payloads, indicating that whoever is behind this FileFix campaign may be accelerating the attacks.<\/p>\n<p>&#8220;I don&#8217;t want to say they&#8217;re building the plane as they&#8217;re going, because they&#8217;re not,&#8221; he said. &#8220;They have a very good plane. But they keep adding new things to the plane, which is really cool to see.&#8221;<\/p>\n<h3 class=\"crosshead\">Malware delivered via pretty pictures<\/h3>\n<p>To pull off the attack, the miscreants constructed a fake Facebook security alert warning the victim that someone has reported their account and it will be suspended in seven days. 
But the victim can purportedly appeal this account suspension by clicking on a PDF file that supposedly comes from Facebook.<\/p>\n<p>To view the file and appeal the suspension, the note tells the user to open File Explorer, and paste the URL for the PDF file into that window.<\/p>\n<p>It\u2019s all fake. The File Explorer is really just a file upload window, and the URL links to a malicious payload. To make it look more convincing, the attacker placed a lot of unnecessary spaces ahead of the payload so that only the file path \u2013 and not the malicious commands \u2013 appears in the address bar.<\/p>\n<p>&#8220;As it finishes running, the payload will spawn an alert saying, &#8216;No file is found,&#8217; and, when pressed, the continue button on the page will spawn a similar error, saying &#8216;Please complete the steps,'&#8221; the Acronis report explains. &#8220;Thus, the victim is stuck, with no file, and no ability to continue the appeal.&#8221;<\/p>\n<p>The victim believes they are stuck in this loop, but in reality they&#8217;ve executed malware on 
their computer. And the first stage is an image that downloads to the victim&#8217;s Temp folder. Downloading a JPG \u2013 which is something people do on their devices every single day \u2013 makes detection more difficult because it looks like the user simply saved an image file onto their machine.<\/p>\n<p>The Acronis team believes attackers use AI to generate these photographs, which depict a bucolic house, a snail on dewy morning leaves, or a series of intricate doors within doors.<\/p>\n<p>&#8220;The image is my favorite part,&#8221; Acronis\u2019s Kimhy said, clicking through the different images he has collected as part of this campaign. &#8220;This beautiful house. These doors. It&#8217;s an evasion technique. It&#8217;s also a mark of a pretty sophisticated attacker.&#8221;<\/p>\n<p>In watching this campaign evolve, the threat hunters found the crims moving away from using malicious domains that they control, such as elprogresofood[.]com, and instead delivering the images from BitBucket. This helps evade detection, and also means they don&#8217;t need to register and manage malicious domains.<\/p>\n<p>These idyllic photos actually contain a second-stage PowerShell script stored in plaintext and an executable payload encrypted within the image. Embedding the second stage of the exploit into the image file allows the attacker more flexibility to change the files that are dropped without changing the payload on the phishing site. Another reason may be to aid evasion, as reducing the size of the base64-encoded command might attract less attention.<\/p>\n<h3 class=\"crosshead\">From Facebook alert to StealC infostealer<\/h3>\n<p>The final payload includes both a loader and the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/07\/07\/phishing_platforms_infostealers_blamed_for\/\">infostealer<\/a>. 
The loader is written in Go, and first it checks to make sure it&#8217;s not running in a VM \u2013 this could indicate a sandbox, and not a legit victim \u2013 before decrypting and loading shellcode into memory.<\/p>\n<blockquote class=\"pullquote\" readability=\"5\">\n<p>The attacks are a strong indication that anti-phishing training needs to evolve<\/p>\n<\/blockquote>\n<p>The shellcode then unpacks StealC version 2, <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.picussecurity.com\/resource\/blog\/stealc-v2-malware-enhances-stealth-and-expands-data-theft-features\">released in March<\/a>, that can steal information from a ton of different programs.<\/p>\n<p>This includes browsers such as Chrome, Firefox, Opera, Explorer, Tencent QQ, Quark, UC Browser, Sogou Explorer, and Maxthon. It also seeks out over 20 cryptocurrency wallets, and tries to steal data from messaging, VPN, and database applications such as Thunderbird, Telegram, Discord, Tox, Pidgin, Ubisoft Game Launcher, Battle.net, OpenVPN, and Proton VPN.<\/p>\n<p>The malware also looks for Azure and AWS keys.<\/p>\n<p>&#8220;A lot of these Fix attacks end with stealers nowadays, and I&#8217;m curious to see if this evolves, because they do keep changing the payload,&#8221; Kimhy said. &#8220;StealC also has the capability to load other malware onto a machine, so that&#8217;s something I&#8217;m keeping an eye on.&#8221;<\/p>\n<p>&#8220;The ClickFix, and now FileFix, attacks are a strong indication that anti-phishing training needs to evolve,&#8221; he added.<\/p>\n<p>&#8220;It&#8217;s interesting that a technique like this is surging, because on its face, it&#8217;s such a basic idea,&#8221; Kimhy said. &#8220;Just tell them [the victim] to do the thing for you, and they&#8217;ll do it. Maybe it works because users aren&#8217;t really familiar with these types of attacks. 
So to prevent these types of phishing attacks, we need to explain to users that this could happen to them.&#8221;<\/p>\n<p>Kimhy also noted the speed at which this type of attack moved from a PoC to a global campaign. &#8220;This one was theorized at the beginning of July, so about 75 days ago,&#8221; he said. &#8220;I&#8217;m sure there are going to be other variants coming soon now that people have realized how effective this is.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2025\/09\/16\/filefix_attacks_facebook_security_alert\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tech evolved from PoC to global campaign in under two months An attack called FileFix is masquerading as a Facebook security alert before ultimately dropping the widely used StealC infostealer and malware downloader.\u2026  READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-59357","post","type-post","status-publish","format-standard","hentry","category-the-register"]}