New FileFix Attack Uses Steganography to Slip StealC Malware into Victims’ Systems
Acronis’ Threat Research Unit (TRU) recently uncovered what is believed to be the first fully weaponized FileFix attack, diverging from previous proof-of-concept (POC) designs and spotlighting new social engineering, evasion, and payload delivery tactics.
This incident follows a surge in ClickFix and FileFix variants, with ClickFix-related detection rates rising more than 500% over recent months.
Unlike earlier ClickFix and FileFix attempts, which largely mimicked public POCs, the newly observed attack demonstrates an advanced level of operational maturity.
The phishing campaign uses a realistically crafted, multilingual site, often posing as a legitimate Facebook Security page, to lure victims worldwide into pasting a malicious command, disguised as a file path, into the address bar of the File Explorer window that the page's file upload dialog opens.
Unlike standard ClickFix, which has the victim run the command from a terminal or the Windows Run dialog, FileFix hijacks the file upload workflow, which raises its success rate against non-technical targets. The infection chain starts with a heavily obfuscated PowerShell command concealed behind a faux "incident report" file path.
The command splits key strings across randomly named variables, Base64-encodes them, and, in newer versions, also hides remote resource URLs behind XOR and hexadecimal encoding.
Upon execution, it downloads a seemingly benign JPG image from a trusted third-party platform (e.g., Bitbucket).
Embedded within this image via steganography are both a second-stage PowerShell script and encrypted executables, so traditional signature-based scanners that treat the file as an ordinary image see nothing malicious.
After downloading, the initial PowerShell script decodes and runs the embedded second-stage script directly from the image.
This follow-up script then extracts and decrypts one or more executable payloads using RC4 decryption and GZIP decompression, and runs them under the cover of benign system processes such as conhost.exe to avoid detection. Each payload is deleted from disk within minutes to minimize forensic traces.
The campaign's final stage introduces a loader written in Go that performs virtual machine and sandbox evasion checks and hides its API calls behind encryption.
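A triage check for the image stage described above, added here as an example and not taken from Acronis's report. The report says the second-stage script and the executables are hidden inside the JPG but does not say how, so this example assumes only the simplest hiding place, data appended after the JPEG End-Of-Image (EOI) marker, and walks the JPEG segment structure instead of searching for the last FF D9 pair, so an appended payload that itself contains FF D9 cannot push the detected boundary later. The minimal JPEG, the appended stage, and the keyword list are constructed for this example.

```python
"""Triage helper: report data appended after a JPEG's End-Of-Image marker.

Added example, not code from the report. The sample image and payload are
constructed, and the assumption that the hidden stage is appended after EOI
(rather than hidden some other way) is this example's, not the report's.
"""
import re

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))   # markers that carry no length field
# Constructed keyword list: strings a PowerShell stager tends to contain.
SCRIPT_MARKERS = re.compile(rb"(?i)(powershell|invoke-expression|\biex\b|frombase64string|-enc\b)")


def jpeg_eoi_offset(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past the real EOI.

    Raises ValueError if the input is not a JPEG, is truncated, or has no EOI.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes are permitted
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length field counts itself
        if marker == SOS:
            # Entropy-coded data follows the SOS header. Inside it, FF 00 is byte
            # stuffing and FF D0..D7 are restart markers; anything else is a real marker.
            while True:
                idx = data.find(b"\xff", pos)
                if idx == -1 or idx + 1 >= len(data):
                    raise ValueError("no EOI after scan data")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 or nxt == 0xFF:
                    pos = idx + 1
                    continue
                pos = idx
                break
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> dict:
    """Describe whatever follows the real EOI: size and any script-like keywords."""
    end = jpeg_eoi_offset(data)
    tail = data[end:]
    return {
        "eoi_offset": end,
        "trailing_bytes": len(tail),
        "script_markers": sorted({m.decode().lower() for m in SCRIPT_MARKERS.findall(tail)}),
    }


# Constructed minimal JPEG: SOI, APP0/JFIF, SOS header, five bytes of scan data
# (including a stuffed FF 00 that must not be mistaken for a marker), then EOI.
MINIMAL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)
# Constructed "hidden" stage. It deliberately contains its own FF D9 pair in the
# middle, which would fool a naive data.rfind(b"\xff\xd9") boundary search.
APPENDED_STAGE = (
    b"$s=[Convert]::FromBase64String('aGVsbG8=');"
    + b"\xff\xd9"
    + b"IEX ([Text.Encoding]::UTF8.GetString($s))"
)

if __name__ == "__main__":
    print(trailing_payload(MINIMAL_JPEG))
    print(trailing_payload(MINIMAL_JPEG + APPENDED_STAGE))
```

Run it against a real sample only as a first pass: a payload hidden in pixel data or inside an APPn segment will not show up here, and the keyword list is a heuristic, so a non-zero `trailing_bytes` on any image fetched by PowerShell is the signal worth escalating, regardless of what the keywords say.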
Once confidence is established that the target is a genuine environment, the loader deploys StealC, an advanced infostealer capable of exfiltrating browser secrets, cryptocurrency wallet keys, messaging app data, and even cloud credentials.
StealC can also load additional malware, expanding the attacker’s arsenal for future abuse. Security experts warn that the rapid adaptation and sophistication of these attacks point to a highly organized threat actor.
Organizations are urged to block browsers from spawning PowerShell or CMD child processes, to monitor for image downloads initiated by PowerShell, and to expand user training to cover new *Fix attack vectors before they become mainstream.
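The two monitoring recommendations above, turned into detection logic as an added example that is not from the article or from Acronis. The event schema (`type`, `image`, `parent_image`, `cmdline`, `url`, `pid`) and the five log lines are constructed for this example and do not follow any vendor's telemetry format; the third rule, a PowerShell command line ending in a `#` comment that looks like a Windows path, is an assumption about how the command is disguised as a file path and should be tuned against your own data before use.

```python
"""Detection sketch for FileFix indicators over constructed endpoint telemetry.

Added example, not the article's or Acronis's code. The event format and the
sample log lines are constructed; the 'fake path comment' rule is an assumption
about how the pasted command is disguised as a file path.
"""
import json
import re
from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
# Assumed hallmark: the command line ends in a '#' comment holding a Windows path,
# so only the path is visible in the File Explorer address bar.
FAKE_PATH_COMMENT = re.compile(r"#\s*[A-Za-z]:\\\S+\s*$")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return one alert dict per rule hit; each names the rule and the triggering pid."""
    alerts = []
    for ev in events:
        image = _base(ev.get("image", ""))
        if ev.get("type") == "process" and image in SHELLS:
            parent = _base(ev.get("parent_image", ""))
            if parent in BROWSERS:
                alerts.append({"rule": "shell_spawned_by_browser", "parent": parent, "pid": ev.get("pid")})
            if FAKE_PATH_COMMENT.search(ev.get("cmdline", "")):
                alerts.append({"rule": "fake_path_comment", "pid": ev.get("pid")})
        elif ev.get("type") == "download" and image in SHELLS:
            # A shell fetching an image file is the stager pulling the stego JPG.
            if urlparse(ev.get("url", "")).path.lower().endswith(IMAGE_EXT):
                alerts.append({"rule": "shell_fetched_image", "url": ev["url"], "pid": ev.get("pid")})
    return alerts


def parse_jsonl(text: str):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry (raw string so the JSON backslash escapes survive).
SAMPLE_LOG = r"""
{"type": "process", "pid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "powershell.exe -NoP -w hidden -c $a=[Convert]::FromBase64String($x);iex $a # C:\\Users\\Public\\Downloads\\Incident_Report_2025.pdf"}
{"type": "process", "pid": 4188, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -Command Get-Process"}
{"type": "download", "pid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "url": "https://bitbucket.org/example/repo/raw/main/photo.jpg"}
{"type": "download", "pid": 2204, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "url": "https://example.com/static/logo.png"}
{"type": "process", "pid": 4190, "image": "C:\\Windows\\notepad.exe", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "notepad.exe"}
"""


def sample_alerts():
    """Alerts raised on the constructed log: three hits, all on pid 4120."""
    return analyze(parse_jsonl(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

Only the first and third sample events trip a rule; the PowerShell launched from explorer.exe with an ordinary command line and the browser's own PNG download are left alone, which is the false-positive boundary the rules need to hold in production. Correlating the hits by pid, as the sample does, is what turns three weak signals into one incident.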
The post New FileFix Attack Uses Steganography to Slip StealC Malware into Victims’ Systems appeared first on Cyber Security News.