CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

FileFix Attack Using Steganography to Deploy StealC Infostealer

First reported
Last updated
πŸ“° 3 unique sources, 4 articles

Summary

Hide β–²

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.

Timeline

  1. 16.09.2025 15:00 πŸ“° 4 articles Β· ⏱ 1d ago

    FileFix Attack Using Steganography to Deploy StealC Infostealer

    The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is considered more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. This allows the attack to target a broader range of high-value targets. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. The infection chain uses a Windows shortcut LNK file disguised as a PDF to initiate the download of a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).

Open in new tab

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 700 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

Open in new tab

Lies-in-the-Loop Attack Exploits AI Coding Agents

A new attack vector, dubbed 'lies-in-the-loop' (LITL), targets AI coding agents by manipulating them to execute dangerous commands. The attack exploits the trust between human users and AI agents, convincing users to approve harmful actions. Researchers from Checkmarx Zero demonstrated the attack on Anthropic's Claude Code, showing how it can be used to execute arbitrary commands and potentially compromise the software supply chain. The LITL attack leverages prompt injection to trick AI agents into providing fake, seemingly safe contexts. This manipulation can lead users to unknowingly approve harmful actions, highlighting the risks associated with AI-assisted coding tools. The attack was successfully tested on developers, demonstrating its effectiveness in real-world scenarios.

Open in new tab

SEO Poisoning Campaign Targets Chinese Users with HiddenGh0st, Winos, and kkRAT

A sophisticated SEO poisoning campaign targets Chinese-speaking users with malware, including HiddenGh0st, Winos, and kkRAT. The attackers manipulate search rankings to distribute trojanized installers for popular software, leading to the deployment of remote access trojans (RATs). The malware employs various techniques to evade detection and achieve persistence, including anti-analysis checks, DLL side-loading, and TypeLib COM hijacking. The campaign aims to establish command-and-control communication, monitor user activity, and steal sensitive information. The attackers use fake software sites and GitHub Pages to distribute malware. The malware is designed to disable antivirus software and achieve persistence through scheduled tasks and registry modifications. The campaign has been active since at least May 2025 and involves multiple malware families, including kkRAT, which shares code similarities with Gh0st RAT and Big Bad Wolf.

Open in new tab

VoidProxy phishing service targets Microsoft 365 and Google accounts

A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party SSO providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real-time. The attack begins with emails from compromised accounts at email service providers, directing recipients to phishing sites through multiple redirections. The malicious sites are hosted on disposable domains protected by Cloudflare. VoidProxy's AitM tactics allow it to intercept and relay traffic between the victim and legitimate services, capturing sensitive information. Users with phishing-resistant authentications like Okta FastPass are protected from these attacks. The platform was discovered by Okta Threat Intelligence researchers, who describe it as scalable, evasive, and sophisticated.

Open in new tab