StealC FileFix phishing delivery chain
Malware Activity
Summary
Hide ▲
Show ▼
The StealC malware is being delivered through a FileFix phishing chain that can execute malicious code on Windows victims. The lure uses a convincing multilingual fake Facebook Security page and anti-analysis obfuscation to push users into copying a malicious command into File Explorer. A multi-stage PowerShell sequence then fetches payloads from Bitbucket and launches a Go-based loader that unpacks shellcode to run StealC. The result is credential-theft malware execution with increased risk of endpoint compromise and stolen access data.
Related Happenings
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
H score30
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware ActivityAbout this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Vidar Stealer 2.0 fake game-cheat distribution
Malware Activity
H score29
First: 18.03.2026 13:15
Last: 18.03.2026 13:15
Sources 1
About this happening:
The **Vidar Stealer 2.0** malware is being spread through **fake game-cheat repositories** and **Reddit lures**, putting players seeking cheats for major online games at risk of *...
Vidar Stealer 2.0 fake game-cheat distribution
Malware ActivityAbout this happening: The **Vidar Stealer 2.0** malware is being spread through **fake game-cheat repositories** and **Reddit lures**, putting players seeking cheats for major online games at risk of *...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
H score34
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
CampaignAbout this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
H score22
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware ActivityAbout this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
H score28
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
About this happening:
The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...
CRESCENTHARVEST Windows RAT and info-stealer activity
Malware ActivityAbout this happening: The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...
Timeline
-
16.09.2025 15:33 2 articles · 9mo ago
FileFix phishing campaign delivers StealC malware
Initial DisclosureResearchers said a new FileFix phishing campaign delivers StealC through a multilingual fake Facebook Security page that uses anti-analysis techniques and obfuscation, then persuades victims to paste a malicious command into File Explorer. The command launches a multi-stage PowerShell chain that downloads image content from Bitbucket, decodes the next-stage payload, and runs a Go-based loader that unpacks shellcode to execute StealC.
Show sources
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site — thehackernews.com — 16.09.2025 15:33