CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

FileFix Attack Evolves with Cache Smuggling Technique

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A new variant of the FileFix social engineering attack uses cache smuggling to evade security software. This technique involves hiding a malicious ZIP archive within a browser's cache to bypass detection. The attack impersonates a Fortinet VPN Compliance Checker and tricks users into executing a PowerShell script through the Windows File Explorer address bar. The script extracts the malicious payload from the cache and executes it. This new variant was first observed by cybersecurity researcher P4nd3m1cb0y and detailed by Marcus Hutchins of Expel. The attack has been adopted by various threat actors, including ransomware groups. Additionally, a new ClickFix kit called the IUAM ClickFix Generator has been discovered, which automates the creation of ClickFix-style lures.

Timeline

  1. 08.10.2025 22:49 1 articles · 6d ago

    New FileFix variant uses cache smuggling to evade security software

    A new variant of the FileFix social engineering attack uses cache smuggling to hide a malicious ZIP archive within a browser's cache. The attack impersonates a Fortinet VPN Compliance Checker and tricks users into executing a PowerShell script through the Windows File Explorer address bar. The script extracts the malicious payload from the cache and executes it. This technique has been adopted by various threat actors, including ransomware groups.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

TigerJack Campaign Targets Developers with Malicious VSCode Extensions

The TigerJack campaign continues to target developers with malicious Visual Studio Code (VSCode) extensions, which have now been found to leak access tokens posing a critical software supply chain risk. The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year, with two extensions, C++ Playground and HTTP Format, removed from VSCode but remaining on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. Developers are advised to be cautious when downloading extensions from these platforms. Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. Microsoft has revoked the leaked PATs and is adding secret scanning capabilities to enhance security. Organizations are recommended to develop an extension inventory and consider a centralized allowlist for extensions.

Open in new tab