How Steganography and Bitbucket Are Delivering the StealC Information Stealer


A user opens their email to find what looks to be a legitimate—and urgent—message purporting to be from Meta Support. The email claims that the user’s account has been reported and is scheduled to be suspended or permanently disabled. When the user clicks through the button to appeal the decision, they are taken not to an official site, but to a convincing multilingual phishing page.

This is a fairly common example of phishing, but the next step in the execution of this attack is a surprising development. Believing they are opening a PDF file to appeal their suspension, the target is asked to copy and paste what looks like a file path into a file upload window disguised as File Explorer. That action actually launches a multistage, obfuscated PowerShell script that retrieves its later stages from Bitbucket. This attack, using steganography and exploiting a trusted host, is more dangerous than it first appears and could cause extensive damage.

What is FileFix?

FileFix is a type of AllFix attack, along with ClickFix, PromptFix, and other varieties. FileFix uses the browser file upload and File Explorer address bar, and it relies on deceiving the victim into carrying out the attacker’s goals for them. The target is tricked into copying and pasting the malicious code to run it on their device, usually under the guise of a legitimate process.

This is a slight variation on ClickFix attacks, in which attackers convince users to unknowingly execute payloads via the Run dialog. This slight pivot in user experience makes FileFix attacks subtler and more successful, as targets are deceived into thinking that their actions simply open a file or folder.

Anatomy of the Observed Campaign

The campaign, as it has been observed, consists of several steps that together form a sophisticated attack. It begins with a phishing email claiming to be from Facebook, which asks the user to click through to a spoofed Facebook Security page. The page uses obfuscated JavaScript and prompts the user to copy and paste the malicious payload into File Explorer, in the belief that they are opening a PDF as a necessary part of the appeal process. The initial code is executed and goes on to download images from Bitbucket that contain obfuscated malware. The steganographic content is then decoded in order to deploy the StealC malware.

Steganography and Bitbucket: A Stealthy Rendezvous

The steganographic attack using images to deliver malware relies on certain trends in user trust. Images are attractive carriers for malicious code due to the low suspicion of downloading images and their common presence in online repositories. Even users who are reasonably educated in avoiding cyberthreats like phishing do not often think of downloaded images as a potential source of malicious code.

Hosting the images on Bitbucket adds another layer to this. Using a trusted host reduces scanning and flagging, making Bitbucket and similar developer platforms an appealing vector for attacks like this. The images contain an additional PowerShell script, which is used to decode the hidden malware payload.

Technical Evasions and Anti-Analysis Tactics

This attack campaign relies on a variety of evasive techniques and technologies to reduce suspicion and increase success. The malicious code is padded with junk code, and the original PowerShell command is split into fragments in order to avoid detection. This prevents many malware prevention technologies from identifying the malicious aspects of the process.

The phishing page being available in many languages enables a broader reach for these attacks, targeting speakers of 16 languages. The steps in the attack also contain anti-analysis checks, including delays and environmental checks. Static scanning and many sandbox heuristics fail here due to the levels of obfuscation hiding the malicious components from these measures.

The Human Factor: UX as the Vulnerability

While attackers and defense experts alike are constantly attempting to advance their technologies, many threat actors are also increasingly falling back on tried-and-true methods like social engineering. This tactic of deceiving users to achieve nefarious goals is re-emerging as the most reliable component in many sophisticated attacks, as it relies on exploiting human psychology rather than evading threat detection solutions. The specific choice to deceive the target into copying and pasting into the File Explorer leverages user trust and muscle memory, using routine actions for malicious ends.

Impact and Risk Profile of StealC

StealC is an infostealer malware that primarily targets tokens, cloud credentials, and session cookies. It has been advertised on hacking forums and is known to borrow from other stealers, including Vidar, Raccoon, Mars, and RedLine. The potential consequences of this malware being deployed on a target device are diverse. A successful StealC deployment could lead to cloud account takeover, code repository compromise, CI/CD credential theft, and supply chain escalation, enabling further attacks with far-reaching impacts.

Detection Challenges and Indicators of Compromise (IOCs)

While this attack uses a range of tactics to attempt to evade detection, there are still practical ways to identify this kind of malicious activity. Indicators of compromise include unusual process spawns from Explorer, network calls to Bitbucket image endpoints followed by suspicious local file creation, unusual decoding activity, and the presence of TruffleHog-like scanning behavior. Monitoring certain log sources can also help detect an attack like this, such as endpoint process trees, DNS/netflow, EDR telemetry of explorer.exe child processes, and Bitbucket access patterns.
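The process-tree indicator above, as an added example that is not part of the original article: a small correlation over constructed Sysmon-style events (my own field names, not a real EDR schema) that first flags any shell spawned by explorer.exe, then raises a higher-fidelity alert only when that shell contacts a Bitbucket host and afterwards writes a local file.

```python
# Constructed Sysmon-style events (not from the campaign): id 1 = process
# creation, 3 = network connection, 11 = file creation. Field names are my own.
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
    {"id": 1, "pid": 5544, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 5544, "dest": "bitbucket.org", "port": 443},
    {"id": 11, "pid": 5544, "target": r"C:\Users\u\AppData\Local\Temp\img.png"},
    {"id": 1, "pid": 6001, "ppid": 4120, "image": r"C:\Windows\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe")
DEV_HOSTS = ("bitbucket.org", "api.bitbucket.org")


def _is(image, names):
    """Compare only the file name of a full image path, case-insensitively."""
    return image.lower().rsplit("\\", 1)[-1] in names


def explorer_shell_spawns(events):
    """Low-fidelity IoC: any shell interpreter whose parent is explorer.exe.
    Legitimate child processes of Explorer (e.g. notepad.exe) are ignored."""
    return [e["pid"] for e in events
            if e["id"] == 1 and _is(e["parent"], ("explorer.exe",))
            and _is(e["image"], SHELLS)]


def find_filefix_chains(events):
    """High-fidelity chain: explorer.exe -> shell, then that shell contacts a
    developer-platform host, then (only after that) creates a local file."""
    state = {}
    for e in events:
        pid = e["pid"]
        if e["id"] == 1 and pid in explorer_shell_spawns([e]):
            state[pid] = {"net": False, "file": False}
        elif pid in state and e["id"] == 3 and e.get("dest", "").lower() in DEV_HOSTS:
            state[pid]["net"] = True
        elif pid in state and e["id"] == 11 and state[pid]["net"]:
            state[pid]["file"] = True
    return [pid for pid, s in state.items() if s["file"]]
```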

Mitigations and Defensive Posture

Organizations can take steps to protect against these attacks. Short-term mitigations include blocking and monitoring unexpected File Explorer address bar executions, enforcing the principle of least privilege for developer tokens, implementing EDR rules for explorer children, and scanning developer platform downloads for steganographic payloads.

In the medium term, it is also suggested to utilize phishing-resistant multifactor authentication, implement user training that teaches about FileFix and similar attacks, and restrict paste and execute patterns via endpoint policy. For strategic measures against such threats, it is vital to vet and monitor third-party repository usage, implement telemetry for developer platform downloads, and rotate and scope tokens.

Why This Matters for Defenders and Developers

It is crucial for defenders and software developers to take lessons away from the discovery of this attack campaign. Trusted developer infrastructure can be weaponized, and security teams must treat developer platform downloads as untrusted raw input. Implementing a cross-functional response is essential, bringing together the efforts of security experts, developer platform teams, and communications.

“Cyberattacks are becoming more sophisticated every day, and it’s no longer realistic to believe we can prevent every breach,” says Louis Eichenbaum, Federal CTO at ColorTokens. “Our adversaries are innovating faster than we can respond, and despite all the end-user training we provide, it only takes one careless click for an attacker to gain a foothold inside a network.” This attack campaign highlights the growing need for security experts and software developers to invest time and resources into zero-trust architecture and principles.

Looking Forward

The future is likely to see a continuation of the current arms race between defenders and attackers. Small tweaks in user experience produce outsized risk, and the defender surface must move beyond signature detection to behavior and trust modeling in order to keep up with sophisticated attack tactics. The next wave of such attacks will combine even subtler UX tricks with legitimate services, and it is absolutely vital for organizations to prepare against these attacks now.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.