A rare in-the-wild example of an active FileFix campaign has been discovered that delivers a loader that executes the StealC infostealer, targeting browsers, cryptocurrency wallets, messaging apps, and cloud credentials.In a Sept. 16 blog post by the Acronis Threat Research Unit, the researchers said it was the first example of a FileFix attack that does not strictly adhere to the design of the original proof-of-concept (POC).The Acronis researchers said FileFix was first theorized and developed into a POC in the early summer by researcher Mr. d0x.These so-called “fix” attacks are the collective name given to a group of attack techniques popping up over the past few months, which includes ClickFix, FileFix, and PromptFix.In a “fix” attack, the attacker aims to trick the victim into doing the attacker’s dirty work: the victim gets asked to copy and paste the attacker’s payload into their own terminal and then run it of their own volition.“It’s the cybersecurity equivalent of a pickpocket politely asking their target if they could simply hand over their wallet, house, and car keys, instead of going to all the effort to try to pick their pocket,” wrote the Acronis researchers.Damon Small, a board member at Xcape Inc., explained that FileFix builds on the ClickFix attack, which leverages the ChatGPT Agent to execute malicious code hidden behind a well-crafted prompt. The malicious command gets executed through the phishing email itself when the victim clicks on the “copy” button. “While the information being copied appears to be harmless, further commands exist, but they are hidden from view,” said Small. “Once executed, the malware will launch PowerShell scripts that harvest credentials and other information from the affected user.”Small pointed out that StealC has been used in the development of several variants of malware in 2025. Primarily via phishing emails, StealC malware uses fake CAPTCHA verification prompts and PowerShell scripts to bypass legitimate checks and steal information from the user. Jason Soroko, senior fellow at Sectigo, said this campaign matters because it modernizes human-in-the-loop tradecraft and takes advantage of user trust in familiar workflows and brands. Soroko said this includes real-looking Facebook Security pages and reputable code hosting. By hiding payloads inside images fetched from Bitbucket and triggering local execution through File Explorer, it slips past filters that expect obvious downloads or Run dialog abuse and it causes a condition for session cookie theft that can bypass MFA. “Organizations should update awareness content to flag any site that instructs users to paste strings into the File Explorer address bar and any upload flow that deviates from normal choose file behavior,” said Soroko.Here’s what Soroko said security teams should focus on:
- Harden endpoints with application control for script interpreters and common living-off-the-land tools.
- Block or alert when browsers or explorer spawns cmd or PowerShell.
- Restrict outbound access to developer platforms on non-developer machines.
- Watch for image downloads followed by process creation or archive writes.





