Fake Meta “Account Suspension” Emails Deliver StealC Malware via FileFix Phishing Campaign

Sep 19, 2025

Quick Take

  • Threat Actor Tactic: FileFix (ClickFix variant) campaign distributing StealC info-stealer.

  • Impact: Theft of credentials, authentication cookies, VPN logins, crypto-wallet data, and desktop screenshots.

  • Delivery Vector: Phishing emails impersonating Meta (Facebook/Instagram), redirecting victims to fraudulent support pages that instruct them to paste malicious commands into the File Explorer address bar.

  • Significance: Represents an evolution in phishing — moving beyond link-clicks and attachments to command execution via social engineering, bypassing traditional awareness filters.

The Campaign

Security researchers have identified a coordinated phishing operation masquerading as Meta “suspension” alerts. The emails warn recipients that their Facebook or Instagram account will be deactivated unless they review an alleged violation report.

Clicking the link redirects victims to a counterfeit Meta support portal. Instead of delivering a malicious attachment or drive-by download, the portal instructs users to copy a file path/command into the Windows File Explorer address bar.

This novel abuse, dubbed FileFix, is a derivative of the ClickFix technique. The seemingly harmless file-path execution conceals a PowerShell command, which silently downloads and executes the StealC info-stealer.

Payload Analysis

StealC is a modular infostealer capable of harvesting:

  • Saved browser passwords and session cookies, enabling full account takeover.

  • VPN credentials, exposing organisations to secondary intrusions.

  • Cryptocurrency wallets and keys, allowing direct financial theft.

  • Desktop screenshots and other artifacts useful for fraud and lateral movement.

Unlike commodity malware, StealC is designed to quickly monetise stolen assets while providing attackers with persistence inside both personal and corporate ecosystems.

Why This Matters

This campaign highlights two critical shifts:

  1. User Interface Exploitation: By exploiting the File Explorer address bar, attackers bypass conventional user suspicion. Victims feel they are completing a routine support step rather than executing malicious code.

  2. Credential-Centric Attacks: Modern infostealers like StealC don’t just compromise one account — they compromise an entire digital identity, from social media to banking, enterprise logins, and crypto wallets.

For organisations, this means a single compromised endpoint can rapidly escalate into enterprise-wide breaches.

Defensive Guidance

For Enterprises

  • Phishing resilience: Flag, quarantine, and report Meta-themed “suspension” emails. Block identified domains and URLs.

  • Execution controls: Restrict PowerShell usage through AppLocker or Windows Defender Application Control. Monitor for unusual process chains triggered by explorer.exe.

  • Credential hygiene: Enforce hardware MFA, limit persistent sessions, and rotate shared credentials.

  • Detection & response: Ensure EDR coverage includes telemetry for File Explorer address-bar execution events.

  • Awareness training: Update phishing simulations to cover advanced lures (e.g., “paste this into File Explorer”), stressing that legitimate platforms never ask users to paste commands.
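One way to implement the explorer.exe process-chain monitoring recommended above, as an added example that is not the article's or any vendor's code: it assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine), runs over constructed sample events, and uses an assumed argument-count heuristic to separate Start-menu launches of PowerShell from address-bar pastes.

```python
# Added example, not from the article: flag explorer.exe -> PowerShell chains of the kind
# a FileFix address-bar paste produces. Fields follow Sysmon Event ID 1; events are constructed.
from dataclasses import dataclass
from typing import Iterable, List

SHELLS = {"powershell.exe", "pwsh.exe"}  # hosts an address-bar paste would run through


@dataclass
class ProcEvent:
    parent_image: str  # Sysmon ParentImage (full path)
    image: str         # Sysmon Image (full path)
    command_line: str  # Sysmon CommandLine


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(command_line: str) -> bool:
    """True if anything follows the executable token (quoted or bare)."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() != ""


def is_filefix_chain(ev: ProcEvent) -> bool:
    """explorer.exe launching PowerShell with arguments. Caveat: a Start-menu launch also
    has explorer.exe as parent but only the executable path as command line, while a
    pasted command carries arguments; the argument check is a heuristic, baseline locally."""
    return (basename(ev.parent_image) == "explorer.exe"
            and basename(ev.image) in SHELLS
            and has_arguments(ev.command_line))


def find_filefix_chains(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    return [ev for ev in events if is_filefix_chain(ev)]


# Constructed sample telemetry; the pasted command is a placeholder, not a real payload.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    ProcEvent(EXPLORER, PS, f'"{PS}"'),                                        # Start-menu launch
    ProcEvent(EXPLORER, PS, "powershell -Command <REDACTED_PASTED_COMMAND>"),  # address-bar paste
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS, "powershell -File build.ps1"),    # other parent
    ProcEvent(EXPLORER, r"C:\Windows\System32\notepad.exe", "notepad.exe a.txt"),  # not a shell
]
```

Against the constructed events only the address-bar paste is returned; in production, feed the same check from the EDR or Sysmon pipeline and expect to tune the argument heuristic against shortcuts that legitimately pass parameters.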

For Individuals

  • Do not trust unsolicited “suspension” or “security review” requests — especially those instructing command execution.

  • Enable two-factor authentication on all key accounts.

  • Use a password manager to avoid password reuse.

  • Keep OS, browsers, and security software updated.

Looking ahead

FileFix demonstrates how phishing is evolving into micro-interaction exploits, where attackers weaponise small, plausible instructions rather than obvious malware files.

Security teams should expect variants across languages and platforms, with the File Explorer trick likely being adapted into other user workflows. Future phishing campaigns may replicate this pattern at scale, targeting enterprise environments where session hijacking and VPN credential theft can yield maximum impact.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
