FileFix phishing embeds PowerShell in clipboard, uses steganographic JPGs to deliver StealC infostealer — multi-stage, stealthy credential theft. now!

Continue reading
The latest iteration of the FileFix attack technique has emerged as a fully weaponized campaign, blending social engineering with steganography to deliver the StealC infostealer.
This development represents a decisive step in the operationalization of File Explorer address bar exploitation, advancing from proof-of-concept to global deployment.
FileFix traces its roots to mid-2025, when researchers demonstrated that text pasted into the Windows File Explorer address bar could be interpreted as an executable command. This trivial behavior was quickly seized upon by criminal operators, who recognized that they could craft lures convincing enough for victims to execute malicious payloads under the guise of opening a document.
Early campaigns, grouped under terms such as ClickFix and PromptFix, were limited in sophistication, typically delivering basic droppers or commodity malware. The current wave, however, marks a dramatic escalation. It combines a mature phishing infrastructure, multiple layers of payload concealment, and the integration of steganography, allowing adversaries to bypass common detection measures.
Victims are targeted through phishing pages masquerading as Meta (Facebook) incident reports, designed to pressure users with account suspension warnings. The lure page presents a “Copy” button which silently places an obfuscated PowerShell command into the system clipboard.
At face value, the string resembles a legitimate file path. In reality, it exploits human trust: when pasted into File Explorer, the path is resolved as a PowerShell invocation. Spaces and variable padding conceal its malicious components, ensuring casual inspection reveals nothing suspicious.
Once executed, the PowerShell command initiates a download from a Bitbucket repository. Instead of a script or executable, the resource is a JPEG image. Hidden within this image is the true second stage, embedded using steganographic encoding.
The script extracts hidden data streams from the image, decrypts them with RC4, and decompresses them using gzip. By embedding the loader in an image, attackers evade both perimeter network monitoring and static malware scanning. To most defensive systems, the transaction appears to be nothing more than a benign image retrieval.
The final payload, StealC, is a modular information stealer with broad data-harvesting capabilities. It extracts browser credentials and cookies from Chrome, Firefox, Opera, and Tencent browsers; messaging data from Discord, Telegram, and Tox; cryptocurrency wallet keys; and credentials from cloud services including AWS and Azure.
Beyond credential theft, StealC performs reconnaissance, gathers system metadata, and takes on-demand screenshots.
Exfiltrated data is packaged into encrypted blobs and transmitted to attacker-controlled command-and-control (C2) servers, enabling operators to monetize stolen assets through credential marketplaces, direct account hijacking, or cryptocurrency theft.
This campaign underscores three developments in attacker tradecraft:
Defenders should focus on monitoring and detection at multiple levels:
The evolution of FileFix demonstrates how attackers rapidly industrialize novel techniques. This campaign illustrates not only the creativity of threat actors but also the necessity of expanding defensive paradigms to anticipate the weaponization of overlooked system behaviors.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.