Cybercriminals have been increasingly targeting users of major social media platforms, with Meta accounts being a particularly common target for phishing scams. The new FileFix campaign is especially dangerous because it exploits the urgency of an account-suspension notice to trick users into running a harmful PowerShell command that is presented as nothing more than a file path.
The attack begins with a phishing page that mimics a message from Meta’s support team, warning that the user’s account will be disabled within seven days unless an ‘incident report’ is viewed. Instead of providing a legitimate document, the page hides a malicious PowerShell command inside the text of the message, disguised as a file path. The victim is told to copy this text and paste it into the File Explorer address bar; doing so executes the hidden command and starts the malware infection.
This method is part of a broader family of attacks known as ClickFix, in which users are tricked into running commands in system dialogs. The FileFix technique, developed by red team researcher mr.d0x, builds on these by using the File Explorer address bar to execute the malicious command. Attackers have further refined the trick by padding the command with long runs of spaces, so that the fake file path is the only part the victim sees.
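As an added illustration, not code from the article or from Acronis, the routine below checks constructed Sysmon-style process-creation records for the two traits described above: PowerShell spawned by explorer.exe, which is what a launch from the File Explorer address bar looks like in process telemetry, and a command line padded with a long run of spaces that ends in a decoy file path. The field names mirror Sysmon Event ID 1; the sample records, the 20-character padding threshold and the scoring are assumptions of this example.

```python
import re

# Detection heuristics for FileFix-style execution, written from the defender's side.
# Traits taken from the article:
#   1. the command is run from the File Explorer address bar, so explorer.exe is the
#      parent of the PowerShell process;
#   2. the real command is hidden behind a long run of spaces so that only a fake
#      file path is visible to the victim.

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# 20+ consecutive whitespace characters (threshold is an assumption of this example).
PADDING_RE = re.compile(r"\s{20,}")
# A long whitespace run immediately followed by a drive-letter path: the decoy.
DECOY_PATH_RE = re.compile(r"\s{20,}[A-Za-z]:\\\S*\s*$")


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def analyze_process_event(event: dict) -> dict:
    """Score one process-creation record; 'suspicious' is set when score >= 2."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []

    if image in POWERSHELL_IMAGES and parent == "explorer.exe":
        reasons.append("PowerShell spawned by explorer.exe (address-bar launch)")
    if PADDING_RE.search(cmdline):
        reasons.append("long whitespace run in command line (hidden-command padding)")
    if DECOY_PATH_RE.search(cmdline):
        reasons.append("command line ends in a decoy file path after the padding")

    score = len(reasons)
    return {"score": score, "suspicious": score >= 2, "reasons": reasons}


def flag_suspicious(events: list) -> list:
    """Return the indices of records that the heuristics mark as suspicious."""
    return [i for i, ev in enumerate(events) if analyze_process_event(ev)["suspicious"]]


# Constructed sample records (not real telemetry). The command body is a placeholder;
# only its shape matters for the heuristics.
SAMPLE_EVENTS = [
    {   # FileFix-style: launched from the address bar, padded, decoy path at the end
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -w hidden -c "STAGE_ONE_PLACEHOLDER"'
                       + " " * 150
                       + r"C:\Users\alice\Downloads\Incident_Report.pdf",
    },
    {   # Benign scheduled script run from cmd.exe
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {   # Administrator typing 'powershell' into the address bar: one trait only
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        result = analyze_process_event(ev)
        print(f"event {i}: suspicious={result['suspicious']} reasons={result['reasons']}")
```

Requiring two traits keeps an administrator who simply types `powershell` into the address bar from being flagged, while the padded decoy path on its own is enough, since the combination of a long whitespace run and a trailing path has no ordinary reason to appear in a command line.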
The malware deployed by this campaign, known as StealC, is a sophisticated infostealer that can collect an extensive range of personal and organizational data. It targets browsers such as Chrome, Firefox, and Opera, as well as messaging apps like Discord, Telegram, and Pidgin. Additionally, it can access cryptocurrency wallets such as Bitcoin, Ethereum, and Exodus, and it aims to compromise cloud accounts from Amazon Web Services (AWS) and Microsoft Azure. The malware can also take screenshots of the victim’s desktop, providing attackers with real-time access to sensitive activities.
Acronis has reported that the FileFix campaign has already gone through several versions over a short period, with changes to both payloads and infrastructure. This indicates that the attackers are actively testing and refining their methods to evade detection and increase their success rate. To guard against such threats, users are advised to treat any notice claiming that their Meta account or another service will be disabled within days with caution, and to verify it through the official platform rather than by following links or instructions from suspicious sources.
It is also recommended not to paste any command into a system dialog box, File Explorer, or a terminal unless its origin is known and trusted. Strong antivirus software can help detect and block malware like StealC, and a reputable password manager reduces the impact of credential theft by ensuring a unique, complex password for each site. Data removal services are also suggested as a proactive measure to minimize the amount of personal information available online, which attackers could exploit if a victim’s system is compromised.
With the increasing sophistication of cyber threats, it is crucial for users to stay informed and adopt robust security practices to protect their digital assets and personal information from these evolving phishing tactics. The combination of vigilance, advanced security tools, and proactive data management can significantly reduce the risk of falling victim to such scams, ensuring that users can navigate the digital world with greater confidence and safety.