
FileFix

FileFix is a social-engineering malware delivery technique and a named variant of ClickFix that abuses trusted Windows interfaces to get the victim to execute an attacker-supplied command by hand. First described by security researcher mr.d0x in June 2025, it moves the execution surface from the Windows Run dialog (Win+R), which ClickFix uses, to the address bar of a File Explorer window: the lure page tells the victim to open a file and offers an "Open File Explorer" button that in fact triggers a browser file-upload dialog, while the page's JavaScript has already written the command to the clipboard with the Clipboard API. The pasted text is typically the command, then a long run of spaces, then a comment containing a decoy file path, so that only the decoy path is visible at the end of the address bar when the victim pastes. Because the file dialog is hosted by the browser process, the PowerShell or other process it launches is a child of the browser rather than of explorer.exe, which sidesteps detections keyed on the Run dialog and makes the activity less conspicuous. Like ClickFix, FileFix usually relies on fake verification, error, or CAPTCHA-style prompts to justify the paste.

The technique has been used to deliver multiple malware families, including the Interlock RAT and the StealC v2 infostealer; broader ClickFix/FileFix activity has also been associated with delivery of infostealers, loaders, RATs, and rootkits. Reported delivery vectors for the broader technique include spearphishing, malvertising, SEO poisoning, compromised websites, and social media content. One FileFix campaign attributed to the KongTuke threat cluster distributed the Interlock RAT through compromised websites and fake CAPTCHA prompts. Another impersonated Facebook security alerts and delivered StealC v2 using AI-generated images with embedded PowerShell scripts. A later in-the-wild FileFix campaign was reported to use steganography to hide its payload.

FileFix is associated with the broader commercialization and operational adoption of ClickFix-style tradecraft by both cybercriminal and state-aligned actors. The surrounding reporting states that ClickFix/FileFix activity has targeted the technology, financial services, manufacturing, retail, government, and energy sectors, and that related ClickFix operations have been linked to groups such as APT28 and MuddyWater. High-confidence behavioral characteristics shared with ClickFix are user-initiated execution of obfuscated commands through trusted Windows tools (MITRE ATT&CK T1204.004, User Execution: Malicious Copy and Paste), frequent use of PowerShell and other LOLBins, and follow-on malware execution once the pasted command runs. For detection, the useful signal is therefore a LOLBin process-creation event whose parent and command line match this pattern, not the lure page itself.
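The following is an added example, not code from this page, from mr.d0x, or from any vendor report. It turns the mechanism described above (command, whitespace padding, decoy path pasted into a dialog hosted by the browser) and the behavioral characteristics just listed (LOLBin launched by a trusted Windows tool, obfuscated or encoded command, follow-on fetch) into a scoring heuristic and runs it over constructed Sysmon Event ID 1-style process-creation records. The field names (Image, ParentImage, CommandLine), the weights, the threshold, and the sample events are all assumptions made for the example; the command lines contain only harmless commands (ping, an encoded whoami).

```python
"""Heuristic scoring for ClickFix/FileFix-style command execution.

Added example for this page; not the page's own code. Field names follow
Sysmon's Image/ParentImage/CommandLine. All sample events are constructed and
the weights/threshold are illustrative assumptions, not vendor rules.
"""
import re
from dataclasses import dataclass, field

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "certutil.exe", "curl.exe", "rundll32.exe",
           "msiexec.exe", "bitsadmin.exe"}

# Many spaces/tabs between tokens: pushes the real command out of view so only
# the trailing text is visible in the address bar after the paste.
PADDING_RE = re.compile(r"\S[ \t]{20,}\S")
# A PowerShell '#' comment (or cmd 'rem') followed by a Windows path: the decoy
# the victim sees at the end of the pasted text.
DECOY_PATH_RE = re.compile(r"(?:#|rem\s)[ \t]*[A-Za-z]:\\", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s", re.I)
HIDDEN_RE = re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I)
FETCH_RE = re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                      r"downloadstring|downloadfile|curl|wget|bitsadmin|"
                      r"mshta\s+https?:)", re.I)


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(ev: ProcEvent) -> Verdict:
    """Score one process-creation event for ClickFix/FileFix indicators."""
    v = Verdict()
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if image not in LOLBINS:
        return v
    if parent in BROWSERS:
        # FileFix: the file-upload dialog is hosted by the browser process, so an
        # address-bar launch makes the browser the parent of the LOLBin.
        v.score += 3
        v.reasons.append(f"{image} spawned by browser {parent}")
    elif parent == "explorer.exe":
        # ClickFix via Win+R or an Explorer window; weak on its own, since desktop
        # shortcuts and context-menu actions also launch from explorer.exe.
        v.score += 1
        v.reasons.append(f"{image} spawned by explorer.exe")
    checks = [
        (PADDING_RE, 3, "whitespace padding to hide the command"),
        (DECOY_PATH_RE, 3, "decoy file path in a trailing comment"),
        (ENCODED_RE, 3, "encoded command"),
        (HIDDEN_RE, 1, "hidden window"),
        (FETCH_RE, 2, "remote fetch in command line"),
    ]
    for rx, weight, why in checks:
        if rx.search(ev.command_line):
            v.score += weight
            v.reasons.append(why)
    return v


def is_suspicious(ev: ProcEvent, threshold: int = 5) -> bool:
    return assess(ev).score >= threshold


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(  # FileFix-style: pasted into the browser-hosted file dialog
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        command_line=r"powershell.exe -c ping example.com" + " " * 60
        + r"# C:\company\internal-secure\filedrive\HRPolicy.docx",
    ),
    ProcEvent(  # ClickFix-style: pasted into the Run dialog, encoded 'whoami'
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r"powershell -w hidden -enc dwBoAG8AYQBtAGkA",
    ),
    ProcEvent(  # benign: a script run from a desktop shortcut
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r"powershell.exe -File C:\Tools\inventory.ps1",
    ),
    ProcEvent(  # benign: browser renderer child, not a LOLBin
        image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        parent_image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        command_line="chrome.exe --type=renderer",
    ),
]


def flagged_indices(events=SAMPLE_EVENTS) -> list:
    """Indices of events that meet the threshold."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        v = assess(ev)
        print(i, v.score, "; ".join(v.reasons) or "no indicators")
```

Run as a script it prints a score and the matched reasons for each event; the first two events clear the threshold, the benign shortcut launch scores only for its explorer.exe parent, and the renderer child is ignored outright. The browser-parent check is the one that distinguishes FileFix from ClickFix in telemetry; the padding and decoy-path patterns are specific to the pasted-text trick and would need adjusting if an operator drops the comment in favor of some other way of hiding the command.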
