A new variant of the FileFix social engineering attack uses cache smuggling to place a malicious ZIP archive into a victim’s browser cache and execute it via a hidden PowerShell command, allowing it to bypass many security products, researchers said. The lure, which impersonates a Fortinet VPN “Compliance Checker,” was first posted on X by P4nd3m1cb0y and is described in a report by Expel.
According to the Expel report, FileFix builds on earlier ClickFix-style attacks by using the Windows File Explorer address bar to execute PowerShell commands with minimal visible prompts, which helps the activity remain stealthy and less likely to alert users.
The campaign’s webpage displays a dialog that directs users to paste what appears to be a legitimate network path to a Fortinet program; however, the clipboard contents include 139 spaces padding a hidden PowerShell command. When the user pastes the text into File Explorer, the path appears normal, but pressing Enter causes Windows to run the concealed PowerShell through conhost.exe in headless mode. The script creates a local compliance folder, copies Chrome cache files from the user’s profile, scans the cached files for specific markers (“bTgQcBpv” and “mX6o0lBw”), extracts the embedded ZIP from the cached data as ComplianceChecker.zip and launches an executable from the extracted archive, Expel’s Marcus Hutchins wrote.
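The padding trick described above is detectable on the defender's side: a genuine drive or UNC path never contains dozens of consecutive spaces, and it never contains the name of a script interpreter. The following Python is an added example, not code from the article or from Expel. It splits a clipboard string on long runs of spaces and flags any piece that names an interpreter. The article does not say which side of the padding holds the hidden command, so the check is written to be order-independent; the 20-space threshold, the interpreter list and both sample strings are assumptions constructed for the example (the "hidden" command in the sample is a harmless Get-Date).

```python
import re

# Assumed threshold: a real path has no reason to carry this many spaces in a row.
# The lure reported by Expel used 139.
MIN_PADDING = 20
PADDING_RE = re.compile(r" {%d,}" % MIN_PADDING)

# Interpreter names that should never appear inside a file path. Assumed list.
INTERPRETER_RE = re.compile(
    r"\b(powershell|pwsh|cmd|conhost|mshta|wscript|cscript)(\.exe)?\b", re.I
)


def inspect_paste(text: str) -> dict:
    """Split a pasted string on long space runs and report what each piece is.

    Returns a verdict dict; 'suspicious' is True only when the text is both
    padded (more than one non-empty segment) and names an interpreter.
    """
    segments = [s for s in PADDING_RE.split(text) if s.strip()]
    padded = len(segments) > 1
    interpreters = [m.group(0) for m in INTERPRETER_RE.finditer(text)]
    longest_run = max(
        (len(m.group(0)) for m in PADDING_RE.finditer(text)), default=0
    )
    return {
        "padded": padded,
        "longest_space_run": longest_run,
        "segments": segments,
        "interpreters": interpreters,
        "suspicious": padded and bool(interpreters),
    }


# Constructed samples (not the real campaign clipboard content): a benign UNC
# path on its own, and the same path joined by 139 spaces to a harmless command.
BENIGN = r"\\fileserver\software\FortiClient\ComplianceChecker.exe"
HIDDEN = r'powershell.exe -NoProfile -Command "Get-Date"'
CONSTRUCTED_LURE = BENIGN + " " * 139 + HIDDEN

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("lure", CONSTRUCTED_LURE)):
        print(label, inspect_paste(sample))
```

The same check can sit behind a "copy" button handler on an internal portal, in a clipboard-monitoring agent, or in a SOC playbook that triages what a user says they pasted; the segments it returns are what an analyst wants to see side by side.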
Expel and Hutchins said the attack relies on a browser-side trick known as cache smuggling: JavaScript on the phishing page requests a resource that the server labels as an “image/jpeg,” so the browser caches it as an image even though it contains a ZIP. Because the fake file is already stored in the browser cache before the PowerShell runs, the script can extract the payload without making any web requests and without triggering defenses that look for explicit downloads or outbound requests. Similar browser cache smuggling techniques have been documented previously by SensePost, the report noted.
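Because the smuggled archive never arrives through a download, the useful detection points are the cache entry itself and the response that produced it: a body labelled image/jpeg that does not begin with JPEG magic bytes, or that contains a ZIP local-file header, is a mismatch worth alerting on, and a marker-delimited ZIP inside it is the specific artefact the report describes. The Python below is an added example, not code from the article or from Expel. The marker strings are the two quoted in the report; the fixture built by build_constructed_sample is a constructed test file containing only a placeholder text entry, not the campaign's ComplianceChecker.zip, and the JPEG/ZIP magic values are standard format signatures.

```python
import io
import zipfile

# Standard format signatures: what the server claimed (JPEG) versus what it sent (ZIP).
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGIC = b"PK\x03\x04"

# The two markers quoted in the Expel report; the dropper scanned the cache for them.
START_MARKER = b"bTgQcBpv"
END_MARKER = b"mX6o0lBw"


def content_type_mismatch(declared_type: str, body: bytes) -> bool:
    """True when a response declared as image/jpeg either lacks JPEG magic bytes
    or carries a ZIP local-file header anywhere in its body (polyglot case)."""
    if not declared_type.lower().startswith("image/jpeg"):
        return False
    return (not body.startswith(JPEG_MAGIC)) or (ZIP_MAGIC in body)


def find_embedded_zip(body: bytes):
    """Locate the marker-delimited segment and report whether it is a ZIP.

    Returns (offset, length, member_names); member_names is empty when the
    segment exists but is not a ZIP. Returns None when no such segment exists.
    """
    start = body.find(START_MARKER)
    if start == -1:
        return None
    start += len(START_MARKER)
    end = body.find(END_MARKER, start)
    if end == -1:
        return None
    segment = body[start:end]
    if not segment.startswith(ZIP_MAGIC):
        return (start, len(segment), [])
    # Listing members is enough for triage; nothing is written to disk or run.
    with zipfile.ZipFile(io.BytesIO(segment)) as zf:
        names = zf.namelist()
    return (start, len(segment), names)


def scan(declared_type: str, body: bytes) -> dict:
    """Combine both checks into one verdict for a single cached response."""
    embedded = find_embedded_zip(body)
    return {
        "type_mismatch": content_type_mismatch(declared_type, body),
        "embedded_zip": embedded is not None and bool(embedded[2]),
        "members": embedded[2] if embedded else [],
    }


def build_constructed_sample() -> bytes:
    """Constructed fixture, not the real campaign file: a few bytes that pass as
    a JPEG header, then a marker-delimited ZIP holding one placeholder text entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("placeholder.txt", "harmless placeholder content\n")
    return JPEG_MAGIC + b"\x00" * 13 + START_MARKER + buf.getvalue() + END_MARKER


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(scan("image/jpeg", sample))
```

To apply this to a real investigation, feed scan the Content-Type recorded in the proxy or in the browser's cache index together with the cached body; the marker check is campaign-specific and will need new markers as lures change, whereas the content-type-versus-magic check catches the cache smuggling pattern in general.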
Researchers said threat actors have rapidly adopted FileFix techniques. Palo Alto Networks Unit 42 reported finding an “IUAM ClickFix Generator” kit that automates creation of ClickFix-style lures, lets operators customize page content and clipboard payloads, and tailors commands by operating system. Unit 42 observed the kit used in campaigns that delivered DeerStealer and Odyssey infostealers, the company said in its analysis.
The article advises organisations to train employees not to copy and paste commands from websites into operating system dialogs and notes that the report did not disclose the full scope of affected victims or the size of related campaigns.