Ongoing FileFix Attack Installs StealC Infostealer Via Fake Facebook Pages

Cybersecurity researchers at Acronis have spotted a phishing campaign that takes a new approach to an already familiar attack technique. The method, called FileFix, is being used to install the StealC infostealer malware through convincing Facebook Security lookalike pages.
It all starts with victims receiving a warning that their Facebook account could be suspended for policy violations. To appeal, they are directed to a phishing site that imitates an official Meta support page. Instead of a form or CAPTCHA test, the site asks them to paste a path into the address bar of a file upload window. That single step executes code on their machine, starting the infection.
Once the command executes, the attack unfolds in stages, beginning with images hosted on Bitbucket that contain hidden scripts and executables embedded through steganography. The technique allows attackers to hide code in plain sight and makes the files appear harmless until they are executed on the victim’s computer.
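The hallmark of the FileFix step described above is that the pasted "path" is launched by the browser hosting the file-upload dialog, so a browser process ends up as the parent of a command interpreter. The following detection logic is an added example, not part of the Acronis report or this article; it assumes Sysmon-style process-creation events (ParentImage, Image, CommandLine) and the constructed log lines embedded below.

```python
import json
from typing import Dict, List

# Assumption: common Windows browser image names that host the file-upload dialog.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Interpreters a pasted "path" would end up launching; a browser spawning one is abnormal.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments that raise the severity of a hit (attempts to hide the window or encode input).
SUSPICIOUS_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand", "bypass")


def image_name(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_filefix_spawn(event: Dict[str, str]) -> bool:
    """True when a browser process launched a shell or script interpreter."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in BROWSERS and child in SHELLS


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Parse JSON process-creation events and return the ones matching the FileFix pattern."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash the pipeline
        if is_filefix_spawn(ev):
            cmd = ev.get("CommandLine", "")
            severity = "high" if any(f in cmd.lower() for f in SUSPICIOUS_FLAGS) else "medium"
            hits.append({"parent": image_name(ev["ParentImage"]), "image": image_name(ev["Image"]),
                         "cmdline": cmd, "severity": severity})
    return hits


# Constructed sample events (not real telemetry); the payload text is a placeholder.
SAMPLE_EVENTS = [
    '{"ParentImage": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe", '
    '"Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", '
    '"CommandLine": "powershell.exe -w hidden -c <placeholder-payload>"}',
    '{"ParentImage": "C:\\\\Windows\\\\explorer.exe", "Image": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe", "CommandLine": "chrome.exe"}',
    '{"ParentImage": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe", "Image": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe", "CommandLine": "chrome.exe --type=renderer"}',
    '{"ParentImage": "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe", "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe /c <placeholder-payload>"}',
    'not json at all',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Browser-spawns-shell is a low-volume event on most endpoints, so this rule is usually safe to alert on directly; tune the BROWSERS and SHELLS sets to the software actually deployed.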
The final payload, as per Acronis’ blog post, is StealC, a malware strain designed to take credentials, browser data, cryptocurrency wallets, and account tokens from chat or cloud applications. Researchers say it can also bring in additional malware, giving attackers flexibility once they have access.
Compared to earlier examples of FileFix or its relative ClickFix, this campaign shows a higher level of effort. The phishing pages include multilingual support, obfuscation, and junk code to thwart analysis.
Analysis of phishing sites linked to the campaign suggests the targeting is not limited to one region. Submissions connected to these attacks have been found in the US, Germany, Bangladesh, the Philippines, and several other countries. The use of multiple languages in the phishing pages supports the idea that the campaign is designed for a broad set of victims.
Security experts emphasise that incidents like this highlight the importance of planning for breaches rather than assuming they can all be stopped. Louis Eichenbaum, Federal CTO at ColorTokens, notes that Zero Trust approaches help limit what an attacker can do if they get inside a network. “Assume the adversary will breach your network,” he said. “From there, the question becomes what happens next.”
FileFix may still be a newer technique, but it is already being used to spread the StealC infostealer, and researchers believe the campaign is active and evolving. Therefore, businesses and everyday users should be cautious with emails from unknown senders and avoid clicking links or following instructions to run scripts on their devices.
HackRead