FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography www.acronis.com/en/tru/po…
Early last week, researchers from Acronis' Threat Research Unit discovered a rare in-the-wild example of a FileFix attack — a new variant of the now infamous ClickFix attack vector. The discovered attack not only leverages FileFix but, to our knowledge, is also the first example of such an attack that does not strictly adhere to the design of the original proof of concept (POC) demonstrated by Mr. d0x in July 2025. Furthermore, the attack features a sophisticated phishing site and payload, in many ways ahead of what we’ve come to expect from ClickFix or FileFix attacks seen in the past (with some notable exceptions).
This research is not only a fascinating example of how quickly a POC can be turned into an attack vector (and how important it is to stay current on this type of research), but it is also in itself a formidable example of a *Fix attack, be it ClickFix or FileFix. The adversary behind this attack demonstrated significant investment in tradecraft, carefully engineering the phishing infrastructure, payload delivery and supporting elements to maximize both evasion and impact. This represents one of the most sophisticated *Fix attack instances our team has observed to date.