FileFix Campaign Uses Facebook Suspension as Bait

  • A new FileFix social engineering campaign tricks users into loading malware by pretending to help them appeal a Facebook account suspension.
  • The campaign is more sophisticated than typical ClickFix attacks, with the attacker demonstrating significant investment in tradecraft.
  • Victims are lured through a phishing email that leads to a fake ‘Meta Help Support’ message warning of account suspension.
  • The phishing site prompts users to open File Explorer to view a supposed PDF, but it’s actually a file upload window with a malicious payload in the file path.
  • The attack executes a PowerShell script that downloads an image containing a steganographic payload, which is then parsed to extract and execute hidden code.
  • The campaign uses a loader written in Go that performs sandbox checks, encrypts its strings, and drops StealC, an infostealer capable of harvesting a wide range of sensitive data.
  • StealC is a top-advertised infostealer on darkweb forums, known for its rapid evolution and advanced features like multi-monitor screenshots and a unified file grabber.
  • The campaign employs phishing lures in multiple languages and uses varying obfuscation methods to evade detection.
  • Indicators of compromise point to victims in several countries, including the United States, Germany, China, and Bangladesh, which suggests opportunistic rather than targeted distribution.
  • The attack covers its tracks by running malicious executables through conhost.exe and deleting them afterward to avoid leaving traces.
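The two behaviours called out above (File Explorer launching a hidden PowerShell, and conhost.exe used as the parent of an executable that is then deleted) lend themselves to process-creation telemetry rules. The following is an added illustration, not code from the article or from any vendor: it runs two hypothetical detection rules over constructed Sysmon-style process-creation records. The event shape, file paths, and placeholder command lines are all assumptions made for the example.

```python
"""Hypothetical process-creation rules for the FileFix and conhost.exe patterns.

Added example, not from the article. Events are simplified Sysmon Event ID 1
records (parent image, child image, command line), constructed inline.
"""
import ntpath
import re
from typing import Dict, List

# Constructed sample events (not from the article); command lines are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # benign: a user opens Notepad from the desktop
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
    },
    {  # FileFix pattern: File Explorer starting PowerShell with a hidden window
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -w hidden -NoProfile -c <placeholder-command>",
    },
    {  # benign: an admin opens an interactive PowerShell from the Start menu
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoExit",
    },
    {  # conhost.exe as parent of an executable dropped in a temp directory
        "parent": r"C:\Windows\System32\conhost.exe",
        "image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
        "cmdline": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
    },
    {  # benign: service host started by the service control manager
        "parent": r"C:\Windows\System32\services.exe",
        "image": r"C:\Windows\System32\svchost.exe",
        "cmdline": "svchost.exe -k netsvcs",
    },
]

# Shells that Explorer would not normally start with a hidden window.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Matches "-w hidden" and "-windowstyle hidden" (case-insensitive).
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# User-writable temp directory; assumption for where a dropped loader would live.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire for one process-creation event."""
    hits: List[str] = []
    parent = basename(event["parent"])
    image = basename(event["image"])

    # Rule 1: explorer.exe -> shell with a hidden window. Explorer launching a
    # shell alone is common (Start menu), so the hidden-window flag is required.
    if parent == "explorer.exe" and image in SHELLS and HIDDEN_FLAG.search(event["cmdline"]):
        hits.append("explorer_spawns_hidden_shell")

    # Rule 2: conhost.exe as the parent of an executable in a temp directory.
    # conhost.exe normally hosts console windows rather than starting programs.
    if parent == "conhost.exe" and TEMP_DIR.search(event["image"]):
        hits.append("conhost_spawns_temp_executable")

    return hits


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event and collect (rule, image) findings."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        for rule in evaluate(ev):
            findings.append({"rule": rule, "image": ev["image"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['rule']}: {finding['image']}")
```

Because the payload is deleted after execution, the process-creation record (with its parent and command line) may be the only artifact left, which is why the rules key on the parent-child relationship rather than on the file on disk. Rule 1 deliberately requires the hidden-window flag so an interactive shell started from the Start menu does not fire.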
Edward Kiledjian @ekiledjian