{
  "name": "FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography",
  "slug": "filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography",
  "description": "A sophisticated FileFix attack campaign has been discovered, marking the first use of this technique beyond proof-of-concept. The attack employs a complex phishing infrastructure, including a multilingual site mimicking Facebook security. It uses steganography to conceal malicious code inside images, delivered through a multistage payload chain with layered obfuscation and evasion techniques. The final payload deploys the StealC infostealer, which targets a range of applications and stored credentials. The campaign has evolved rapidly over two weeks, indicating a global targeting strategy with potential victims in multiple countries. This attack represents a significant advancement in *Fix attack sophistication, combining FileFix with advanced tradecraft to maximize both evasion and impact.",
  "published": "2025-09-16T12:29:35+00:00",
  "created_at": "2025-09-16T12:29:35+00:00",
  "modified_at": "2025-09-16T12:42:05+00:00",
  "created_at_opencti": "2025-09-16T12:29:35+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-16",
    "filefix",
    "infostealer",
    "multistage payload",
    "obfuscation",
    "phishing",
    "social engineering",
    "stealc",
    "steganography"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "77.90.153.225"
      },
      {
        "id": "",
        "name": "facebook.windows-software-updates.com"
      },
      {
        "id": "",
        "name": "facebook.windows-software-updates.cc"
      },
      {
        "id": "",
        "name": "facebook.windows-software-downloads.com"
      },
      {
        "id": "",
        "name": "facebook.meta-software-worldwide.com"
      },
      {
        "id": "",
        "name": "thanjainatural.com"
      },
      {
        "id": "",
        "name": "mastercompu.com"
      },
      {
        "id": "",
        "name": "elprogresofood.com"
      },
      {
        "id": "",
        "name": "fd30a2c90384bdb266971a81f97d80a2c42b4cec5762854224e1bc5c006d007a"
      },
      {
        "id": "",
        "name": "b3ce10cc997cd60a48a01677a152e21d4aa36ab5b2fd3718c04edef62662cea1"
      },
      {
        "id": "",
        "name": "70ae293eb1c023d40a8a48d6109a1bf792e1877a72433bcc89613461cffc7b61"
      },
      {
        "id": "",
        "name": "7022f91f0534d980a4d77df20bea1ae53ee02f7c490efbfae605961f5170a580"
      },
      {
        "id": "",
        "name": "2654d6f8d6c93c7af7b7b31a89ebf58348a349aa943332ebb39ce552dde81fc8"
      },
      {
        "id": "",
        "name": "1d9543f7c0039f6f44c714fe8d8fd0a3f6d52fcae2a70b4bc442f38e01e14072"
      },
      {
        "id": "",
        "name": "1801da172fae83cee2cc7c02f63e52d71f892d78e547a13718f146d5365f047c"
      },
      {
        "id": "",
        "name": "08fd6813f58da707282915139db973b2dbe79c11df22ad25c99ec5c8406b234a"
      },
      {
        "id": "",
        "name": "06471e1f500612f44c828e5d3453e7846f70c2d83b24c08ac9193e791f1a8130"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:bd5e900cb57b2f39",
        "name": "StealC",
        "slug": "stealc"
      }
    ],
    "attack_patterns": [
      {
        "id": "2ccc4626-0e86-4148-a5a8-2aa270e22dbd",
        "name": "T1588.001"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Tunisia"
      },
      {
        "id": "",
        "name": "Dominican Republic"
      },
      {
        "id": "",
        "name": "Serbia"
      },
      {
        "id": "",
        "name": "Nepal"
      },
      {
        "id": "",
        "name": "Bangladesh"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Peru"
      },
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "Philippines"
      },
      {
        "id": "",
        "name": "United States of America"
      }
    ]
  },
  "external_refs": [
    "https://www.acronis.com/en/tru/posts/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography/",
    "https://otx.alienvault.com/pulse/68c9744f0aaab46e25efb97d"
  ]
}