Stealthy FileFix Attack Seen in the Wild Uses Steganography to Infect Systems with StealC Malware
A new era in social engineering attacks has arrived with the emergence of a sophisticated cyberthreat campaign. Attributed to the North Korean hacker group Lazarus, it is the first real-world, global implementation of the FileFix attack methodology.
Acronis researchers describe the campaign as a significant evolution of the original proof of concept published by researcher mr.d0x in July 2025, taking FileFix beyond demonstration code into an active operation.
The attack abuses the HTML file-upload dialog to lure victims into pasting a malicious command into the Windows File Explorer address bar, from which it is executed as PowerShell. The PowerShell payload is heavily obfuscated: commands are fragmented across variables and Base64-encoded to evade detection.
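One defender-side way to catch the execution step described above, written as an added example (not code from Acronis or from the page): a small triage heuristic, run over constructed process-creation events, that scores PowerShell launches whose parent is File Explorer or a browser and whose command line shows Base64 decoding, variable fragmentation, hidden-window flags or Invoke-Expression. The sample events, the set of suspicious parents (the file-upload dialog is browser-hosted, so either parent is plausible) and the weights are assumptions.

```python
import re

# Constructed sample process-creation events (parent image, image, command line);
# illustrative only, not telemetry from the campaign described on the page.
SAMPLE_EVENTS = [
    ("chrome.exe", "powershell.exe",
     "powershell -w hidden -ep bypass -c \"$a='Invo';$b='ke-WebRequ';$c='est';"
     "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cA==')))\""),
    ("explorer.exe", "powershell.exe", "powershell.exe -EncodedCommand SQBFAFgA"),
    ("cmd.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("explorer.exe", "notepad.exe", "notepad.exe readme.txt"),
]

# Assumption: a command pasted into the browser-hosted file-upload dialog runs with the
# browser as parent, while a standalone File Explorer window yields explorer.exe.
SUSPICIOUS_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
VAR_ASSIGN_RE = re.compile(r"\$\w+\s*=")

# (pattern, weight, reason) checks applied to the command line
CMDLINE_CHECKS = [
    (re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\b|FromBase64String"), 2,
     "Base64-encoded command or FromBase64String decoding"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass"), 1,
     "hidden window or execution-policy bypass flags"),
    (re.compile(r"(?i)\biex\b|Invoke-Expression"), 1,
     "dynamic evaluation via Invoke-Expression"),
]


def score_event(parent, image, cmdline):
    """Score one process-creation event; returns (score, reasons)."""
    if image.lower() not in SHELLS:
        return 0, []
    score, reasons = 0, []
    if parent.lower() in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"PowerShell spawned by {parent} (Explorer/file-dialog address bar)")
    if len(VAR_ASSIGN_RE.findall(cmdline)) >= 3:  # fragmented one-liner
        score += 1
        reasons.append("command fragmented across multiple variables")
    for pattern, weight, reason in CMDLINE_CHECKS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(reason)
    return score, reasons


def triage(events, threshold=3):
    """Return [(index, score, reasons)] for events at or above the alert threshold."""
    scored = [(i, *score_event(*ev)) for i, ev in enumerate(events)]
    return [hit for hit in scored if hit[1] >= threshold]
```

Running `triage(SAMPLE_EVENTS)` flags the first two events and leaves the scripted backup task and the Notepad launch alone; in production the event source would be Sysmon event ID 1 or an EDR process-creation feed.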
The initial PowerShell payload downloads a steganographic image to the victim's temporary directory. These JPG files look innocuous at first glance: artificially generated landscape images with pastoral scenes that conceal the malicious code. The images are hosted on legitimate platforms such as Bitbucket.
The secondary script uses RC4 decryption and gzip decompression to extract the hidden payload from the image. The final stage delivers StealC, a comprehensive information stealer targeting a wide range of applications and services.
StealC harvests browser credentials, cryptocurrency wallets, messaging applications, gaming platforms, VPN configurations, and cloud service credentials from popular applications, and the attack establishes persistent access for ongoing data exfiltration.
The threat actors behind this campaign have built a multilingual phishing infrastructure mimicking Facebook security pages in 16 languages. One example is a phishing site that imitates a Meta Help Support page.
The attack shows considerable technical sophistication, with multiple layers of obfuscation and anti-analysis mechanisms; the Go-based loader includes virtual machine detection and string encryption.
The multistage delivery chain (the Go-based loader, the secondary script, and the steganographic images carrying the final StealC payload) sets a new standard for evasion in this category of threats.
This cyberthreat campaign underscores the need for vigilance and robust security measures in the digital age. Users are advised to be cautious when clicking on links, especially those from unknown sources, and to keep their systems updated with the latest security patches.