Unmasking FileFix: Steganography & Multistage Payloads Exposed

A sophisticated cyberattack campaign leveraging steganography and multistage payload delivery has been identified in active use, marking a significant evolution from earlier proof-of-concept models. This operation, known as FileFix, embeds malicious PowerShell scripts and encrypted executables within seemingly harmless JPG image files, demonstrating a dangerous shift toward more covert infection methods.

Security analysts have documented that the attack begins with a carefully crafted phishing site designed to imitate a Meta support portal. Visitors are guided through a fraudulent appeal process that instructs them to paste a specific command into their file upload dialog, a command that secretly triggers a heavily obscured PowerShell sequence. This script proceeds to download a manipulated image from a cloud hosting service and extracts a secondary payload from a predetermined section of the file.

What distinguishes this campaign is its deviation from the original FileFix proof of concept shared publicly in early July. Instead of replicating known methods, threat actors have incorporated multilingual phishing pages, aggressive JavaScript minification, and advanced steganographic techniques to hide malicious code. Recent data indicates a dramatic surge, over 500%, in ClickFix-style attacks, underscoring the rapid adoption and adaptation of these strategies by cybercriminals.

The social engineering aspect is particularly effective because it exploits familiar user behaviors. Many people regularly interact with file upload windows but are less accustomed to command-line interfaces, making this approach both convincing and difficult to suspect. Phishing sites supporting 16 different languages further reveal the attackers’ broad targeting and iterative development process.

Once initiated, the infection chain employs multiple layers of obfuscation and decryption. An initial PowerShell command reassembles variables, retrieves a steganographic image, and pulls a plaintext script from a specific byte range. This second-stage script uses RC4 decryption and gzip decompression to reconstruct executable files hidden within the image. These files are then executed using conhost.exe and promptly deleted to reduce forensic evidence.

The final payload is a loader written in Go, which performs anti-analysis checks by verifying hardware details before decrypting shellcode that ultimately deploys the StealC infostealer. This malware specializes in harvesting sensitive information from web browsers, cryptocurrency applications, messaging platforms, and cloud storage services. Notably, StealC can also function as a downloader, providing attackers with the flexibility to introduce additional malicious tools onto compromised systems.

To defend against such threats, experts recommend a layered security approach that includes both technical controls and user education. Key mitigation steps include instructing users never to paste unfamiliar commands into system dialogues, blocking scripting engines like PowerShell or CMD when launched from browsers, and monitoring for unusual process activity originating from web applications.

This campaign illustrates how rapidly emerging attack techniques can evolve from theoretical concepts into real-world dangers. By combining social manipulation, code obfuscation, and steganography, attackers continue to refine their methods, making detection increasingly challenging. Maintaining vigilance and ensuring ongoing user awareness remain critical in countering these sophisticated threats.

(Source: InfoSecurity)