
Ongoing FileFix Attack Installs StealC Infostealer Via Fake Facebook Pages


Cybersecurity researchers at Acronis have spotted a phishing campaign that takes a new approach to an already familiar attack technique. The method, called FileFix, is being used to install the StealC infostealer malware through convincing Facebook Security lookalike pages.

It all starts with victims receiving a warning that their Facebook account could be suspended for policy violations. To appeal, they are directed to a phishing site that imitates an official Meta support page. Instead of a form or CAPTCHA test, the site asks them to paste a path into the address bar of a file upload window. That single step executes code on their machine, starting the infection.

Once the command executes, the attack unfolds in stages, beginning with images hosted on Bitbucket that contain hidden scripts and executables embedded through steganography. The technique allows attackers to hide code in plain sight and makes the files appear harmless until they ...


Copyright of this story solely belongs to hackread.com.