NEWS Copy-Paste = Hacked. An Automatic Phishing Generator is Now in Your Browser

ExcalibuR

Your cache files have become a malware delivery channel.

A new wave of phishing attacks has demonstrated how sophisticated social engineering methods can be. Researchers have identified an advanced variant of a FileFix attack that uses a cache smuggling technique to stealthily download a malicious ZIP archive onto a victim's device, bypassing protection mechanisms. The attack masquerades as a supposedly official compliance check tool for Fortinet VPN and was first spotted by a security researcher under the alias P4nd3m1cb0y. A more detailed technical analysis was published by the company Expel.

FileFix is an evolution of the ClickFix method developed by Mr.d0x. While ClickFix convinces a user to paste a malicious command into a system interface (e.g., the Run dialog), FileFix targets the address bar in Windows File Explorer, which allows it to run PowerShell scripts without the user noticing. In this new FileFix variant, the malicious code is activated using a specially crafted path to an "executable file," ForticlientCompliance.exe, which the user is supposedly meant to copy from a website and paste into the File Explorer address bar.

At first glance, the copied path looks harmless and points to a network resource like \\Public\Support\VPN\ForticlientCompliance.exe. However, the string is actually padded with 139 spaces, which hide a malicious PowerShell command. When pasted into File Explorer, only the first part of the path is displayed, but after pressing Enter, Windows executes the hidden command via conhost.exe in the background, with no visual signs of activity.

This script first creates a directory %LOCALAPPDATA%\FortiClient\compliance, and then copies cached files from Chrome located at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\Cache_Data\. Then, using regular expressions, the script searches for content between the markers "bTgQcBpv" and "mX6o0lBw," extracting an embedded ZIP archive from a fake image file. This archive is saved as ComplianceChecker.zip and unpacked. Subsequently, the malicious executable FortiClientComplianceChecker.exe is launched.

The key element of this scheme is the use of cache smuggling. When the phishing page is visited, the malicious website uses JavaScript to force the browser to download a file disguised as a JPEG image. The browser, detecting no anomalies, caches this file, believing it to be safe. Since this stage occurs before the PowerShell script is executed, the required file is already in the system, and the script simply extracts the ZIP archive from it without making any network requests.
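The two stages above (a ZIP hidden inside a cached "image", then carved out locally with no network request) suggest a simple hunt for defenders: an entry in the browser cache that starts like a JPEG but contains a working ZIP archive has no legitimate reason to exist. The following is an added example, not code from the article, Expel or Unit 42; it generalizes beyond the article's fixed text markers by validating every ZIP local-file-header signature found in an image-typed blob, and `scan_cache_dir` is a hypothetical helper that applies the check to a directory such as Chrome's `Cache_Data`.

```python
# Added example: detect a ZIP archive smuggled inside a cached file stored as a JPEG.
import io
import os
import re
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"      # SOI marker plus the first byte of the next marker
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # ZIP local-file header signature


def carve_zip_from_image(blob: bytes):
    """Return (offset, member_names) if a readable ZIP is embedded in a JPEG-looking blob,
    else None. Every signature match is tried because the four bytes can occur by chance;
    a match only counts if zipfile can parse it and every member's CRC verifies."""
    if not blob.startswith(JPEG_MAGIC):
        return None
    for m in re.finditer(re.escape(ZIP_LOCAL_HEADER), blob):
        try:
            with zipfile.ZipFile(io.BytesIO(blob[m.start():])) as zf:
                if zf.testzip() is None:  # None means all CRCs are good
                    return m.start(), zf.namelist()
        except zipfile.BadZipFile:
            continue
    return None


def scan_cache_dir(cache_dir: str):
    """Hypothetical helper: apply carve_zip_from_image to every file under a cache dir."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                result = carve_zip_from_image(fh.read())
            if result:
                hits.append((path, *result))
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a smuggled cache entry: JPEG header bytes, filler, then a
    ZIP wrapped in the text markers the article says the script searches between."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ComplianceChecker/readme.txt", "constructed sample payload")
    return JPEG_MAGIC + b"\xe0" + b"\x00" * 64 + b"bTgQcBpv" + buf.getvalue() + b"mX6o0lBw"
```

Pointing `scan_cache_dir` at a copy of the cache taken during triage avoids altering timestamps on the live profile.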

This approach lets the attack bypass most antivirus programs and monitoring systems: neither the script nor the page directly downloads anything, so the behavior does not trigger defense mechanisms. According to Hutchins, this is what makes the attack particularly dangerous.

After details of the technique were published, FileFix was quickly adopted by various groups, including ransomware operators. In parallel, specialists from Palo Alto Networks Unit 42 discovered a toolset called "IUAM ClickFix Generator," which automates the creation of such phishing lures.

This generator provides attackers with an interface to construct fake verification pages, allowing them to change titles, text, color schemes, and clipboard content. The tool supports operating system detection and, depending on the OS, generates PowerShell commands for Windows or base64-encoded shell commands for macOS. If an attempt is made to run it on other systems, a harmless placeholder may be displayed.

In all examples, a fake Cloudflare CAPTCHA is used, after which the user is prompted to paste the hidden command into a system interface—be it the command line, terminal, or Run dialog. According to Unit 42, such campaigns have distributed the DeerStealer malware for Windows, Odyssey for macOS, as well as an unidentified malicious file for Windows.

A lure page with CAPTCHA (BleepingComputer)

The proliferation of such tools and the high activity of cybercriminals underscore the need to increase employee awareness of the risks associated with copying text from web pages into system interfaces. Even seemingly harmless actions can lead to a complete compromise of the device.