FileFix Attack Abuses Windows File Explorer to Execute Hidden PowerShell Commands | Black Hat Ethical Hacking



A cybersecurity researcher has uncovered a new variant of the ClickFix attack, dubbed FileFix, that leverages Windows File Explorer’s address bar to trick users into executing malicious commands on their systems.

Discovered by the well-known researcher mr.d0x, FileFix builds on the principles of ClickFix — a social engineering technique where users are manipulated into copying and pasting malicious commands to “resolve” fake system issues. But FileFix takes this further by exploiting users’ trust in the familiar File Explorer interface.

[Image: Example of a fake CAPTCHA in a ClickFix attack. Source: SilentPush]

From ClickFix to FileFix

Traditional ClickFix attacks rely on:

  • Phishing web pages that display fake errors (e.g., broken captchas)
  • Buttons that copy PowerShell commands to the clipboard
  • Instructions for users to paste the command into PowerShell or the Run dialog (Win+R)

These attacks have already been used by ransomware groups and state-sponsored actors like North Korea’s Kimsuky, who combined ClickFix techniques with document lures and fake device registration portals.

FileFix refines this technique by shifting the execution environment to File Explorer. The new approach:

  • Uses a phishing page posing as a file-sharing notification
  • Tells the user to paste a path into File Explorer's address bar to "access" the shared file
  • Hides the malicious PowerShell command by placing it first, padding it with whitespace, and appending the dummy file path inside a PowerShell comment (#); the address bar shows only the path, while PowerShell ignores everything after the #
  • Relies on File Explorer's address bar accepting and executing commands, not only paths, when the user presses Enter

“The phishing page includes an ‘Open File Explorer’ button that, when clicked, launches File Explorer through the file upload functionality and copies the PowerShell command to the clipboard,” explained mr.d0x.

A proof-of-concept demo shows that the user sees only the fake file path in the address bar; as soon as they press Enter, the hidden PowerShell command runs.
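The following JavaScript is an added example written for this page; it is not the article's content and not mr.d0x's proof-of-concept. It models the three pieces described above: the clipboard payload (command, whitespace padding, then a dummy path inside a # comment), the lure page's button handler (file picker plus clipboard write), and a detection heuristic over the process-creation events an endpoint sensor would see, since whatever is pasted into the address bar becomes the command line of a child of explorer.exe. The padding width, the detection threshold, the benign "ping" command, the HRPolicy.docx path, and the sample events are all assumptions constructed for the example; the Clipboard API call stands in for whatever copy mechanism a real lure uses.

```javascript
// Added example, not code from the article or from mr.d0x's PoC.
// All names, thresholds and sample events below are assumptions.

const PAD_WIDTH = 200;        // assumption: enough spaces to scroll the real command out of the visible address bar
const MIN_SUSPICIOUS_PAD = 8; // assumption: legitimate command lines rarely pad this much before a '#'

// Command first, then padding, then a PowerShell comment holding the dummy path.
// PowerShell stops parsing at '#', so the path is purely cosmetic.
function buildFileFixPayload(command, dummyPath, padWidth = PAD_WIDTH) {
  return `${command}${" ".repeat(padWidth)}# ${dummyPath}`;
}

// Page-side handler: open the OS file picker through a hidden <input type="file">
// (File Explorer on Windows) and put the payload on the clipboard. `doc` and `nav`
// are injected so the function can run outside a browser with stubs.
function onOpenFileExplorerClick(doc, nav, payload) {
  const picker = doc.querySelector('input[type="file"]');
  picker.click();
  const write = nav.clipboard.writeText(payload); // async Clipboard API in a real browser
  return { payload, pickerOpened: true, clipboardWrite: write };
}

// Detection side. Matches an interpreter at the start of a command line, with or
// without a quoted full path.
const INTERPRETERS =
  /^"?(?:[A-Za-z]:\\[^"\s]*\\)?(?:powershell|pwsh|cmd|mshta|wscript|cscript)(?:\.exe)?"?(?:\s|$)/i;

// Look for a long whitespace run followed by a '#' comment that contains a Windows path.
function findHiddenPath(cmdline) {
  const m = cmdline.match(/(\s+)#\s*([A-Za-z]:\\\S+)/);
  if (!m || m[1].length < MIN_SUSPICIOUS_PAD) return null;
  return { padding: m[1].length, path: m[2] };
}

// Verdicts: "filefix-pattern" when the padded comment trick is present,
// "review" when explorer.exe merely spawned an interpreter, else "benign".
function classifyEvent(ev) {
  const reasons = [];
  const fromExplorer = /(^|\\)explorer\.exe$/i.test(ev.parent);
  if (fromExplorer && INTERPRETERS.test(ev.cmdline)) {
    reasons.push("script interpreter spawned by explorer.exe");
  }
  const hidden = findHiddenPath(ev.cmdline);
  if (hidden) reasons.push(`${hidden.padding} spaces then a comment holding ${hidden.path}`);
  const verdict = hidden ? "filefix-pattern" : reasons.length ? "review" : "benign";
  return { verdict, reasons };
}

// Constructed sample process-creation events (not real telemetry).
const SAMPLE_EVENTS = [
  { parent: "explorer.exe", image: "powershell.exe",
    cmdline: buildFileFixPayload('powershell.exe -c "ping example.com"',
                                 "C:\\company\\internal-secure\\filedrive\\HRPolicy.docx") },
  { parent: "explorer.exe", image: "powershell.exe", cmdline: "powershell.exe" },
  { parent: "cmd.exe", image: "powershell.exe",
    cmdline: 'powershell.exe -c "Get-Date" # C:\\notes.txt' },
];

function triage(events = SAMPLE_EVENTS) {
  return events.map((ev) => ({ ...ev, ...classifyEvent(ev) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of triage()) console.log(r.verdict, r.reasons);
}
```

The detection deliberately keys on the padding-plus-comment shape rather than on explorer.exe spawning PowerShell alone, because a user typing "powershell" into the address bar produces the latter legitimately; the padded comment is the part of the lure that has no ordinary reason to appear in a command line.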

