Threat actors on underground forums are now promoting a new “ClickFix” payload-delivery technique that hides malware in the browser cache to evade endpoint detection and response (EDR) tools.
The seller pitches the method as an evolution of existing ClickFix/FileFix social‑engineering chains, claiming it can execute malicious code via Windows File Explorer without generating obvious network indicators.
The bundle includes setup instructions, a ready‑to‑use builder, a Fortinet‑themed lure template, and full source code, offered for around 300 USD.
For an additional 200 USD, the operator promises to customize or fully rewrite templates to match a buyer’s traffic, such as Cloudflare‑style captchas or VPN compliance themes.
The seller highlights that the technique does not use the traditional Win+R ClickFix command chain, instead relying on File Explorer address‑bar execution to make the attack appear as a benign file path operation.
In a recent dark‑web advertisement, a threat actor is selling a “New ClickFix/FileFix” package that delivers payloads from the browser cache instead of downloading them over the network.
This aligns with documented FileFix evolutions where users paste what looks like a folder path, but actually trigger a hidden PowerShell command that runs headless via conhost.exe.
By packaging this as a builder with templates, the actor is effectively offering “ClickFix‑as‑a‑Service,” lowering the bar for less technical buyers to run social‑engineering campaigns.
How the browser cache payload works
The advertised method builds on the cache‑smuggling technique, in which the browser is tricked into caching a malicious file that masquerades as an image or other harmless asset.
When a victim visits the phishing page, JavaScript forces the browser to fetch a fake JPEG that actually contains an embedded archive or binary, which is then automatically stored in Chrome’s cache path (for example, under Cache_Data in the user profile).
Later, the victim follows instructions to paste a command into the File Explorer address bar, which launches a PowerShell script rather than simply opening a directory.
This script copies cache files to a working folder, searches for unique markers around the hidden payload, extracts the embedded ZIP or executable, and runs it locally, all without issuing fresh HTTP requests at execution time.
Because the malicious content arrives as part of a seemingly legitimate image request and is subsequently loaded from disk, many EDR and network‑based detections that look for suspicious download cradles or outbound PowerShell traffic may never trigger.
Security impact
This “ClickFix via cache smuggling” combination reinforces how social‑engineering techniques can abuse legitimate browser and Windows features to bypass traditional defenses.
Organizations already face widespread ClickFix‑style campaigns that rely on victims copying commands into the Run dialog or terminals, and defenders have begun building detections around those behaviors.
The move to File Explorer plus browser cache intentionally sidesteps those rules by avoiding visible download cradles and reusing local cache files as an implicit delivery channel.
Defenders should monitor for unusual use of File Explorer’s address bar to launch PowerShell, headless conhost.exe instances, mass access to browser cache directories, and subsequent archive extraction and process creation events in user space.
Security teams are also advised to harden browser settings where possible, deploy user awareness training around “copy‑paste fixes” and fake VPN/compliance pages, and tune EDR/SIEM detections for cache‑smuggling patterns that chain browser activity with suspicious local execution.
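The monitoring advice above translates into a small set of process-creation rules. The following is an added illustration, not code from the article or from any vendor: it runs three such rules over constructed, simplified Sysmon-style events (field names, paths and the assumption that the address-bar launch appears as explorer.exe spawning a headless conhost.exe are assumptions for the example).

```python
import re

# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields).
# These are made-up test records, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 5200, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "conhost.exe --headless powershell -w hidden -c <redacted>"},
    {"pid": 5201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"powershell -w hidden -c Copy-Item $env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data\* C:\Users\Public\work"},
    {"pid": 6001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"powershell -File C:\Scripts\backup.ps1"},
]

# Browser cache directory markers (Chrome's Cache_Data folder, or any \Cache\ path segment).
CACHE_DIR_RE = re.compile(r"cache_data|\\cache\\", re.IGNORECASE)
SHELLS = ("powershell.exe", "pwsh.exe")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a list of (rule_name, severity) hits for one process-creation event."""
    hits = []
    img, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event["cmdline"]
    cmd_l = cmd.lower()
    # Rule 1: headless console host spawned under Explorer (assumed address-bar launch shape).
    if img == "conhost.exe" and "--headless" in cmd_l and parent == "explorer.exe":
        hits.append(("headless_conhost_from_explorer", "high"))
    # Rule 2: PowerShell command line touching a browser cache directory (extraction stage).
    if img in SHELLS and CACHE_DIR_RE.search(cmd):
        hits.append(("powershell_touches_browser_cache", "high"))
    # Rule 3: hidden-window PowerShell directly under Explorer. Explorer is also the parent of
    # ordinary Start-menu launches, so this is kept low severity and is meant for correlation.
    if img in SHELLS and parent == "explorer.exe" and re.search(r"-w(indowstyle)?\s+hidden", cmd_l):
        hits.append(("hidden_powershell_from_explorer", "low"))
    return hits


def scan(events):
    """Map pid -> rule hits for every event that triggered at least one rule."""
    findings = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event["pid"]] = hits
    return findings
```

In a SIEM the three rules would be joined on host and time window so that a headless conhost.exe followed within minutes by cache-directory access from PowerShell raises a single high-confidence alert.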