Cybersecurity researchers have discovered a sophisticated evolution of the ClickFix attack technique that leverages browser cache smuggling to covertly place malicious files on target systems without traditional file downloads.
This advanced social engineering campaign specifically targets enterprise users through fake Fortinet VPN compliance pages, demonstrating how threat actors continuously adapt their methods to evade detection.
The newly identified campaign represents a significant departure from conventional ClickFix variants that typically rely on downloading malicious scripts from remote servers.
Instead, attackers have developed an ingenious method that exploits browser caching mechanisms to pre-position malicious content on victims’ machines before execution.
The attack begins with a convincing phishing lure masquerading as a Fortinet VPN Compliance Checker, capitalizing on the widespread enterprise use of Fortinet’s VPN solutions to gain initial access to corporate networks.

When users visit the malicious webpage, they encounter what appears to be a legitimate compliance verification interface. The page displays a text field containing what looks like a harmless network file path: “PublicSupportVPNForticlientCompliance.exe”.
However, clicking either the text box or the “Open File Explorer” button automatically copies a much longer, carefully crafted PowerShell command to the clipboard, with the malicious portion hidden by 139 leading spaces.
The visible portion of the command appears benign, showing only the expected file path preceded by a PowerShell comment symbol (#).


This clever obfuscation technique ensures that when users paste the content into Windows Explorer’s address bar, they only see the seemingly legitimate file path, while the actual malicious PowerShell script remains hidden above the visible area.
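As an added illustration (not code from the original article or from the researchers it cites), the following Python heuristic models how a clipboard monitor or paste-validation control could flag this padding trick: executable text, then a long run of whitespace, then a `#` comment that is the only part a user sees. The 40-character threshold and the sample clipboard string (a harmless `Write-Host` plus a constructed UNC path) are assumptions, not values from the campaign.

```python
import re

PAD_THRESHOLD = 40   # constructed cutoff; a genuine path never needs dozens of spaces of padding
WS_RUN = re.compile(r"\s{%d,}" % PAD_THRESHOLD)


def analyze_clipboard_text(text: str) -> dict:
    """Flag pasted text in which a long whitespace run hides executable content
    from a trailing '#' comment; works whether the pad leads or sits mid-string."""
    result = {"suspicious": False, "pad_length": 0, "hidden": "", "visible": ""}
    run = WS_RUN.search(text)
    if run is None:
        return result
    result["pad_length"] = run.end() - run.start()
    # Collapse the pad and look at what a shell would actually execute vs. what is shown.
    stripped = (text[:run.start()] + " " + text[run.end():]).strip()
    comment_at = stripped.find("#")
    executable = stripped[:comment_at].strip() if comment_at >= 0 else stripped
    result["hidden"] = executable
    result["visible"] = stripped[comment_at:] if comment_at >= 0 else ""
    # Suspicious only when something runnable precedes the comment the user sees.
    result["suspicious"] = bool(executable) and comment_at >= 0
    return result


def build_constructed_sample() -> str:
    """Constructed stand-in for the clipboard contents; the hidden part is benign."""
    hidden = "powershell -NoProfile -Command \"Write-Host 'constructed placeholder'\""
    visible = r"# \\FILESERVER\share\Compliance.exe"   # constructed path, not the campaign's
    return hidden + " " * 139 + visible
```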
Cache Smuggling: The Technical Innovation
The core innovation of this attack lies in its use of cache smuggling to deliver the malicious payload. Rather than downloading files through traditional HTTP requests, the attack leverages the browser’s natural caching behavior to store arbitrary data locally.
When victims visit the phishing page, obfuscated JavaScript code automatically fetches data from a specific URI that presents itself as a JPEG image by setting the appropriate HTTP Content-Type header.


However, analysis of the supposed image file reveals it lacks proper JPEG headers and instead contains a compressed ZIP archive wrapped between unique delimiter strings “bTgQcBpv” and “mX6o0lBw”.
The browser dutifully caches this fake image, unknowingly storing the malicious payload locally without triggering security controls designed to monitor file downloads.
The hidden PowerShell script then executes a sophisticated routine that searches through the browser’s cache directory, specifically targeting Chrome’s cache files.
Using regular expressions, it locates the cached “image” data, extracts the embedded ZIP archive using the delimiter strings, and writes it to disk as “ComplianceChecker.zip”.
The script subsequently extracts and executes the contained malware, completing the infection process entirely through locally cached content.
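As an added example (not the researchers' tooling or the attackers' script), this Python check shows how a defender can triage cached objects for the two traits described above: a response declared as `image/jpeg` that carries no JPEG marker, and a ZIP archive bracketed by the reported delimiter strings. The sample "image" is constructed inline from a harmless ZIP; the directory sweep is a byte-level heuristic, not a parser of Chrome's cache file format, which is an assumption to keep in mind for real use.

```python
import io
import pathlib
import re
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"      # every real JPEG begins with the SOI marker FF D8 FF
ZIP_MAGIC = b"PK\x03\x04"          # ZIP local file header
# Delimiter strings reported for this campaign; they bracket the smuggled archive.
START_DELIM = b"bTgQcBpv"
END_DELIM = b"mX6o0lBw"
DELIM_RE = re.compile(re.escape(START_DELIM) + b"(.*?)" + re.escape(END_DELIM), re.DOTALL)

def build_sample_fake_jpeg() -> bytes:
    """Constructed stand-in for the cached 'image': a harmless ZIP wrapped in the delimiters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample, not malware")
    return b"not-a-jpeg-prefix" + START_DELIM + buf.getvalue() + END_DELIM + b"trailing-bytes"

def inspect_cached_object(declared_type: str, data: bytes) -> dict:
    """Flag an object declared image/jpeg that has no JPEG marker anywhere (cache files
    prefix their own header, so offset 0 is not checked) and report any delimited ZIP."""
    findings = {"type_mismatch": False, "embedded_zip": False, "zip_entries": []}
    if declared_type.lower().startswith("image/jpeg") and JPEG_MAGIC not in data:
        findings["type_mismatch"] = True
    m = DELIM_RE.search(data)
    if m and m.group(1).startswith(ZIP_MAGIC):
        findings["embedded_zip"] = True
        try:
            with zipfile.ZipFile(io.BytesIO(m.group(1))) as zf:
                findings["zip_entries"] = zf.namelist()
        except zipfile.BadZipFile:
            pass  # delimiters plus ZIP magic but a corrupt archive: still worth an analyst's look
    return findings

def scan_cache_dir(directory: str) -> list:
    """Heuristic sweep: the stored response headers inside a cache file reveal the declared type."""
    hits = []
    for path in pathlib.Path(directory).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        declared = "image/jpeg" if b"image/jpeg" in data.lower() else ""
        findings = inspect_cached_object(declared, data)
        if findings["type_mismatch"] or findings["embedded_zip"]:
            hits.append((str(path), findings))
    return hits
```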
Security Implications
This cache smuggling technique presents significant challenges for traditional security solutions. Many endpoint protection platforms monitor file downloads and PowerShell web requests to detect malicious activity, but this attack circumvents both detection vectors.
Since no explicit downloads occur and the PowerShell script doesn’t make internet connections, the malicious activity may slip past conventional monitoring systems.
The attack’s sophistication extends beyond technical innovation to include careful social engineering. By impersonating Fortinet’s VPN compliance tools and presenting commands that appear to reference existing network resources, attackers reduce victim suspicion and increase the likelihood of successful execution.
The enterprise focus is particularly concerning, as successful compromise could provide attackers with valuable footholds in corporate networks.
Organizations should implement several defensive measures to counter this threat. Security teams should monitor for unusual processes accessing browser cache directories and restrict PowerShell usage to users who require it for legitimate purposes.
Where PowerShell restrictions aren’t feasible, enhanced monitoring of suspicious PowerShell execution combined with user education about ClickFix scams becomes critical.
Additionally, secure web gateways and DNS filtering can help prevent access to malicious domains hosting these sophisticated phishing pages.
The emergence of cache smuggling in ClickFix attacks demonstrates the ongoing evolution of social engineering techniques, highlighting the need for adaptive security strategies that account for novel attack vectors exploiting fundamental browser behaviors.