New FileFix Attack Abuses Windows File Explorer to Execute Malicious Commands
A novel social engineering technique called “FileFix” exploits Windows File Explorer’s address bar functionality to execute malicious commands, presenting a dangerous alternative to the increasingly popular ClickFix attack method.
The technique, discovered by security researcher mr.d0x, leverages browser file upload functionality to open Windows File Explorer and tricks users into executing PowerShell commands through the address bar rather than the traditional Windows Run Dialog.

This method circumvents many security awareness training programs that focus on recognizing Run Dialog-based attacks.
ClickFix attacks have emerged as a significant threat since early 2024, with cybersecurity firms reporting a surge in these social engineering campaigns.
The technique typically involves fake error messages or CAPTCHA prompts that instruct users to copy and paste malicious commands into the Windows Run Dialog (Windows Key + R).
According to recent threat intelligence reports, ClickFix campaigns have been observed distributing various malware families, including AsyncRAT, DarkGate, Lumma Stealer, and NetSupport RAT.
The attacks have been adopted by multiple threat actors, from individual cybercriminals to nation-state groups such as Russia-linked APT28 and Iran-linked MuddyWater.
How FileFix Exploits File Explorer
The FileFix attack method begins with a convincing phishing webpage that mimics legitimate file-sharing services. When users click an “Open File Explorer” button, JavaScript automatically copies a malicious PowerShell command to the clipboard while simultaneously triggering the browser’s file upload dialog.

The file upload functionality causes Windows File Explorer to open, at which point the attack relies on social engineering to guide users through the execution process.
The malicious webpage provides instructions for users to paste what they believe is a file path into the File Explorer address bar using Ctrl+L, but the clipboard actually contains a hidden PowerShell command, mr.d0x said.
A key aspect of the attack involves command obfuscation, where the malicious PowerShell script is concatenated with a fake file path after a comment symbol, making it appear legitimate to unsuspecting users. For example: Powershell.exe -c ping example.com # C:\company\internal-secure\filedrive\HRPolicy.docx
The attack exploits Windows File Explorer’s ability to execute commands directly from the address bar, a feature that many users are unaware of.
Security researchers have documented how File Explorer can run various system commands, including PowerShell, Command Prompt, and other utilities, when entered into the address bar.
The researcher has also identified a secondary variation that involves downloading executable files and leveraging the fact that programs executed through File Explorer’s address bar have their Mark of the Web (MOTW) attribute removed. This could bypass security controls that rely on MOTW for threat detection.
The FileFix technique represents an evolution in social engineering attacks, moving beyond the traditional ClickFix method while maintaining similar effectiveness. The attack is particularly concerning because it operates entirely within the browser environment and relies on legitimate Windows functionality.
Cybersecurity experts recommend monitoring for suspicious child processes spawned by browsers, particularly cmd.exe and PowerShell.exe, as well as other system utilities. Organizations should also update their security awareness training to include File Explorer-based attack vectors alongside traditional Run Dialog techniques.
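The monitoring advice above, and the obfuscated “command # fake path” pattern shown earlier, can be turned into a simple detection check. The following is an added example, not code from the article or from mr.d0x; it assumes Sysmon Event ID 1-style process-creation records with ParentImage, Image and CommandLine fields, and the sample events are constructed, not real telemetry.

```python
# Added example (not from the article): flag shells spawned by browsers and
# PowerShell command lines that hide a fake file path behind a '#' comment.
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# A '#' followed by something that looks like a Windows drive path.
FAKE_PATH_RE = re.compile(r"#\s*[A-Za-z]:\\[^\s\"']+")

def basename(path):
    """Last path component, lower-cased, so image paths compare by file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse_event(event):
    """Return the list of detection reasons for one event (empty list = benign)."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in BROWSERS and child in SHELLS:
        reasons.append(f"browser {parent} spawned shell {child}")
    if child in {"powershell.exe", "pwsh.exe"} and FAKE_PATH_RE.search(cmd):
        reasons.append("PowerShell command line hides a fake file path behind '#'")
    return reasons

def scan(events):
    """Map the index of each suspicious event to its detection reasons."""
    findings = {}
    for i, event in enumerate(events):
        reasons = analyse_event(event)
        if reasons:
            findings[i] = reasons
    return findings

# Constructed sample events (assumed field names, no real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Powershell.exe -c ping example.com # C:\company\internal-secure\filedrive\HRPolicy.docx"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: " + "; ".join(reasons))
```

Only the first sample trips both rules; the explorer.exe-launched maintenance script and the browser’s own renderer process are left alone.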
As phishing attacks continue to evolve with a reported 202% increase in overall phishing messages in 2024, the emergence of FileFix demonstrates how threat actors continuously adapt their techniques to bypass security measures and user awareness programs.
The simplicity and effectiveness of these browser-based attacks underscore the ongoing challenge of defending against human-targeted social engineering campaigns.