Cybersecurity researchers have uncovered a sophisticated phishing campaign that combines two emerging attack techniques to bypass conventional security defenses.
The hybrid approach merges FileFix social engineering tactics with cache smuggling to deliver malware payloads without triggering network-based detection systems.
This evolution represents a significant shift in how threat actors are circumventing endpoint detection and response solutions by eliminating the need for malicious code to establish internet connections during execution.
The attack begins with a deceptive phishing page masquerading as a legitimate FortiClient Compliance Checker interface.
.webp "Threat Actors Merging FileFix and Cache Smuggling Attacks to Evade Security Controls 2")
Victims are socially engineered into executing malicious commands by pasting clipboard content into the Windows Explorer address bar.
The technique capitalizes on FileFix methodology, which exploits the 2048-character limit of Explorer’s address bar to deliver substantially larger payloads compared to traditional ClickFix attacks limited to 260 characters in the Windows Run dialog.
.webp "Threat Actors Merging FileFix and Cache Smuggling Attacks to Evade Security Controls 4")
Attackers further obscure their commands by padding them with spaces, ensuring only benign-looking text appears visible to users while concealing malicious PowerShell scripts in the hidden portions.
What distinguishes this campaign from conventional malware distribution methods is its innovative use of cache smuggling to pre-position payloads on victim systems.
Rather than downloading malicious files through conventional web requests that security tools typically monitor, the attack leverages browser caching mechanisms to store embedded executables disguised as legitimate image files.
MalwareTech analysts identified this technique during threat intelligence investigations at Expel Security, noting how the first-stage loader simply extracts the second-stage payload directly from the browser’s cache without generating any suspicious network traffic.
The technical implementation involves JavaScript code that uses the fetch() function to retrieve a fake JPG file, which is actually a ZIP archive containing the malicious payload.
By setting the HTTP Content-Type header to image/jpeg, attackers trick web browsers into caching executable files as if they were standard static assets.
The embedded PowerShell script then searches through the browser’s cache directory to locate the smuggled ZIP file, extracts its contents, and executes the malware without establishing any external connections that would alert network monitoring systems.
Advanced Exif Smuggling Technique
Building upon basic cache smuggling principles, security researchers have developed an even more sophisticated variation using Exif metadata concealment within legitimate image files.
This technique exploits the Exchangeable Image File Format specification, which permits up to 64 KB of metadata storage within JPG images.
By embedding malicious payloads into oversized Exif fields while maintaining valid image structure, attackers can create fully functional photographs that simultaneously carry hidden executable code undetectable to casual inspection.
The implementation leverages a quirk in how Exif parsers handle ASCII string fields. While most software interprets a null byte as the string termination character, the Exif specification includes a separate length field that defines the actual data size.
Researchers demonstrated this by crafting Image Description fields structured as benign text followed by a null byte and then the payload data wrapped in delimiter tags.
When viewed through Windows Explorer properties, only the innocuous description appears, yet the full malicious payload remains embedded within the file structure, accessible through programmatic extraction using PowerShell regular expressions matching specific byte patterns.
This Exif smuggling approach eliminates several shortcomings of earlier cache smuggling implementations.
Traditional methods that simply relabeled executables as image files generated broken image icons and risked detection by firewalls performing content-type validation.
The new technique produces perfectly valid JPG files that render normally while containing hidden payloads extractable without dedicated Exif parsers.
Testing revealed this method works across multiple attack vectors, including Microsoft Outlook email attachments, where images are preemptively cached even when preview features are disabled, potentially delivering payloads before users open messages.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
