
Threat Hunting Case Study: FileFix


In a recent episode of Intel 471’s Happy Hunting series, threat hunt analyst Lee Archinal broke down FileFix, an evolution of the ClickFix copy-and-paste social engineering technique that dominated malware distribution through 2024 and 2025. ClickFix relied on convincing users to open the Win + R Run dialog interface and paste a malicious command. FileFix moved the execution vector into the address bar of File Explorer, a trusted native Windows file management application.

This gives the attacker two advantages: it exploits users’ trust in the familiar File Explorer interface, and it sidesteps Mark of the Web (MotW) protections—the mechanism Windows uses to tag files downloaded from the internet as untrusted. Because FileFix never delivers a downloaded file, there is no internet-origin tag for MotW to apply. Therefore controls that depend on this tag, such as SmartScreen and the “this file came from the internet” warning, never activate.

In this blogpost, we provide a walkthrough of a targeted threat hunt for FileFix activity using a hunt pack from Intel 471’s HUNTER platform. Threat hunters can use these to search for activity tied to malware and intrusion campaigns on their security and logging platforms.

The Attack Chain

This FileFix campaign, captured by a recent DFIR report, begins with KongTuke aka LandUpdate808, a web-inject threat cluster that has been associated with multiple malware families. Adversaries inject a single-line script into the HTML of a page from a compromised but legitimate website. The linked JavaScript serves a payload that presents visitors with a fake verification prompt or CAPTCHA.

This is where FileFix differs from ClickFix. Rather than directing the user to a system dialog, the malicious page uses the HTML element. When the user clicks to verify, the browser calls explorer.exe to open a standard “Select File” window. This routine behavior helps avoid raising suspicion. Simultaneously, the malicious JavaScript writes a heavily obfuscated PowerShell command to the user’s clipboard. The user is then instructed to paste a “verification code” into the File Explorer address bar. Because explorer.exe interprets strings entered in the address bar as direct operating system instructions, the command executes. MotW protections don’t activate because the payload is executed through a clipboard string in the trusted File Explorer address bar. As with ClickFix, the user has effectively run the attacker’s command themselves, albeit in a window they trusted rather than a system dialog interface.

When the adversary wants to establish C2 communication, the methods vary. No matter the payload, whether it is a DLL, executable, or script, they usually end up leveraging living-off-the-land binaries (LOLBins) to achieve this goal.

Behavioral Hunting Versus IoCs

Indicators of compromise (IoCs) have a short shelf life. The obfuscated PowerShell command differs between targets and campaigns, and payload filenames, hashes and C2 infrastructure all rotate. Searching for a specific encoded command string or a known-bad IP may produce a quick win, but the absence of those indicators also does not rule out the presence of that threat.

This is why IoC log queries and behavioral hunting work best in combination. Users of Retroactive Threat Detection on Verity471 can use IoCs embedded in intelligence reports to quickly generate IoC detection queries and run them on their security platforms to check whether the threat appeared in historical telemetry. It’s a fast way for analysts to confirm whether malicious infrastructure or hashes have ever touched your environment. Even as those IoCs change, which they will across various FileFix campaigns, you can still hunt on process lineage. This approach surfaces the underlying behavior regardless of what payload, domain or command variation the attacker used. Analysts can run IoC scans as a first pass, but treat them as one input rather than the verdict.

The Hunt Package

The package used here is “Browser Spawning Suspicious Applications — Potential Exploit or Social Engineering,” available from the free Community Edition of HUNTER. Each package ships with emulation and validation files that generate telemetry native to a customer’s environment to safely reproduce threat behaviors and validate detections; human-readable descriptions enable analysts to see what every field is doing and why.

This particular package focuses on scripting engines and other applications that are commonly abused through browser exploitation to retrieve, install or perform malicious commands. The query logic (pictured below) is built around process lineage. In a healthy environment, a web browser has no legitimate reason to spawn a scripting interpreter or command shell. The key to this hunt package producing a true positive is that it identifies the parent process as a browser. The query is structured as a field-value pair relationship: it first defines the parent process as a browser (chrome.exe, msedge.exe, iexplore.exe and others that may be present in an environment), then defines a list of suspicious child processes to watch for. Here you can see familiar LOLBins that adversaries use in FileFix-style attacks, such as the Windows command shell, PowerShell and even Python (cmd.exe, powershell.exe, wscript.exe and python.exe). Any pairing of those parents spawning any of those children is a reliable sign that something malicious or suspicious is happening in your environment and is worth investigating.

Image: Query logic for the hunt package, “Browser Spawning Suspicious Applications — Potential Exploit or Social Engineering.”

Running the Hunt in Splunk

To put the hunt into practice, we can run it against Windows event logs collected via Sysmon and imported into Splunk. We use Sysmon as the log source because it captures the parent process, child process and command-line arguments needed to assess results.

Image: Splunk helps display fields and processes captured by Sysmon.

The data returns two instances where a browser was the parent process. The first involves Microsoft Edge launching cmd.exe; it warrants a look, but the surrounding context is relatively benign. The second looks more suspicious: Chrome, executing from the documents directory of fictitious end user “jamesmurphy,” spawned powershell.exe. The command-line arguments show that the child process is running a PowerShell encoded command, a common method used to hide malicious instructions. This query will help you identify these types of data and artifacts in your environment.

Image: Command-line argument shows a child process running a suspicious PowerShell encoded command

Now we also have the command-line arguments, which give us more insight into what the attacker may have been after: they reveal whether the encoded command instructed the system to install a staged download or a C2 beacon, perform internal reconnaissance, or do something else.
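The hunt package's parent/child logic and the Splunk triage above, as an added example that is not Intel 471's code or the package's query: it runs the browser-parent check over constructed Sysmon Event ID 1 records and decodes the PowerShell encoded command that the Chrome finding carries. The browser and child lists are assumptions (they extend the binaries the post names), and the events, user name and encoded payload are constructed.

```python
import base64
import re

# Parent/child pairing the hunt package keys on: a browser parent spawning a
# scripting engine or shell. These lists are assumptions modelled on the
# package description, extended with a few more binaries than the post names.
BROWSERS = {"chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "python.exe"}

# Constructed Sysmon Event ID 1 records reduced to the fields the hunt needs.
# The encoded payload is a harmless string built here, not a captured sample.
ENCODED = base64.b64encode("Write-Output 'constructed test'".encode("utf-16-le")).decode()
EVENTS = [
    {"User": "LAB\\jamesmurphy", "CommandLine": "cmd.exe /c ver",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"User": "LAB\\jamesmurphy", "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}",
     "ParentImage": r"C:\Users\jamesmurphy\Documents\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"User": "LAB\\jamesmurphy", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

def image_name(path):
    """Last path component, lower-cased, so lineage compares binary names."""
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Decode a PowerShell -e/-ec/-enc/-EncodedCommand argument (base64 of
    UTF-16LE text); return None when the command line carries no such argument."""
    m = re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def hunt(events):
    """One finding per event where a browser parent spawned a suspicious child."""
    findings = []
    for ev in events:
        parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
        if parent in BROWSERS and child in SUSPICIOUS_CHILDREN:
            findings.append({"user": ev["User"], "parent": parent, "child": child,
                             "decoded": decode_encoded_command(ev["CommandLine"])})
    return findings
```

Running `hunt(EVENTS)` returns the Edge-to-cmd.exe and Chrome-to-powershell.exe events and ignores the Chrome-to-notepad.exe one; the second finding carries the decoded command text for analyst review.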

An expert tip: For FileFix specifically, it may be worth checking the TypedPaths registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths. Because the malicious command was entered via the File Explorer address bar, Windows often records it there, and finding a full PowerShell string or an HTTP URL inside that key is a strong forensic indicator of a successful FileFix execution.
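The TypedPaths check above, as an added example that is not Intel 471's code: it enumerates the key for the current user on Windows and flags any value holding an interpreter name, an encoded-command switch or a web URL. The triage patterns and the sample values are assumptions; off Windows the reader can only run it over the constructed sample.

```python
import re
import sys

# Key the post points to (under HKCU); values url1, url2, ... hold address-bar history.
TYPED_PATHS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"

# Triage patterns (an assumption): an interpreter name, an encoded-command
# switch, or a web URL has no business in File Explorer address-bar history.
SUSPICIOUS = [
    ("powershell", re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")),
    ("cmd", re.compile(r"(?i)\bcmd(\.exe)?\b")),
    ("encoded-arg", re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s")),
    ("url", re.compile(r"(?i)\bhttps?://")),
]

def triage_typed_paths(values):
    """values: {value_name: data}. Return entries that match any triage pattern."""
    findings = []
    for name, data in values.items():
        hits = [label for label, rx in SUSPICIOUS if rx.search(data)]
        if hits:
            findings.append({"value": name, "data": data, "hits": hits})
    return findings

def read_typed_paths():
    """Enumerate the live key for the current user on Windows; {} elsewhere or
    when the key does not exist (for other users, load their NTUSER.DAT hive)."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, TYPED_PATHS_KEY) as key:
            i = 0
            while True:
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = str(data)
                i += 1
    except OSError:
        pass  # end of enumeration, or key absent on this profile
    return values

# Constructed sample of what the key can hold after a FileFix paste.
SAMPLE = {
    "url1": r"C:\Users\jamesmurphy\Documents",
    "url2": r"\\fileserver\share",
    "url3": "powershell.exe -nop -w hidden -enc QQBCAEMA",  # constructed stub
    "url4": "https://example.invalid/verify",
}
```

Call `triage_typed_paths(read_typed_paths() or SAMPLE)` to get the flagged entries; url1 and url2 are ordinary folder paths and stay quiet, while url3 and url4 are the findings the tip describes.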

Conclusion

FileFix is a reminder that attackers do not always need a new exploit to change the game. Sometimes shifting user trust from one familiar interface to another is enough. By moving execution into the File Explorer address bar, adversaries have found a vector that feels normal enough to trick many users. Since FileFix emerged in 2025, we have seen phishing pages utilizing the FileFix technique to deploy malware. We’ve also observed ClickFix and FileFix implementations being offered on cybercrime forums, bundled into phishing kits and malware builders or sold as templates.

Having the victim run the attacker’s command themselves using native trusted tools changes the game for defenders too. That’s why threat hunting around process lineage and browsers spawning suspicious child processes matters. The goal of threat hunting isn’t just to have IoCs and find them, or to detect the payload. It’s about understanding the behavior so you can identify the techniques being used in your environment by different attackers with different payloads.

Register for a free HUNTER Community account to access this hunt package and others, alongside a broader library of threat hunt content built on Intel 471’s Malware Intelligence and Adversary Intelligence. HUNTER also includes the HUNT Management Module, a purpose-built tool for tracking hunt performance metrics, coordinating collaborative hunts, managing queries and reporting.
