A new FileFix phishing campaign is targeting social media users with a fake "Meta account disabled" notice that tricks them into installing the StealC infostealer, which then harvests credentials and personal data.
The campaign begins with a convincing phishing page designed to look like a notification from Meta's support team. The page warns that the user's account will be disabled in seven days unless they view a linked "incident report."
FileFix Phishing Attack Leverages File Explorer
Attackers instruct victims to copy what looks like a simple file path but is in fact a PowerShell command. Victims are then told to paste it into the Windows File Explorer address bar, which runs the command and starts the infection.
The disguise works by padding the command with a long run of spaces: only the harmless-looking path at the end of the string is visible in the address bar, but the whole string, padding included, is executed. The hidden script then downloads a file from Bitbucket that appears to be a JPG image but carries embedded code that deploys the malware.
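As an added example (not code from the original article or from the campaign's tooling), the following Python triage routine shows the kind of process-creation check a defender can build from the details above: a shell spawned directly by explorer.exe, a command line containing a long run of whitespace, and a trailing comment that looks like a file path. The event records and the placeholder command body are constructed for the example; the Sysmon-style field names, the 40-space threshold and the "two indicators" flagging rule are assumptions, not values from the article.

```python
import re

# Constructed sample process-creation events in Sysmon Event ID 1 style.
# Field names and values are assumptions for this example, not real telemetry.
# Event 0 mimics the FileFix shape: explorer.exe launches PowerShell with a
# placeholder command, 180 spaces of padding, then a comment that reads as a path.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -c "Write-Output placeholder"'
        + " " * 180
        + r"# C:\Users\Public\Incident_Report.pdf",
    },
    {
        # A user opening PowerShell from the Start menu: same parent, benign command line.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    },
    {
        # A scheduled task running a script: different parent, no padding.
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    },
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
WHITESPACE_RUN = re.compile(r"\s{40,}")          # assumed threshold for "long" padding
TRAILING_PATH = re.compile(r"#\s*[A-Za-z]:\\")   # a PowerShell comment that looks like a drive path


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list[str]:
    """Return the list of FileFix-style indicators present in one event."""
    reasons = []
    if basename(event["ParentImage"]) == "explorer.exe" and basename(event["Image"]) in SHELLS:
        reasons.append("shell spawned directly by explorer.exe")
    run = WHITESPACE_RUN.search(event["CommandLine"])
    if run:
        reasons.append(f"{len(run.group())}-char whitespace run in command line")
    if TRAILING_PATH.search(event["CommandLine"]):
        reasons.append("trailing comment that looks like a file path")
    return reasons


def triage(events: list[dict], min_reasons: int = 2) -> list[tuple[int, list[str]]]:
    """Flag events with at least min_reasons indicators; one indicator alone is too noisy."""
    flagged = []
    for index, event in enumerate(events):
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            flagged.append((index, reasons))
    return flagged


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {'; '.join(reasons)}")
```

Only the first event is flagged: the Start-menu launch shares the explorer.exe parent but has no padding, and the scheduled task has neither, so requiring two indicators keeps ordinary interactive PowerShell use out of the alert queue.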
Malware Deployed for Widespread Data Theft
The campaign ultimately delivers the StealC infostealer, which is built for large-scale theft of social media credentials and other data. The malware collects browser credentials, authentication cookies, and data from messaging apps such as Discord and Telegram.
StealC also targets a wide range of sensitive information, including cryptocurrency wallets for Bitcoin and Ethereum, and cloud accounts for Amazon Web Services (AWS) and Azure. Additionally, it can steal credentials from VPN services like ProtonVPN, access gaming accounts, and take screenshots of the victim’s desktop.
Protecting Against Social Media Scams
The FileFix technique was originally developed and published by red team researcher mr.d0x; this campaign pairs it with a lure that exploits users' fear of losing account access to pressure them into acting quickly. It belongs to the same family of attacks as ClickFix, all of which trick users into pasting attacker-supplied commands into system dialogs.
Treat every urgent account suspension alert with caution and verify it by logging in to the platform directly rather than through the link in the message. Never paste commands or "paths" into the File Explorer address bar, the Run dialog or any other system prompt unless you are certain of their origin and purpose; a path that arrives with instructions to paste it is itself a warning sign.