A new, silent social engineering attack is being used by hackers – and your security systems might not notice until it’s too late

Woman using keyboard with illuminated keys in a darkened room.

(Image credit: Getty Images)

published 17 July 2025

Cybersecurity researchers at Check Point have identified a new, insidious social engineering technique that requires almost no user interaction.

The FileFix technique builds on an already widely used tactic called ClickFix, which according to Check Point tricks users into running malicious commands in the Windows Run dialog.

FileFix, meanwhile, opens a Windows File Explorer window from a web page and surreptitiously loads a disguised PowerShell command into their clipboard.

“When the victim pastes into the Explorer address bar, the malicious command executes,” researchers explained. “This attack relies not on software vulnerabilities but on exploiting routine user actions and trust.”

The researchers added that they have now observed known bad actors using FileFix in the wild. While the payloads are currently benign, they suggest this signals “an imminent shift to delivering real malware”.

“The rapid rise of the ClickFix technique in 2025 highlights that social engineering remains one of the most cost-effective and enduring methods cyber criminals use to breach defenses,” the researchers said.

“The fact that FileFix is already being tested and used in the wild mere days after its public disclosure shows how quickly attackers adopt new techniques and adapt to the evolving cyber threat landscape.”

Commenting on the Check Point findings, Dray Agha, senior manager of security operations at cyber security firm Huntress, said: “Threat actors [are] rapidly iterating to leverage foundational Windows workflows, making defenses that much harder to deploy”.

“By tricking users into 'pasting a path,' attackers execute malicious PowerShell without triggering standard warnings,” he added.

Agha warned that Huntress has also seen FileFix being used “aggressively in the wild, and it is succeeding in tricking users in huge numbers”.

How to protect yourself from FileFix

Check Point has laid out recommendations for security professionals to help protect against this attack, including:

Monitoring phishing pages that mimic popular services and security verification screens, especially those using “Cloudflare-like” templates
Implementing and fine-tuning detection rules to flag suspicious clipboard activity or unusual PowerShell executions triggered by user actions.
Staying current with emerging social engineering trends and regularly updating user training, incident response plans, and security playbooks.

It also suggests encouraging “a culture of verification”, which will lead users to confirm unexpected or unusual requests with the relevant IT or security team before acting.

Users themselves should be “highly suspicious” of any web page or email that asks them to carry out unusual activity – especially copying and pasting.

They should also be educated that legitimate websites and software “rarely require manual execution of commands to fix issues”.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

TOPICS

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.