Cybersecurity researchers at Check Point have identified a new, insidious social engineering technique that requires almost no user interaction.
The FileFix technique builds on an already widely used tactic called ClickFix, which according to Check Point tricks users into running malicious commands in the Windows Run dialog.
FileFix, meanwhile, opens a Windows File Explorer window from a web page and surreptitiously loads a disguised PowerShell command into their clipboard.
“When the victim pastes into the Explorer address bar, the malicious command executes,” researchers explained. “This attack relies not on software vulnerabilities but on exploiting routine user actions and trust.”
The researchers added that they have now observed known bad actors using FileFix in the wild. While the payloads are currently benign, they suggest this signals “an imminent shift to delivering real malware”.
“The rapid rise of the ClickFix technique in 2025 highlights that social engineering remains one of the most cost-effective and enduring methods cyber criminals use to breach defenses,” the researchers said.
“The fact that FileFix is already being tested and used in the wild mere days after its public disclosure shows how quickly attackers adopt new techniques and adapt to the evolving cyber threat landscape.”
Commenting on the Check Point findings, Dray Agha, senior manager of security operations at cyber security firm Huntress, said: “Threat actors [are] rapidly iterating to leverage foundational Windows workflows, making defenses that much harder to deploy”.
“By tricking users into 'pasting a path,' attackers execute malicious PowerShell without triggering standard warnings,” he added.
Agha warned that Huntress has also seen FileFix being used “aggressively in the wild, and it is succeeding in tricking users in huge numbers”.
How to protect yourself from FileFix
Check Point has laid out recommendations for security professionals to help protect against this attack, including:
- Monitoring phishing pages that mimic popular services and security verification screens, especially those using “Cloudflare-like” templates
- Implementing and fine-tuning detection rules to flag suspicious clipboard activity or unusual PowerShell executions triggered by user actions.
- Staying current with emerging social engineering trends and regularly updating user training, incident response plans, and security playbooks.
It also suggests encouraging “a culture of verification”, which will lead users to confirm unexpected or unusual requests with the relevant IT or security team before acting.
Users themselves should be “highly suspicious” of any web page or email that asks them to carry out unusual activity – especially copying and pasting.
They should also be educated that legitimate websites and software “rarely require manual execution of commands to fix issues”.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Hackers are using fake tool installers to dupe victims
- Why social engineering is such a problem and how your business can protect itself
- Hackers are using PDFs to impersonate big brands in a new threat campaign
-
Channel leaders: Complexity is an opportunityNews Complexity, customer expectations, and competitive pressure are converging rapidly. Partners must invest in AI and automation now for both strategic and survival reasons, argue channel leaders
-
Disability pride in IT: How leaders can better understand workersDisability pride is a burgeoning movement in the tech sector – and one that should be embraced by leadership
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Government urges large enterprises to shore up defenses as NCSC warns UK faces four 'nationally significant' cyber attacks every weekNews UK enterprises of all sizes face escalating cybersecurity threats, ministers have warned
-
Third time lucky? The FBI just took down BreachForums, againNews The hacking forum is down for now, but the group behind it, Scattered Lapsus$ Hunters, isn't going to stop extorting victims of the Salesforce breach
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber skills shortages are pushing firms into dangerous shortcuts – and it’s putting them at huge risk of security breachesNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
-
Pentesters are now a CISOs best friend as critical vulnerabilities skyrocketNews Attack surfaces are expanding rapidly, but pentesters are here to save the day
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
