A new, silent social engineering attack is being used by hackers – and your security systems might not notice until it’s too late
Malicious actors are already using the FileFix technique in malware-delivery dummy runs, Check Point claims
Cybersecurity researchers at Check Point have identified a new, insidious social engineering technique that requires almost no user interaction.
The FileFix technique builds on an already widely used tactic called ClickFix, which, according to Check Point, tricks users into running malicious commands in the Windows Run dialog.
FileFix, meanwhile, opens a Windows File Explorer window from a web page and surreptitiously loads a disguised PowerShell command into the user's clipboard.
“When the victim pastes into the Explorer address bar, the malicious command executes,” researchers explained. “This attack relies not on software vulnerabilities but on exploiting routine user actions and trust.”
The researchers added that they have now observed known bad actors using FileFix in the wild. While the payloads are currently benign, they suggest this signals “an imminent shift to delivering real malware”.
“The rapid rise of the ClickFix technique in 2025 highlights that social engineering remains one of the most cost-effective and enduring methods cyber criminals use to breach defenses,” the researchers said.
“The fact that FileFix is already being tested and used in the wild mere days after its public disclosure shows how quickly attackers adopt new techniques and adapt to the evolving cyber threat landscape.”
Commenting on the Check Point findings, Dray Agha, senior manager of security operations at cyber security firm Huntress, said: “Threat actors [are] rapidly iterating to leverage foundational Windows workflows, making defenses that much harder to deploy”.
“By tricking users into 'pasting a path,' attackers execute malicious PowerShell without triggering standard warnings,” he added.
Agha warned that Huntress has also seen FileFix being used “aggressively in the wild, and it is succeeding in tricking users in huge numbers”.
How to protect yourself from FileFix
Check Point has laid out recommendations for security professionals to help protect against this attack, including:
- Monitoring phishing pages that mimic popular services and security verification screens, especially those using “Cloudflare-like” templates.
- Implementing and fine-tuning detection rules to flag suspicious clipboard activity or unusual PowerShell executions triggered by user actions.
- Staying current with emerging social engineering trends and regularly updating user training, incident response plans, and security playbooks.
It also suggests encouraging “a culture of verification”, which will lead users to confirm unexpected or unusual requests with the relevant IT or security team before acting.
Users themselves should be “highly suspicious” of any web page or email that asks them to carry out unusual activity – especially copying and pasting.
They should also be educated that legitimate websites and software “rarely require manual execution of commands to fix issues”.
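As an added illustration of the detection-rule recommendation above (not code from Check Point, Huntress or ITPro), the sketch below scores process-creation events for PowerShell launches that look user-pasted. The field names follow Sysmon Event ID 1; the parent-process list, the weights, the regexes and the sample events are assumptions constructed for this example.

```python
import ntpath
import re

# Assumed heuristics for illustration; tune them against your own telemetry.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Processes that own the address bar or file dialog a user would paste into.
PASTE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# A trailing comment that reads like a file path: the "path" the user believes they pasted.
TRAILING_PATH_COMMENT = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)\S.*$")
HIDDEN_OR_ENCODED = re.compile(r"(?i)\s-(?:enc\w*|ec|w\w*\s+hid\w*)\b")

def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    image = ntpath.basename(event["Image"]).lower()
    if image not in SHELLS:
        return 0, []
    score, reasons = 0, []
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent in PASTE_PARENTS:
        score += 1
        reasons.append(f"shell spawned by {parent}")
    if TRAILING_PATH_COMMENT.search(event["CommandLine"]):
        score += 2
        reasons.append("command line ends in a path-like comment")
    if HIDDEN_OR_ENCODED.search(event["CommandLine"]):
        score += 1
        reasons.append("hidden window or encoded command")
    return score, reasons

def triage(events, threshold=2):
    """Return (event, score, reasons) for events at or above the threshold."""
    scored = [(e, *score_event(e)) for e in events]
    return [item for item in scored if item[1] >= threshold]

# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ROWS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'powershell.exe -c "Write-Output test" # C:\Shares\HR\Policy.docx'),
    (r"C:\Windows\explorer.exe", "powershell.exe"),
    (r"C:\Windows\System32\svchost.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "powershell.exe -w hidden -enc PLACEHOLDER"),
]
SAMPLE_EVENTS = [{"ParentImage": p, "Image": PS, "CommandLine": c} for p, c in ROWS]

if __name__ == "__main__":
    for event, score, reasons in triage(SAMPLE_EVENTS):
        print(score, "; ".join(reasons), "|", event["CommandLine"])
```

The interactive PowerShell session opened from Explorer scores 1 and stays below the threshold, which shows why the parent process alone is too noisy to alert on.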

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.
