Wednesday, October 29, 2025

Stealth Malware Surge With FileFix Cache-Smuggling — Arabian Post

A wave of advanced phishing campaigns is exploiting a novel combination of social engineering and browser-cache manipulation to infiltrate systems without triggering typical security alerts.

The technique begins when a user is tricked into visiting a phishing webpage that pretends to be a trusted application—such as a VPN compliance checker. The danger lies in the instruction to copy and paste a network path into the Windows File Explorer address bar. What appears to be a benign path conceals a heavily padded command string that launches a hidden PowerShell script. That script creates a folder in the user’s local application data directory, then searches the browser cache for payload data stored inside a fabricated image file. Once located, the data—actually a zipped archive—is extracted and executed. Because the file was already placed in the cache and no external download occurs at the moment of extraction, many endpoint detection and response systems register no suspicious network activity or download event.
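The process chain described above leaves a host-side trace even when no download is observed: Explorer itself launches PowerShell with a padded, hidden-window command line. The following detection logic is an added example written for this article, not code from the researchers or from Arabian Post. It scores constructed process-creation events (modelled on the fields an EDR or Sysmon process-creation record carries; the paths, the user name and the `vpn-check.example` share are invented sample values) and flags those that combine several of the signals the article names.

```python
import re

# Constructed process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {   # the article's pattern: explorer.exe launches a hidden, padded
        # PowerShell command that was pasted into the address bar
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell.exe -w hidden -c "<command body omitted>"'
                   + " " * 200 + r"\\vpn-check.example\compliance\report.pdf",
    },
    {   # benign: a user opens a document from Explorer
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
    },
    {   # benign: a script run from cmd.exe, visible window, no padding
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1",
    },
]

PADDING_RE = re.compile(r"\s{16,}")  # a long run of spaces pushes the real command out of view
HIDDEN_RE = re.compile(r"-(w|windowstyle)\s+h", re.IGNORECASE)  # -w hidden / -WindowStyle Hidden
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def score_event(event: dict) -> list:
    """Return the list of FileFix-style signals present in one process-creation event."""
    reasons = []
    if basename(event["parent"]) == "explorer.exe" and basename(event["image"]) in SHELLS:
        reasons.append("explorer.exe spawned PowerShell directly (address-bar paste)")
    cmd = event["cmdline"]
    if PADDING_RE.search(cmd):
        reasons.append("command line padded with a long whitespace run")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window requested")
    if len(cmd) > 512:
        reasons.append("unusually long command line")
    return reasons


def triage(events: list, min_reasons: int = 2) -> list:
    """Return (index, reasons) for events that hit at least min_reasons signals.

    Requiring more than one signal keeps a lone explorer.exe -> powershell.exe
    launch (common in admin workflows) from paging anyone by itself.
    """
    hits = []
    for i, event in enumerate(events):
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Only the first sample event is returned by `triage`; the two benign events score zero. In a real deployment the same three checks map directly onto a process-creation rule keyed on parent image, command-line length and the presence of a hidden-window switch.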

Security researchers at several firms have detailed this method, labelling the pairing of the “FileFix” social engineering approach with “cache smuggling” as particularly effective at bypassing established defences. The cache smuggling component embeds the malicious payload in what appears to be an innocuous JPEG image, which the browser caches after a JavaScript-driven image request. When the PowerShell script later scans the cache, it locates the ZIP archive and runs the installer or loader. This chain neatly sidesteps many detection tools that focus on monitoring network traffic or file downloads.
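Because the payload reaches disk as a browser cache entry rather than as a download, the most direct control is to inspect cache contents for archives wearing an image header. The scanner below is an added example written for this article, not the researchers' tooling: it walks a directory of cache entries, keeps only those that begin with the JPEG signature, and reports any that contain a ZIP archive that `zipfile` can actually parse (a stray `PK\x03\x04` can occur by chance in real image data, so each candidate offset is verified). The three cache entries it builds, named like Chromium's `f_0001xx` files, are constructed samples.

```python
import io
import os
import tempfile
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def looks_like_jpeg(data: bytes) -> bool:
    """True if the entry starts with the JPEG start-of-image marker."""
    return data.startswith(JPEG_MAGIC)


def embedded_zip_offset(data: bytes) -> int:
    """Offset of a parseable ZIP archive inside data, or -1 if none."""
    start = 0
    while True:
        off = data.find(ZIP_LOCAL_HEADER, start)
        if off < 0:
            return -1
        if zipfile.is_zipfile(io.BytesIO(data[off:])):
            return off
        start = off + 1  # a chance match in image data; keep looking


def scan_cache(cache_dir: str, max_bytes: int = 50 * 1024 * 1024) -> list:
    """Report cache entries that look like JPEGs but carry a ZIP archive."""
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path) or os.path.getsize(path) > max_bytes:
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if not looks_like_jpeg(data):
            continue
        off = embedded_zip_offset(data)
        if off >= 0:
            with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
                members = zf.namelist()
            findings.append({"file": name, "zip_offset": off, "members": members})
    return findings


def build_sample_cache(cache_dir: str) -> None:
    """Write three constructed cache entries (sample data, not real captures)."""
    # A minimal genuine JPEG: SOI, a 16-byte APP0/JFIF segment, EOI.
    genuine = (JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xd9")
    # A real ZIP archive with a placeholder member.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("loader.txt", "placeholder payload bytes")
    plain_zip = buf.getvalue()
    # The smuggling pattern: JPEG header, some filler, then the archive.
    disguised = genuine[:-2] + b"\x00" * 32 + plain_zip
    for name, data in (("f_000101", genuine), ("f_000102", disguised), ("f_000103", plain_zip)):
        with open(os.path.join(cache_dir, name), "wb") as fh:
            fh.write(data)


def demo() -> list:
    """Build the sample cache in a temporary directory and scan it."""
    cache_dir = tempfile.mkdtemp(prefix="cache-scan-")
    build_sample_cache(cache_dir)
    return scan_cache(cache_dir)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['file']}: ZIP at offset {finding['zip_offset']}, members {finding['members']}")
```

Only `f_000102` is reported: the genuine JPEG has no archive, and the bare ZIP is not disguised as an image (a plain archive in the cache is a different signal, covered by ordinary download monitoring). Pointing `scan_cache` at a real browser cache directory works unchanged; entries larger than `max_bytes` are skipped to bound memory use.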

The evolution of the FileFix attack is significant. Originally a proof-of-concept framework that asked victims to paste a command into a system dialog, the technique has matured into a full-fledged malware delivery mechanism. One incident observed by analysts involved the use of steganography within a JPG image, multilingual phishing infrastructure, and multilayer payloads delivering a specialised infostealer designed to harvest browser data, wallets, messaging applications and cloud credentials.

Global targeting appears to be in motion. Phishing pages have been hosted on legitimate-looking, multilingual sites. Threat actors are automating the creation of “Fix”-style attack kits, enabling rapid roll-out of variants. Among the payloads detected were ransomware-style modules and covert loaders capable of pivoting into broader infection networks. The attackers’ preference for skipping explicit downloads and network requests has elevated the campaign’s stealth profile.
