A dangerous new FileFix campaign is leveraging a technique called cache smuggling to deliver malware onto victims’ computers without triggering traditional security defenses. Researchers warn the tactic is being used in phishing lures that impersonate a Fortinet VPN compliance tool, with the goal of infiltrating enterprise networks.

The campaign was first spotted by independent researcher P4nd3m1cb0y and analyzed by cybersecurity firm Expel, with details published by Marcus Hutchins. Expel’s team says the attack demonstrates how social engineering tricks can be paired with browser cache manipulation to plant malware in ways that bypass antivirus and endpoint detection tools.
FileFix: From ClickFix to Cache Smuggling
FileFix is a variant of the ClickFix attack, originally created by security researcher Mr.d0x. ClickFix tricks users into pasting malicious commands into Windows dialogs. FileFix takes the idea further, using the Windows File Explorer address bar as the execution point for hidden PowerShell commands. This allows malware to run in the background without raising obvious red flags for the victim.

In this campaign, attackers disguise their lure as a Fortinet VPN Compliance Checker. Victims are told to copy and paste a network path that appears safe: \\Public\Support\VPN\ForticlientCompliance.exe. However, what actually lands on the clipboard is much longer. It is padded with 139 spaces that hide a malicious PowerShell script. When pasted into File Explorer, the path looks normal, but pressing Enter silently launches the hidden command with conhost.exe in headless mode.
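The padded-clipboard trick described above can be caught on the defender's side by splitting what was pasted (or a logged process command line) into the visible decoy, the whitespace run and the hidden remainder. This is an added Python example, not code from the researchers or the campaign; the 139-space sample clipboard content, the placeholder command and the MIN_PADDING threshold are constructed assumptions.

```python
import re

# Constructed sample: the visible path from the lure followed by 139 spaces and a
# placeholder command. The placeholder stands in for the hidden PowerShell; it is
# not the campaign's script.
VISIBLE_PATH = r"\\Public\Support\VPN\ForticlientCompliance.exe"
CONSTRUCTED_CLIPBOARD = VISIBLE_PATH + " " * 139 + "powershell -w hidden -c <HYPOTHETICAL_PAYLOAD>"

# Assumed threshold: a whitespace run long enough to push the real command out of
# the visible part of the Explorer address bar.
MIN_PADDING = 20
# Interpreters that commonly follow the padding (matched case-insensitively).
HIDDEN_INTERPRETERS = ("powershell", "pwsh", "cmd", "conhost", "mshta", "wscript", "cscript")

# decoy = what the user sees, pad = the whitespace run, hidden = what actually runs
PADDED_COMMAND_RE = re.compile(
    rf"^(?P<decoy>\S.*?\S)(?P<pad>[ \t]{{{MIN_PADDING},}})(?P<hidden>\S.*)$", re.DOTALL
)


def analyze_paste(text: str) -> dict:
    """Split pasted text (or a logged command line) into decoy / padding / hidden
    parts and flag it when the hidden part starts with a command interpreter."""
    m = PADDED_COMMAND_RE.match(text)
    if not m:
        return {"suspicious": False, "decoy": text, "pad_len": 0, "hidden": ""}
    hidden = m.group("hidden")
    # First token of the hidden part, minus surrounding quotes and any directory path.
    first_token = hidden.split()[0].strip('"').lower().rsplit("\\", 1)[-1]
    return {
        "suspicious": any(first_token.startswith(i) for i in HIDDEN_INTERPRETERS),
        "decoy": m.group("decoy"),
        "pad_len": len(m.group("pad")),
        "hidden": hidden,
    }


if __name__ == "__main__":
    for sample in (VISIBLE_PATH, CONSTRUCTED_CLIPBOARD):
        print(analyze_paste(sample))
```

The same function applies to the CommandLine field of process-creation telemetry, where the padded string survives the paste.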
How Cache Smuggling Delivers the Payload
The PowerShell script does not download malware directly. Instead, it creates a directory under %LOCALAPPDATA%\FortiClient\compliance and copies Chrome’s cache files into it. The script then scans the cache with regex patterns, looking for text markers “bTgQcBpv” and “mX6o0lBw.” Between those markers is a malicious ZIP file disguised as an image, which is extracted to ComplianceChecker.zip and unpacked.
This is possible because the phishing site had already forced the browser to fetch a so-called “image/jpeg” file through obfuscated JavaScript. The file wasn’t a picture at all but a compressed archive embedded in the cache. Since the browser treated it as a harmless image and stored it locally, no download was flagged. Later, the PowerShell script simply retrieved the data from the cache and executed the included malware.
“By letting the browser cache the fake image, the malware is able to get an entire zip file onto the local system without the PowerShell command needing to make any web requests,” Hutchins explained. This tactic bypasses tools that monitor for downloads or network connections, making it especially evasive.
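To hunt for the smuggled archive on disk, a defender can scan raw browser cache blobs for ZIP structure that the declared image type does not explain. This added Python example (not code from the researchers or the campaign) carves any embedded ZIP by its local-file-header and end-of-central-directory signatures and validates it with the standard library; the marker strings and the wrapped sample archive are constructed placeholders, and the image/jpeg check assumes the caller has already pulled the declared content type out of the cache entry's stored response headers.

```python
import io
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record: 22 bytes + optional comment


def carve_embedded_zips(blob: bytes) -> list:
    """Locate ZIP archives hidden anywhere in a blob (e.g. a raw cache file).

    For each local-file-header signature, carve up to the end of the next EOCD
    record and accept the slice only if zipfile can open it, it has members,
    and every member passes its CRC check."""
    findings, start = [], 0
    while (off := blob.find(ZIP_LOCAL_HEADER, start)) != -1:
        eocd = blob.find(ZIP_EOCD, off)
        if eocd == -1:
            break
        comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
        end = eocd + 22 + comment_len
        try:
            with zipfile.ZipFile(io.BytesIO(blob[off:end])) as zf:
                if zf.namelist() and zf.testzip() is None:
                    findings.append({"offset": off, "members": zf.namelist()})
                    start = end
                    continue
        except zipfile.BadZipFile:
            pass
        start = off + len(ZIP_LOCAL_HEADER)  # false signature; keep scanning
    return findings


def looks_like_smuggled_image(declared_type: str, body: bytes) -> bool:
    """Declared as a JPEG by the stored response headers, but the body carries
    no JPEG magic and does carry a valid ZIP: the cache-smuggling pattern."""
    if declared_type.split(";")[0].strip().lower() != "image/jpeg":
        return False
    return not body.startswith(JPEG_MAGIC) and bool(carve_embedded_zips(body))


def build_constructed_sample() -> bytes:
    """Constructed test blob: a real ZIP wrapped in placeholder marker strings
    (the campaign used its own markers) and padding bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", "constructed sample, not a real payload")
    return b"\x00" * 64 + b"MARKER_START" + buf.getvalue() + b"MARKER_END" + b"\x00" * 64
```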
Growing Interest from Attackers
Security experts warn that the technique is already being adopted. Similar to past ClickFix campaigns, cybercriminals are quick to repurpose new methods once they are disclosed. Researchers note that ransomware operators and infostealer distributors have been experimenting with FileFix, raising concerns about its potential spread in targeted attacks.
ClickFix Toolkits Broaden the Threat
To make matters worse, researchers at Palo Alto Unit 42 have discovered a toolkit called the IUAM ClickFix Generator. This kit lets attackers build custom phishing pages that mimic services like Cloudflare, Microsoft 365, and Speedtest. The generated lures trick users into copying hidden commands from fake CAPTCHAs or login checks. Depending on the operating system, these payloads can drop Windows infostealers like DeerStealer or Mac malware such as Odyssey.
Defenses and Recommendations
Experts recommend several defensive measures against FileFix and cache smuggling attacks. Security teams should monitor for unusual processes accessing browser cache directories, restrict PowerShell where possible, and deploy DNS filtering to block suspicious domains such as fc-checker[.]dlccdn[.]com. User education remains essential, since the attack relies heavily on tricking people into pasting commands they do not understand.
Enterprises are advised to review their security posture, ensuring that monitoring tools can detect hidden PowerShell execution, clipboard manipulation, and cache abuse. Raising awareness across employees about why copying commands from websites is dangerous may also reduce the success of these lures.
Why Cache Smuggling Matters
Cache smuggling takes advantage of how web browsers store files locally. By delivering a malicious ZIP archive disguised as a JPEG image, attackers bypass layers of security that focus on downloads and network traffic. Once stored, the payload can be activated later with a single hidden command. This combination of social engineering and technical trickery demonstrates how phishing campaigns continue to evolve, often outpacing traditional defenses.
The discovery highlights the need for ongoing vigilance. As Hutchins noted, this is “equal parts simple and complex” — simple for attackers to deploy, but complex enough to evade detection. Security teams should expect to see more campaigns adopt similar techniques in the months ahead.

