FileFix: The Next Stage in Social Engineering’s Evolution

It started with fake CAPTCHAs—clever little “prove you’re human” pop-ups that tricked users into granting permissions or pasting malicious commands. That technique, dubbed ClickFix, relied on social engineering to turn a harmless-looking interaction into a security breach.

Now, attackers have taken that formula and supercharged it. FileFix, spotted by Check Point Research, builds on the ClickFix model but removes friction. Instead of just copying a malicious command to your clipboard, FileFix automatically launches Windows File Explorer using the file:// protocol. At the same time, it places a PowerShell command disguised as a file path into your clipboard.

From there, it’s pure psychology: users are conditioned to paste a copied path into the Explorer address bar and hit Enter. But instead of opening a folder, the hidden PowerShell command executes—often with no visible signs anything happened. Current tests have used benign payloads, but it’s only a matter of time before real malware replaces them.

This evolution from ClickFix to FileFix shows how phishing techniques adapt. Attackers don’t just invent new tricks—they refine ones that already work, making them faster, smoother, and more convincing. Fake CAPTCHAs were effective because they felt routine; FileFix is even more dangerous because it feels like you’re just navigating your own PC.

Protecting against FileFix starts with awareness. No legitimate site will ever tell you to paste commands into File Explorer. Treat unexpected Explorer pop-ups as red flags, verify instructions with IT before acting, and configure endpoint security to flag unexpected PowerShell executions.
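One way to express the "flag unexpected PowerShell executions" advice as detection logic, shown as an added example that is not from Check Point or the original page. It assumes process-creation events with Sysmon Event ID 1 field names; the parent list, the extension list and the sample events are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: File Explorer, plus browsers because the lure starts on a web page.
SUSPECT_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumption: a drive-letter path ending in a document extension is decoy text.
DOC_PATH = re.compile(r"(?i)[a-z]:\\[^\"'|<>*?\r\n]*\.(?:pdf|docx?|xlsx?|txt)\b")

def is_inline_switch(token):
    """True for -Command / -EncodedCommand and their accepted abbreviations."""
    if token[:1] not in "-/":
        return False
    name = token[1:].lower()
    return bool(name) and ("command".startswith(name)
                           or "encodedcommand".startswith(name) or name == "ec")

def classify(event):
    """Return 'none', 'review' or 'high' for one process-creation event."""
    image = basename(event["Image"]).lower()
    parent = basename(event["ParentImage"]).lower()
    if image not in POWERSHELL or parent not in SUSPECT_PARENTS:
        return "none"
    cmdline = event["CommandLine"]
    if not any(is_inline_switch(t) for t in cmdline.split()[1:]):
        return "none"  # interactive console or -File script, not an inline command
    return "high" if DOC_PATH.search(cmdline) else "review"

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample events with benign command lines only.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": r'powershell.exe -NoProfile -c "Write-Output test" C:\Users\alice\Documents\Q3-report.docx'},
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": "powershell.exe"},
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"Image": PS, "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "powershell.exe -enc PLACEHOLDER_BASE64"},
]

def triage(events):
    return [classify(e) for e in events]

if __name__ == "__main__":
    for ev, level in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{level:6} {ev['CommandLine']}")
```

Explorer can launch PowerShell for legitimate reasons, so a "review" result needs context such as the user's role and what the browser was doing just before the event.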

Reference: Check Point
