Meta account‑suspension scam deploys FileFix malware
Researchers at Acronis disclosed a phishing campaign built on a technique called FileFix that impersonates Meta support and tricks victims into pasting a disguised PowerShell command into the Windows File Explorer address bar. The command fetches an obfuscated payload (staged on Bitbucket) that ultimately installs the StealC infostealer, which harvests browser credentials, authentication cookies, messaging‑app data, cryptocurrency wallets and cloud credentials (AWS/Azure). The tactic—credited to a Red Team researcher known as mr.d0x—has been observed in multiple rapidly evolving variants and poses a direct threat to Facebook/Instagram users and to the organizations whose credentials are harvested from them.
🔍 Key Facts
- Acronis researchers reported the FileFix campaign on Oct. 2, 2025 and attributed the technique to researcher/operator mr.d0x.
- Attack vector: victims are lured by a fake Meta 'incident report' and instructed to paste a long PowerShell command (hidden behind a fake file path) into the File Explorer address bar, triggering execution.
- Payload: the command downloads an obfuscated file from Bitbucket that extracts and decrypts the StealC infostealer, which targets browsers (Chrome, Firefox, Opera), messaging apps (Discord, Telegram), VPNs, crypto wallets and cloud accounts (AWS/Azure).
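As an added defender-side example (not code from the Acronis report or this article), the Python below scans constructed Sysmon-style process-creation events for the FileFix pattern described above: a shell spawned by explorer.exe whose command line carries a whitespace-padded decoy file path. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the events, the decoy path and the redacted placeholder for the downloader are all constructed, and the thresholds are assumptions to tune against your own telemetry.

```python
import re

# Constructed sample events in a simplified Sysmon Event ID 1 shape; not real telemetry.
SAMPLE_EVENTS = [
    {   # FileFix-style: Explorer address bar launched PowerShell; the command is padded so
        # only a decoy "file path" was visible in the bar (stage-1 downloader redacted here)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command <redacted stage-1>"
                       + " " * 200 + r"# C:\Users\Public\Downloads\Meta_Incident_Report.pdf",
    },
    {   # Benign: a user typed "powershell" into the address bar by hand
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell",
    },
    {   # Benign: a scheduled task running a maintenance script
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\cleanup.ps1",
    },
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
# A run of 8+ spaces followed by a Windows-style path: the decoy that pushes the real
# command out of view in the File Explorer address bar (8 is an assumed threshold).
DECOY_PATH = re.compile(r"\s{8,}#?\s*[A-Za-z]:\\[^\s]+")

def filefix_indicators(event):
    """Return the list of FileFix-style indicators matched by one process-creation event."""
    hits = []
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if parent.endswith("\\explorer.exe") and image.endswith(SHELLS):
        hits.append("shell spawned by explorer.exe (address-bar execution)")
    if DECOY_PATH.search(cmd):
        hits.append("whitespace-padded decoy file path in command line")
    if "-windowstyle hidden" in cmd.lower() or " -w hidden" in cmd.lower():
        hits.append("hidden window requested")
    return hits

def is_filefix_candidate(event):
    """Flag only when an Explorer-launched shell is combined with at least one more indicator."""
    hits = filefix_indicators(event)
    via_explorer = any(h.startswith("shell spawned") for h in hits)
    return via_explorer and len(hits) >= 2

def scan(events):
    """Return the indexes of events that look like FileFix address-bar execution."""
    return [i for i, ev in enumerate(events) if is_filefix_candidate(ev)]
```

Requiring the Explorer-parent indicator plus one more keeps a user who simply types `powershell` into the address bar from being flagged, while the padded decoy path or a hidden-window request is enough to surface the campaign's pattern.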