New FileFix Attack Uses Cache Manipulation to Bypass Antivirus

09.10.2025 2 minutes Author: Newsman

Researchers have detected a new wave of FileFix social engineering attacks that use cache smuggling, a technique that hides malicious files in the browser cache. Because no visible download ever takes place, the technique bypasses most security controls.

The campaign disguises itself as a “Fortinet VPN Compliance Checker”. The victim is asked to paste what looks like a legitimate path to a corporate application into the Windows File Explorer address bar; the pasted string actually contains a hidden PowerShell command.

After pressing Enter, it silently runs a script that:

  • creates the folder %LOCALAPPDATA%\FortiClient\compliance;
  • copies the Chrome cache to a new directory;
  • searches the cache for hidden ZIP archives embedded in fake JPEG images;
  • unpacks them and runs the malicious FortiClientComplianceChecker.exe.

The cache smuggling technique lets attackers pre-place an infected archive in the browser cache by serving it as an “image”. Because the browser caches it like any other image, the security system does not register a download, and the antivirus does not treat it as a threat.
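The list of script stages above and the description of the smuggled “image” both come down to one artefact a defender can hunt for: a cache entry that begins like a JPEG but carries a ZIP archive. The following scanner is an added example, not code from the article, from Expel, or from any vendor; it assumes the cache has already been copied to a directory you control, and the sample polyglot it builds for its own demonstration is a constructed fixture (the member name checker.exe is a placeholder). It lists the archive members without extracting or executing anything.

```python
"""Hunt for ZIP archives smuggled inside files that present as JPEG images.

Added example, not part of the original article. It models the artefact the
article describes (a browser cache entry served as an "image" whose bytes
actually carry a ZIP archive) and flags such files without unpacking them.
"""
import io
import os
import tempfile
import zipfile

JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"            # ZIP end-of-central-directory signature


def find_embedded_zip(data: bytes):
    """Return (offset, member_names) if `data` is a JPEG-fronted ZIP, else None.

    Requirements, in order: the file starts with the JPEG SOI marker, a ZIP
    local file header appears after it, an EOCD record follows that header,
    and the bytes from the header onward parse as a real archive. The last
    check keeps a stray 'PK' inside genuine image data from being reported.
    """
    if not data.startswith(JPEG_SOI):
        return None
    off = data.find(ZIP_LOCAL_HEADER, len(JPEG_SOI))
    if off == -1 or ZIP_EOCD not in data[off:]:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
            return off, zf.namelist()
    except zipfile.BadZipFile:
        return None


def scan_directory(root: str):
    """Walk `root` (e.g. a copied Chrome cache) and return (path, offset, members) hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable entry; skip rather than abort the hunt
            found = find_embedded_zip(data)
            if found:
                hits.append((path, found[0], found[1]))
    return hits


def build_sample_polyglot(member_name="checker.exe", payload=b"placeholder bytes"):
    """Constructed test fixture: JPEG SOI marker, padding, then a real ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return JPEG_SOI + b"\x00" * 13 + buf.getvalue()


def demo():
    """Write one constructed polyglot and one clean file to a temp dir, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "f_000001"), "wb") as fh:
            fh.write(build_sample_polyglot())
        with open(os.path.join(tmp, "f_000002"), "wb") as fh:
            fh.write(JPEG_SOI + b"\xe0" + b"\x00" * 32)  # harmless image-like bytes
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, offset, members in demo():
        print(f"{path}: ZIP at offset {offset}, members {members}")
```

Run it against a copy of the cache rather than the live cache directory, and treat every hit as a sample to hash and retain: the member list alone (an .exe inside an "image") is usually enough to tell a smuggled archive from a legitimate cached picture.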

Researcher Marcus Hutchins (Expel) explains that none of the stages involve direct web requests, so the scripts look “clean” to signature-based systems. The method has been actively picked up by groups distributing infostealers and ransomware, in particular DeerStealer and Odyssey.

FileFix is an updated version of the ClickFix technique created by hacker mr.d0x. It manipulates users into manually running commands in system dialogs.

In parallel, researchers from Palo Alto Networks Unit 42 discovered ClickFix Generator, a toolkit that lets criminals build phishing pages imitating services such as Cloudflare, Microsoft 365, Teams, Speedtest, Claude and others.

The generator interface allows you to select a color scheme, change texts, and generate Base64 commands for macOS or PowerShell for Windows.

FileFix with cache manipulation is a prime example of how social engineering combines with technical tricks. Users should never copy commands from websites into system dialogs, even if they look official. Companies are advised to update security policies, train employees, and filter potentially malicious PowerShell invocations.
