Fake Facebook Pages Used in FileFix Infostealer Campaign
Researchers at cybersecurity firm Acronis have discovered an active FileFix campaign that exploits fake Facebook pages. The attackers create highly convincing pages and deploy advanced techniques to evade detection and reach victims worldwide.
According to the report published by Acronis, the phishing campaign detected is a rare example of a Fix attack, in which victims are tricked into executing malicious code under the guise of “fixing” an issue. In this case, the attackers leveraged the file upload feature to run commands on the victim’s device in what is known as a FileFix attack — a term first introduced by cybersecurity expert mr.d0x just a few months ago.
“The discovered attack not only leverages FileFix, but, to our knowledge, is the first example of such an attack that does not strictly adhere to the design of the original proof of concept (POC) demonstrated by Mr. d0x in July, 2025,” wrote Eliad Kimhy, cybersecurity expert at Acronis.
Kimhy noted that the attackers likely masquerade as Facebook security and send phishing emails that redirect recipients to an elaborate fake page.
Once on the phishing site, victims are led to believe that their Facebook account has been reported and will be suspended within seven days unless they submit an appeal.
“When the victim chooses to appeal, they are told that a PDF file has been shared with them by the Meta team,” said Kimhy. “To view the file, and, within it, the instructions for appealing their suspension, they are asked to ‘open File Explorer’ and paste the file path to the PDF file.”
In reality, this opens a file upload window, and the path pasted into the address bar acts as the payload — the script that installs malware. Once executed, the StealC malware is installed, capable of accessing cryptocurrency wallets, cloud credentials, messaging apps, and even downloading additional malware.
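For defenders, the execution step described above leaves a recognizable trace: a command typed into the address bar of a browser-opened file dialog runs as a child of the browser process. The following hunt over process-creation events is an added example, not code from Acronis or the report; the process lists, the native-messaging exclusion and the sample events are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed process lists; extend them for the software in your environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Chromium starts native-messaging hosts through cmd.exe with these pipe names;
# treated here as a benign pattern (heuristic, tune before relying on it).
BENIGN_MARKERS = ("chrome.nativemessaging.in.", "chrome.nativemessaging.out.")

def image_name(path):
    """Return the lower-cased executable name from a Windows image path."""
    return PureWindowsPath(path or "").name.lower()

def is_filefix_candidate(event):
    """True when a browser directly starts a command interpreter."""
    if image_name(event.get("ParentImage")) not in BROWSERS:
        return False
    if image_name(event.get("Image")) not in INTERPRETERS:
        return False
    cmdline = (event.get("CommandLine") or "").lower()
    return not any(marker in cmdline for marker in BENIGN_MARKERS)

def hunt(events):
    """Return the ProcessId of every event worth an analyst's review."""
    return [e["ProcessId"] for e in events if is_filefix_candidate(e)]

# Constructed sample events; field names follow Sysmon Event ID 1.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4312, "ParentImage": CHROME,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe <constructed placeholder>"},
    {"ProcessId": 2208, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessId": 3344, "ParentImage": CHROME, "Image": CHROME,
     "CommandLine": "chrome.exe --type=renderer"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "cmd.exe /c <constructed placeholder>"},
    {"ProcessId": 6100, "ParentImage": CHROME, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /d /c "C:\Tools\host.exe" < \\.\pipe\chrome.nativeMessaging.in.1a2b'},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

A hit is a lead for review rather than a verdict, since some enterprise tooling also launches interpreters from a browser.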
“From start to finish, the attackers behind this threat had put a lot of effort into every aspect of the attack,” said Kimhy.
The researcher notes that the campaign has expanded to target victims worldwide through a multilingual approach, with phishing pages observed in 16 languages, including Spanish, German, French, and Russian.
Kimhy emphasized that while this FileFix case is both rare and novel, the more common variant of Fix attacks, ClickFix, has surged by 500% in recent months. In March, a ClickFix campaign exploited Microsoft SharePoint.