Overview

• Acronis reported an in‑the‑wild FileFix operation that impersonates Facebook Security with multilingual suspension warnings to coerce victims into pasting a copied string into File Explorer.
• Clicking a “Copy” button places a spaced‑out PowerShell command on the clipboard so only a benign‑looking path appears in the address bar before the script executes.
• The first stage fetches JPG images from Bitbucket that hide a plaintext PowerShell second stage and encrypted executables, enabling payload changes while leveraging a trusted host.
• A Go‑based loader performs sandbox checks, decrypts shellcode, and launches StealC v2, which targets browser credentials and cookies, messaging apps, cloud keys, VPNs, gaming clients, wallets, and screenshots.
• Researchers observed rapid iteration over roughly two weeks with multiple variants, infrastructure shifts, and VirusTotal submissions from many countries, and they advise user training plus controls to block and monitor browser‑spawned PowerShell and similar processes.