FileFix Campaign Expands Fix Attack Family With StealC Delivery
Acronis’ Threat Research Unit has documented the first real-world deployment of FileFix, a successor to the ClickFix social engineering technique. Unlike ClickFix, which tricks users into pasting malicious commands into the Windows Run dialog, FileFix abuses the universal file upload window, where victims are manipulated into pasting what appears to be a legitimate file path into the address bar. The campaign leverages phishing sites disguised as Facebook Security pages, warning of imminent account suspension and urging users to retrieve appeal instructions from a supposed PDF file. Instead, the “path” conceals fragmented and obfuscated PowerShell commands, padded with whitespace to hide the malicious execution from the victim. At the same time, the broader infrastructure employs advanced obfuscation (compressing 18,000 lines of malicious JavaScript into just 12) and localization across 16 languages, indicating a well-funded actor intent on targeting diverse geographies. The attack chain introduces steganography as a delivery method, embedding malicious scripts in AI-generated JPG images hosted on BitBucket, which are then decrypted and executed in memory to stage further payloads. These scripts extract DLLs and executables that launch under conhost[.]exe, self-delete within minutes, and throw fake “file cannot be opened” errors to divert suspicion. The final stage employs a Go-based loader with encrypted API calls, anti-VM checks, and modular shellcode execution to deliver StealC, a mature stealer that targets over a dozen browsers, multiple cryptocurrency wallets, cloud credentials, messaging clients, and VPN applications. StealC’s breadth enables both credential harvesting and large-scale data exfiltration across enterprise and consumer targets. Campaign telemetry from VirusTotal reveals submissions spanning the U.S., Europe, and Asia, confirming FileFix’s global scope.
To mitigate, organizations should implement strict attachment and script-blocking policies for inbound email, coupled with endpoint monitoring to detect unauthorized JavaScript or PowerShell execution from temporary directories.
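As an added illustration of the endpoint monitoring the mitigation above calls for (example code, not from Acronis’ report), the following Python classifier flags process-creation events with the FileFix command-line shape, a PowerShell command followed by a long whitespace run and a decoy document path, as well as PowerShell invocations that reference temporary directories. The event fields, the padding threshold and the sample events are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Matches a PowerShell host in an image path or command line.
POWERSHELL = re.compile(r'(?:^|[\\/\s"])(?:powershell|pwsh)(?:\.exe)?\b', re.IGNORECASE)
# FileFix shape: command text, a long whitespace run, then a decoy document path at the end.
# The 50-character padding threshold is an assumption, not a value from the report.
PADDED_DECOY = re.compile(r'\S.*?\s{50,}[A-Za-z]:\\[^\s"]+\.(?:pdf|docx?|txt)\s*$', re.IGNORECASE)
# Temporary directories named in the mitigation guidance.
TEMP_DIR = re.compile(r"\\(?:Temp|AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged
    parent_image: str   # parent process path (kept for analyst context only)

def classify(event: ProcessEvent) -> list:
    """Return the detection names that apply to one process-creation event."""
    findings = []
    if POWERSHELL.search(event.image) or POWERSHELL.search(event.command_line):
        if PADDED_DECOY.search(event.command_line):
            findings.append("filefix-padded-command")
        if TEMP_DIR.search(event.command_line):
            findings.append("powershell-from-temp-dir")
    return findings

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events: no real payload, only the padding and decoy-path shape.
SAMPLE_EVENTS = [
    ProcessEvent(PS_IMAGE,
                 'powershell -c "Write-Host placeholder"' + " " * 120
                 + r"C:\company\internal-secure\appeal.pdf",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent(PS_IMAGE,
                 r"powershell -File C:\Users\u\AppData\Local\Temp\stage.ps1",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(PS_IMAGE,
                 r"powershell -File C:\Scripts\backup.ps1",
                 r"C:\Windows\System32\svchost.exe"),
]

def scan(events) -> list:
    """Pair each triggering event's parent image with its findings."""
    return [(e.parent_image, classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for parent, findings in scan(SAMPLE_EVENTS):
        print(parent, findings)
```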
PureHVNC RAT Developers Exploit GitHub Repositories to Advance Malware Ecosystem
Check Point Research has uncovered that the developers behind the PureHVNC remote access trojan (RAT) are abusing GitHub repositories to host components of their Pure malware family, directly tying the malware's infrastructure to the author, known as PureCoder. During an eight-day ClickFix phishing campaign, attackers lured victims with fake job offers that delivered a Rust loader and multiple PureHVNC RAT instances before deploying the Sliver C2 framework. PureHVNC maintained persistence through scheduled tasks and encrypted communications, exfiltrating antivirus details, OS information, and application data in compressed 16 KB chunks. Analysis revealed a modular plugin system stored in registry keys, integration with PureCrypter for obfuscation, and the ability to enable hidden remote access, keylogging, webcam capture, reverse proxying, and DDoS functionality. Notably, the RAT contacted hardcoded GitHub URLs embedded in its builder, indicating that PureCoder, rather than affiliates, operates these accounts. Metadata from commits placed the developer in the UTC+0300 timezone, likely Eastern Europe or Western Asia, offering attribution leads. The Pure malware ecosystem is actively sold via Telegram channels and forums, giving cybercriminals a ready-made toolkit for espionage, financial theft, and disruption. Hosting malware modules on GitHub provides high availability, legitimate HTTPS coverage, and simplified version control; however, it also leaves investigators with a traceable footprint through commit patterns and account activity. Organizations should monitor for suspicious GitHub API traffic, enforce detections on scheduled tasks invoking GitHub resources, and strengthen endpoint monitoring against PowerShell execution, AMSI bypasses, and Rust-based loaders. Proactive threat hunting for emerging Pure malware variants and enforcing strict code-source validation can help organizations stay ahead of PureCoder’s evolving tradecraft.
RevengeHotels Evolves with AI-Generated Loaders and VenomRAT in Hospitality Sector Attacks
RevengeHotels (TA558) has escalated its long-standing hospitality-focused campaigns by leveraging AI-generated loader scripts and deploying the advanced VenomRAT implant against Windows systems. The infection chain begins with phishing emails themed around overdue invoices or fake job applications, targeting hotel reservation and HR accounts. Victims redirected to attacker-controlled portals receive modular JavaScript loaders, often generated by large language models, that download and execute PowerShell scripts in memory. These scripts fetch obfuscated payloads, which ultimately load VenomRAT directly into memory, thereby bypassing disk-based detection. VenomRAT expands on QuasarRAT’s feature set, offering hidden VNC, reverse proxy, UAC exploitation, file theft, and anti-forensic measures, including event log clearing and Defender termination. Persistence is achieved through registry RunOnce keys, looping VBS scripts, and even critical process designation, while network communications are encrypted, compressed, and tunneled through ngrok to bypass perimeter defenses. This marks a significant evolution from RevengeHotels’ earlier campaigns, which relied on malicious document attachments exploiting vulnerabilities to deliver RAT families including RevengeRAT, NjRAT, and ProCC. Over time, the group expanded its arsenal with additional tools before transitioning to VenomRAT as its primary payload. Campaigns have consistently targeted Brazil but now include Spanish-speaking markets across Latin America, with phishing lures crafted in multiple languages to broaden reach. The use of AI-generated scripts reflects a growing trend in cybercrime, where less technically skilled operators can scale attacks with cleaner, modular, and easily modified code. The infrastructure also demonstrates adaptive resilience, using Portuguese-themed rotating domains and legitimate hosting services to avoid blacklisting.
Organizations can mitigate this by enforcing advanced email security, including sandboxing for attachments, blocking script-based loaders, and monitoring hotel reservation and HR inboxes for invoice-themed phishing attempts.
Python-Based XillenStealer Emerges as Modular, Open-Source Threat Targeting Windows Users and Crypto Wallets
XillenStealer, discovered by Cyfirma researchers, is a new Python-based information stealer attributed to the Russian-speaking group Xillen Killers. It is designed to harvest sensitive data from Windows users, including browser credentials, Discord tokens, Steam accounts, Telegram sessions, and cryptocurrency wallets. Distributed through the “XillenStealer Builder V3.0” interface with a Tkinter GUI, the malware enables even low-skilled operators to configure payloads, authenticate builds via SHA-256 hashing, and exfiltrate data through Telegram bots. Its modular structure allows selective targeting of applications and services, while persistence is achieved through scheduled tasks disguised as system maintenance. XillenStealer also integrates multiple evasion methods, including checking for virtualization environments, detecting sandbox drivers, and identifying forensic and debugging tools, while attempting limited process injection into explorer[.]exe to blend in with normal Windows processes. The malware’s data exfiltration workflow is highly structured. It queries browser SQLite databases, decrypts stored credentials, and generates HTML and text reports before transmitting them via Telegram. To ensure large datasets are delivered reliably, XillenStealer splits archives into segments under 45 MB for efficient transfer and deletes local traces after upload. Publicly available on GitHub under the developer alias BengaminButton, the malware lowers the barrier to entry and highlights the growing professionalization of cybercrime ecosystems, with features such as builders, documentation, and community support. Mitigation requires deploying behavior-based endpoint detection capable of flagging unauthorized database access, process injection attempts, and suspicious Telegram traffic.
Organizations should also enforce least-privilege policies, monitor for persistence mechanisms including rogue scheduled tasks, and conduct regular user awareness training to prevent infections from software sourced outside trusted repositories.
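Both the PureHVNC and XillenStealer summaries above point to scheduled tasks as a detection opportunity: tasks whose actions reach out to GitHub resources, and tasks named to look like system maintenance while running from user-writable paths. The following Python triage routine, an added example rather than code from either report, parses a Task Scheduler XML definition and flags those two patterns; the sample task definitions, the name heuristics, the path patterns and the inclusion of the Telegram API host are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Hosts the summaries associate with Pure malware hosting (GitHub) and XillenStealer
# exfiltration (Telegram bots); treating them as suspicious in a task action is an assumption.
REMOTE_HOSTS = re.compile(r"(?:raw\.)?github(?:usercontent)?\.com|api\.telegram\.org", re.IGNORECASE)
# User-writable locations where a task posing as "system maintenance" should not live.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.IGNORECASE)
# Name fragments that mimic legitimate maintenance jobs (assumed heuristic).
MAINTENANCE_NAMES = re.compile(r"maintenance|update|cleanup|health", re.IGNORECASE)

def triage_task(task_name: str, xml_text: str) -> list:
    """Return the findings for one scheduled-task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS)
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        action = f"{command} {arguments}"
        if REMOTE_HOSTS.search(action):
            findings.append("action-references-github-or-telegram")
        if MAINTENANCE_NAMES.search(task_name) and USER_WRITABLE.search(action):
            findings.append("maintenance-name-from-user-writable-path")
    return findings

# Constructed sample definitions (not real task exports; the URL is a placeholder).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-File C:\Users\u\AppData\Roaming\SystemMaintenance\run.ps1 https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/module.bin</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_task("SystemMaintenance", SUSPICIOUS_TASK))
    print(triage_task("NightlyBackup", BENIGN_TASK))
```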