Rule Info
Name
Suspicious FileFix Execution Pattern
Author
0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content. The clipboard content usually contains commands that download and execute malware, such as information-stealing tools.
Date
2025-11-24 00:00:00
Modified
None
Id
b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
Tags
attack.execution attack.t1204.004
Type
Community Rule
Link to Public Repo
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5763 from @swachchhanda000 - Update ClickFix/FileFix related rules
Date
2025-11-28
Commit
