The How To Guide was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of cybersecurity researchers, writers, and editors continues to help readers maintain their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on The How To Guide are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and detailed examination by the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Fake Facebook Pages Used in FileFix Infostealer Campaign

By Andrea Miliani, Cybersecurity Researcher. Published on September 19, 2025

Researchers at cybersecurity firm Acronis have discovered an active FileFix campaign that exploits fake Facebook pages. The attackers create highly convincing pages and deploy advanced techniques to evade detection and reach victims worldwide.

According to the report published by Acronis, the phishing campaign detected is a rare example of a Fix attack, in which victims are tricked into executing malicious code under the guise of “fixing” an issue. In this case, the attackers leveraged the file upload feature to run commands on the victim’s device in what is known as a FileFix attack — a term first introduced by cybersecurity expert mr.d0x just a few months ago.

“The discovered attack not only leverages FileFix, but, to our knowledge, is the first example of such an attack that does not strictly adhere to the design of the original proof of concept (POC) demonstrated by Mr. d0x in July, 2025,” wrote Eliad Kimhy, Cybersecurity expert at Acronis.

Kimhy noted that the attackers likely masquerade as Facebook security and send phishing emails that redirect recipients to an elaborate fake page.

Once on the phishing site, victims are led to believe that their Facebook account has been reported and will be suspended within seven days unless they submit an appeal.

“When the victim chooses to appeal, they are told that a PDF file has been shared with them by the Meta team,” said Kimhy. “To view the file, and, within it, the instructions for appealing their suspension, they are asked to ‘open File Explorer’ and paste the file path to the PDF file.”

In reality, what opens is a file upload window, and the "path" pasted into its address bar acts as the payload: the script that installs malware. Once the script executes, it installs the StealC malware, which is capable of accessing cryptocurrency wallets, cloud credentials, and messaging apps, and even of downloading additional malware.
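One way to hunt for the behaviour described above, added here as an example and not taken from the Acronis report: flag script interpreters that start underneath a browser process, and note whether their command line carries a document-looking path like the one victims are told to paste. The event field names, the browser and interpreter lists, and the sample events are assumptions constructed for illustration, as is the premise that the upload dialog runs inside the browser process.

```python
import re
from ntpath import basename  # Windows path parsing that works on any OS

# Assumption: the file upload dialog runs inside the browser process, so a
# command entered in its address bar starts as a descendant of the browser.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# A document-looking path inside an interpreter command line (the "file path" lure).
DOC_PATH = re.compile(r'[A-Za-z]:\\[^"|<>]*\.(pdf|docx?|xlsx?)\b', re.I)

def image_name(path):
    return basename(path).lower()

def browser_ancestor(event, by_pid, max_hops=3):
    """Return the browser image name found among the event's ancestors, or None."""
    pid = event["ppid"]
    for _ in range(max_hops):
        parent = by_pid.get(pid)
        if parent is None:
            return None
        name = image_name(parent["image"])
        if name in BROWSERS:
            return name
        pid = parent["ppid"]
    return None

def find_filefix_candidates(events):
    """Flag interpreters launched under a browser; mark those carrying a document path."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) not in INTERPRETERS:
            continue
        browser = browser_ancestor(e, by_pid)
        if browser:
            hits.append({"pid": e["pid"], "browser": browser,
                         "doc_path_lure": bool(DOC_PATH.search(e["cmdline"]))})
    return hits

# Constructed process-creation events (not from the report); payloads are redacted.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Apps\Chrome\chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c <redacted>"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\powershell.exe", "cmdline": r"powershell.exe <redacted> C:\Users\Public\Documents\appeal.pdf"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\powershell.exe", "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]
```

The same parent-child rule can be expressed in an EDR or SIEM query over process-creation telemetry; browsers that legitimately launch helper scripts in a given environment need an allowlist.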

“From start to finish, the attackers behind this threat had put a lot of effort into every aspect of the attack,” said Kimhy.

The researcher notes that the campaign has been expanding and targets victims worldwide through a multilingual approach, with phishing pages observed in 16 languages, including Spanish, German, French, and Russian.

Kimhy emphasized that while this FileFix case is both rare and novel, the more common variant of Fix attacks, ClickFix, has surged by 500% in recent months. In March, a ClickFix campaign exploited Microsoft SharePoint.

About the Author

Andrea Miliani, Cybersecurity Researcher

Andrea is a seasoned tech journalist with a growing passion for cybersecurity, covering cyberattacks, AI breakthroughs, and the latest trends shaping the future of technology.
