FileFix Attack: The Paste-Into-Explorer Scam

FileFix tricks you into pasting a hidden PowerShell command into File Explorer's address bar. Here is how the attack works and how to shut it down.

Sam Carter

If a website ever tells you to copy something and paste it into your File Explorer address bar, close the tab. That single instruction is the entire FileFix attack, and it hands attackers a shell on your PC without a single downloaded file to scan.

Quick answer

FileFix is a social engineering trick where a booby-trapped webpage opens File Explorer and silently copies a disguised PowerShell command to your clipboard. When you paste into the Explorer address bar, Windows runs it and installs malware. The defense is simple: never paste anything you did not personally copy into the File Explorer address bar or the Run dialog, no matter what a webpage claims.

Key takeaways

  • FileFix runs a command you paste, not a file you download, so antivirus has nothing to scan up front.
  • It abuses the File Explorer address bar, which cannot be locked down the way the Run box sometimes is.
  • Payloads launched this way carry no Mark of the Web, so Windows SmartScreen never warns you.
  • The only reliable defense is a rule: never paste commands from a website into Explorer or Run.
  • Real payloads seen in 2026 include LummaC2, Rhadamanthys, and StealC infostealers.

What FileFix actually is

FileFix is the successor to ClickFix, a scam that has dominated social engineering since 2025. Security researcher mr.d0x published the FileFix technique on June 23, 2025, and within two weeks Check Point Research spotted a known threat actor testing it against real victims.

The premise is psychological, not technical. The attacker does not break into your computer. They convince you to run their command yourself, then dress that command up as a routine step: "verify you are human," "fix a display error," or "open the shared document."

Here is the sequence on a malicious page:

  1. The page shows a fake prompt, often a bogus document-sharing screen that says "copy the file path below to open the document."
  2. You click a button. JavaScript quietly writes a long PowerShell command to your clipboard.
  3. The same click opens a real File Explorer window through a standard file-upload dialog.
  4. You paste into the address bar expecting a folder path. Windows treats the pasted text as a command and executes it.

The clipboard text is padded with spaces and comment characters so the visible part looks like an innocent path such as C:\CompanyDocs\Q2-report. The malicious PowerShell scrolls off to the right where you never see it.
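A defender-side check for the clipboard layout described above, as an added example that is not from the original article: it flags text that combines a command interpreter with long whitespace padding or a path tucked behind a `#` comment. The interpreter list, the 10-character padding threshold, and the sample strings are assumptions constructed for illustration.

```python
import re

# Heuristics below are assumptions for this example, not a vendor rule set.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?\b", re.I
)
PADDING = re.compile(r"[ \t\u00a0]{10,}")  # long run of filler whitespace
DECOY_PATH = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^\r\n]*")  # path inside a comment


def filefix_indicators(text: str) -> list[str]:
    """Return the reasons a pasted string or command line resembles a FileFix lure."""
    reasons = []
    if INTERPRETERS.search(text):
        reasons.append("invokes a command interpreter")
    if PADDING.search(text):
        reasons.append("long whitespace padding")
    if DECOY_PATH.search(text):
        reasons.append("path hidden behind a comment marker")
    return reasons


def is_suspicious(text: str) -> bool:
    """An interpreter alone is normal admin use; flag it only with a second indicator."""
    reasons = filefix_indicators(text)
    return "invokes a command interpreter" in reasons and len(reasons) >= 2


# Constructed samples: a real folder path, an ordinary command, and a string
# with the lure's shape wrapped around a harmless command.
SAMPLES = [
    "C:\\CompanyDocs\\Q2-report",
    "powershell -NoProfile -Command Get-Date",
    "powershell -Command Get-Date" + " " * 80 + "# C:\\CompanyDocs\\Q2-report",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious(sample) else "ok"
        shown = sample if len(sample) <= 45 else sample[:42] + "..."
        print(f"{verdict:10} {shown!r} {filefix_indicators(sample)}")
```

The same function can be pointed at the command-line field of process-creation logs, where a padded interpreter command with a trailing commented path is rarely legitimate.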

Why it slips past your defenses

FileFix is dangerous precisely because it dodges the safety nets people rely on. If you understand why, the "never paste" rule stops feeling paranoid and starts feeling obvious.

| Defense you expect to help | Why FileFix beats it |
| --- | --- |
| Antivirus scanning downloads | Nothing is downloaded; you type a command in yourself |
| SmartScreen / Mark of the Web | Programs launched from Explorer carry no web-origin tag |
| Blocking the Run dialog | FileFix uses the Explorer address bar, which cannot be disabled |
| "Look for bad grammar" phishing training | The lure is a clean, believable UI, not a typo-ridden email |

The ClickFix predecessor used the Windows Run dialog (Win+R). Some managed environments disable Run through Group Policy, so attackers pivoted. The File Explorer address bar accepts and executes commands the same way but is a core feature nobody can turn off, which is exactly why FileFix is harder to stamp out.

How to tell you are being targeted

The tell is always an instruction to paste something you did not copy. Legitimate software never asks you to open File Explorer and paste a command into the address bar. Watch for these framings:

  • "To view this document, press Win+E, then paste (Ctrl+V) in the address bar."
  • "Human verification: copy the code below and paste it into File Explorer."
  • "Your browser is out of date. Paste this into Explorer to update."
  • A fake CAPTCHA that says "I am not a robot" but then gives copy-paste steps.

Any of these is the whole attack. The closely related ClickFix fake-CAPTCHA scam uses the identical playbook through the Run box, so treat both the same way.

If you already pasted and ran it

Assume the malware ran and move fast, because the common payloads are infostealers that grab saved passwords and browser cookies within seconds.

  1. Disconnect the machine from the internet immediately (pull Wi-Fi or the cable).
  2. From a different, clean device, change the passwords for your email, bank, and any account whose password lives in your browser.
  3. Sign out of all sessions everywhere so stolen cookies stop working, then re-enable phishing-resistant MFA.
  4. Run a full offline scan with a reputable tool, and if anything is found, consider a clean reinstall of Windows.
  5. Because stolen browser cookies bypass MFA, review our guide to infostealer session-cookie theft for the full cleanup.

What to do right now

Lock in the habit before you ever meet a FileFix page:

  • Adopt one flat rule: never paste a command from a website into File Explorer, the Run dialog, or a terminal.
  • If a page gives you copy-paste "verification" or "fix" steps, close it and reach the service through its real app or a bookmark.
  • Turn on controlled folder access and cloud-delivered protection in Windows Security.
  • Keep browser extensions to a minimum and audit them, since some quietly enable clipboard tricks; see auditing browser extensions.
  • Warn family and coworkers using the exact phrase: "If a site tells you to paste something into Explorer, it is a scam."

Frequently asked questions

Is FileFix a virus I can catch by visiting a site?

No. Visiting the page alone does not infect you. The malware only runs if you personally copy the attacker's text and paste it into File Explorer or the Run box and press Enter. Your active participation is the exploit.

Does this only affect Windows?

The File Explorer address bar version is Windows-specific, but the underlying "paste this command" con has macOS and Linux variants that use the Terminal instead. The rule is the same on every system: never run a command a website hands you.

Will antivirus stop it?

Not reliably at the first step, because you are the one launching the command and there is no file to scan. Behavior-based endpoint protection may catch the payload after it runs, but by then an infostealer has often already grabbed your credentials.

How is FileFix different from ClickFix?

ClickFix funnels you into the Run dialog (Win+R). FileFix uses the File Explorer address bar, which cannot be disabled and produces no SmartScreen warning. Both rely on you pasting and running the attacker's command, so the same defense covers both.
