Cybersecurity researcher mr.d0x, who first documented the original FileFix attack, has revealed a more insidious variation dubbed “FileFix 2.0.” The attack bypasses Windows’ Mark of the Web (MOTW) security feature, the Windows control that warns users about potentially dangerous files downloaded from the internet, by leveraging legitimate browser saving mechanisms combined with HTML Application (HTA) execution.

The weakness lies in how browsers save pages. When a user presses Ctrl+S with the “Webpage, Single File” or “Webpage, Complete” format selected, files served with HTML or XHTML+XML MIME types are written to disk without MOTW. While most file types receive MOTW protection when they come from a browser, HTML and XHTML+XML content saved through the browser’s “Save As” functionality bypasses this security measure entirely.

In the social-engineering scenario, victims believe they are securely storing necessary security credentials; in reality they download and then execute a malicious HTML Application that can run arbitrary commands on their systems. HTA files are a well-established tool in real attack chains: the Hancitor malware family and various nation-state groups have used them for their ability to execute PowerShell commands, download additional payloads, and establish persistent access to compromised systems. HTML Applications are a legacy Windows feature that continues to pose security risks in 2025.

The technique builds on a fast-growing trend. According to the latest ESET Threat Report, ClickFix attacks, the predecessor to FileFix, skyrocketed by 517% in the first half of 2025, becoming the second most common attack vector after phishing and accounting for nearly 8% of all blocked attacks. The original ClickFix technique, which tricks users into executing malicious PowerShell commands disguised as troubleshooting steps, has spawned numerous variants targeting different operating systems and attack scenarios.

FileFix 2.0 represents a concerning evolution in social engineering attacks, demonstrating how threat actors continue to find novel ways to bypass security controls through creative exploitation of legitimate system features. The intersection of legitimate browser functionality with malicious intent creates attack vectors that challenge traditional security assumptions and require adaptive defensive approaches.
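On NTFS the Mark of the Web is stored as the `Zone.Identifier` alternate data stream, an INI-style record whose `ZoneId` field holds the Windows URL security zone (3 is Internet). The audit script below is an added example, written for this page and not taken from the article or from mr.d0x, that walks a downloads folder, checks every saved HTML/HTA file for that stream, and reports which files were saved without MOTW, the exact condition FileFix 2.0 relies on. The set of watched extensions and the verdict strings are this example's own choices; reading the stream only works on Windows/NTFS, and the stream contents used for illustration are constructed.

```python
"""Audit saved HTML/HTA files for a missing Mark of the Web (MOTW).

Added example, not from the original article or from mr.d0x. On NTFS the
MOTW is the Zone.Identifier alternate data stream; this script reports
which watched files carry it, which zone they came from, and which have
none. Any sample stream text used with it is constructed for illustration.
"""
import sys
from pathlib import Path

# Windows URL security zones as recorded in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Extensions the article's technique leaves without MOTW when saved from a
# browser, plus .hta, the HTML Application format the lure asks to run.
# This set is an assumption of the example, not a Windows-defined list.
WATCHED_SUFFIXES = {".hta", ".html", ".htm", ".xhtml", ".xht"}


def parse_zone_identifier(stream_text):
    """Parse the INI-style Zone.Identifier stream into a dict.

    Only keys under the [ZoneTransfer] section are kept; an empty or
    malformed stream yields an empty dict.
    """
    values = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def classify(stream_text):
    """Return (zone_id or None, verdict) for a file's Zone.Identifier text.

    stream_text is None when the file has no Zone.Identifier stream at all.
    That is the FileFix 2.0 condition: Windows has no record that the file
    came from the web, so no zone-based warning is raised when it is opened.
    """
    if stream_text is None:
        return None, "NO MOTW: saved without Zone.Identifier; treat as untrusted"
    fields = parse_zone_identifier(stream_text)
    try:
        zone_id = int(fields.get("ZoneId", ""))
    except ValueError:
        return None, "MALFORMED MOTW: Zone.Identifier present but ZoneId unreadable"
    name = ZONE_NAMES.get(zone_id, "Unknown zone")
    if zone_id >= 3:
        return zone_id, f"MOTW OK: {name} (zone {zone_id})"
    return zone_id, f"MOTW WEAK: {name} (zone {zone_id}); no web warning expected"


def read_zone_identifier(path):
    """Read the Zone.Identifier stream of path, or None if it is absent.

    Alternate data streams are addressed as 'file:Zone.Identifier' on NTFS.
    On non-Windows platforms there are no ADS, so this returns None for
    every file and the audit will report everything as NO MOTW.
    """
    if sys.platform != "win32":
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit_directory(root):
    """Yield (path, zone_id, verdict) for each watched file under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            zone_id, verdict = classify(read_zone_identifier(path))
            yield str(path), zone_id, verdict


if __name__ == "__main__":
    # Default to the user's Downloads folder; pass another directory to override.
    target = sys.argv[1] if len(sys.argv) > 1 else str(Path.home() / "Downloads")
    if sys.platform != "win32":
        print("warning: Zone.Identifier streams only exist on Windows/NTFS", file=sys.stderr)
    for file_path, _, verdict in audit_directory(target):
        print(f"{verdict:<70} {file_path}")
```

Run it as `python motw_audit.py C:\Users\someone\Downloads` on the affected machine. Files reported as `NO MOTW` with an `.hta`, `.html` or `.htm` extension are what a browser “Save As” leaves behind, so they deserve the same scrutiny as an unblocked download; files with `MOTW OK` still go through the normal zone checks when opened.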
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Jul 2025 07:05:17 +0000