A sophisticated new variation of cyberattacks emerged in July 2025, exploiting a critical vulnerability in how Chrome and Microsoft Edge<\/a> handle webpage saving functionality.<\/p>\n The attack, dubbed \u201cFileFix 2.0,\u201d bypasses Windows\u2019 Mark of the Web (MOTW) security feature by leveraging legitimate browser saving mechanisms combined with HTML Application (HTA) execution.<\/p>\n The discovery comes amid a dramatic surge in social engineering attacks this year. <\/p>\n According to the latest ESET Threat Report,\u00a0ClickFix attacks<\/a>, the predecessor to FileFix, <\/span>skyrocketed by 517% in the first half of 2025, becoming the second most common attack vector after phishing and accounting for nearly 8% of all blocked attacks.<\/span><\/p>\n This explosive growth demonstrates a growing reliance by threat actors on psychological manipulation rather than purely technical exploits.<\/p>\n The new attack variant exploits a previously unknown behavior in Chrome and Microsoft Edge browsers. <\/p>\n When users save webpages using Ctrl+S with \u201cWebpage, Single File\u201d or \u201cWebpage, Complete\u201d formats selected, files with HTML or XHTML+XML MIME types are saved without MOTW protection, the Windows security<\/a> feature that warns users about potentially dangerous files from the internet.<\/p>\n Cybersecurity researcher mr.d0x, who first documented the original FileFix attack<\/a>, has now revealed this more insidious variation<\/a> that combines browser functionality with HTML Applications (HTA) files.<\/p>\n Unlike traditional malware delivery methods, this technique doesn\u2019t require victims to disable security features or ignore warning messages.<\/p>\n The attack\u2019s social engineering component is particularly clever. Threat actors create legitimate-looking websites that mimic popular online services, displaying what appears to be multi-factor authentication backup codes. <\/p>\n The pages instruct users to save the codes locally using Ctrl+S, specifically naming the file with a \u201c.hta\u201d extension for \u201cproper storage\u201d.<\/p>\n The deceptive interface presents familiar elements styled to resemble Google or Microsoft authentication pages, complete with numbered backup codes and professional instructions.<\/p>\n Victims, believing they\u2019re securely storing necessary security credentials, unknowingly download and execute malicious HTML Applications that can run arbitrary commands<\/a> on their systems.<\/p>\n MOTW traditionally serves as Windows\u2019 first line of defense against internet-downloaded threats. When files carry this mark, Windows displays security warnings or blocks execution entirely. <\/p>\n However, the FileFix 2.0 technique circumvents this protection through legitimate browser behavior. The vulnerability stems from browsers\u2019 handling of specific MIME types during the save operation. <\/p>\n While most file types receive MOTW protection, HTML and XHTML+XML content saved through browser \u201cSave As\u201d functionality bypasses this security measure entirely. This creates an execution pathway that appears legitimate to both security software and users.<\/p>\n HTML Applications represent a legacy Windows feature that continues to pose security risks in 2025. <\/p>\n These files execute with full system privileges, essentially functioning as desktop applications<\/a> while maintaining HTML-based interfaces. Despite their age, HTA files remain supported across all Windows versions, including Windows 11.<\/p>\n Recent cybersecurity research indicates renewed interest in HTA-based attacks among threat actors. <\/p>\n The Hancitor malware family and various nation-state groups have incorporated HTA files into their attack chains, leveraging the format\u2019s ability to execute PowerShell commands, download additional payloads, and establish persistent access to compromised systems.<\/p>\nKey Points<\/mark><\/strong>
1. Saving HTML pages as \"Webpage, Complete\" or \"Webpage, Single File\" in Chrome or Edge with certain MIME types results in files without Mark-of-the-Web (MOTW) protection.
2. Attackers trick users into saving these files as .hta (HTML Application) files, which can execute malicious scripts without warnings.
3. Social engineering, such as fake backup code pages, prompts users to save and open these dangerous files.
4. Blocking or removing mshta.exe stops these .hta files from running and prevents the attack.<\/pre>\nSocial Engineering Through Fake Backup Codes<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjapA3hh0W2kmlmleq66e4P99kvcFbyrsl8msYTxsBBQbBzM-JxOoeD9D00SwQe6mN9kG5IJC8H96sbEH0HTEV63x5icgAtHReh3rAwpYn3pGDJQgo03Qy5mouwO6dKb0usmOVb2ffHHd-k-sKPKwMttrmyZZ6U8U6610zXnUzIiToOh22BA0rRtuNyh9j8\/s16000\/weaponization-4.png?ssl=1\")
HTA Files: A Persistent Attack Vector<\/strong><\/h2>\n