Tracking FileFix, Shadow Vector, and SideWinder

Nov. 11, 2025, 6:23 p.m.

Description

This intelligence report details collaborative research between Acronis Threat Research Unit and VirusTotal on three emerging cyber threats. FileFix, a variant of ClickFix, uses malicious websites to trick victims into running commands copied to their clipboard. Shadow Vector targets Colombian users with SVG images disguised as court summonses containing links to malicious payloads. SideWinder, a South Asian threat actor, continues to exploit old vulnerabilities in document-based attacks on government and defense entities. The report highlights the use of VirusTotal's platform for threat hunting, including content searching, metadata filtering, and YARA rule creation to track these campaigns and uncover their tactics and infrastructure.

Date

  • Created: Nov. 10, 2025, 4:26 p.m.
  • Published: Nov. 10, 2025, 4:26 p.m.
  • Modified: Nov. 11, 2025, 6:23 p.m.

Indicators

  • cf23f7b98abddf1b36552b55f874ae1e2199768d7cefb0188af9ee0d9a698107
  • cb035f440f728395cc4237e1ac52114641dc25619705b605713ecefb6fd9e563
  • f3208ae62655435186e560378db58e133a68aa6107948e2a8ec30682983aa503
  • c3319a8863d5e2dc525dfe6669c5b720fc42c96a8dce3bd7f6a0072569933303
  • b5311cadc0bbd2f47549f7fc0895848adb20cc016387cebcd1c29d784779240c
  • b3e8ab81d0a559a373c3fe2ae7c3c99718503411cc13b17cffd1eee2544a787b
  • 6d4a53da259c3c8c0903b1345efcf2fa0d50bc10c3c010a34f86263de466f5a1
  • 9bbbcb6eae33314b84f5e367f90e57f487d6abe72d6067adcb66eba896d7ce33
  • 62544cb1f0b9e6e04433698e85bfb534278b9bdc5f06589c011e9cb80c71df23
  • 60e87c0fe7c3904935bb1604bdb0b0fc0f2919db64f72666b77405c2c1e46067
  • 609edc93e075223c5dc8caaf076bf4e28f81c5c6e4db0eb6f502dda91500aab4
  • 5673ad3287bcc0c8746ab6cab6b5e1b60160f07c7b16c018efa56bffd44b37aa
  • 4cfeab122e0a748c8600ccd14a186292f27a93b5ba74c58dfee838fe28765061
  • 4795d3a3e776baf485d284a9edcf1beef29da42cad8e8261a83e86d35b25cafe
  • 2aae8e206dd068135b16ff87dfbb816053fc247a222aad0d34c9227e6ecf7b5b
  • 1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a

Attack Patterns

Additional Information

  • Defense
  • Government
  • Colombia
  • Sri Lanka
  • Bangladesh
  • Pakistan

Linked vulnerabilities