Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix

calendar Apr 28, 2026 · attack.execution attack.stealth attack.t1204.004 attack.t1027.010  ·
Share on: linkedin copy

Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.

Sigma rule (View on GitHub)

 1title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
 2id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
 3related:
 4    - id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
 5      type: similar
 6    - id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
 7      type: similar
 8status: experimental
 9description: |
10    Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
11    ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
12    The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.    
13references:
14    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
15    - https://mrd0x.com/filefix-clickfix-alternative/
16author: Swachchhanda Shrawan Poudel (Nextron Systems)
17date: 2025-11-04
18modified: 2025-11-26
19tags:
20    - attack.execution
21    - attack.stealth
22    - attack.t1204.004
23    - attack.t1027.010
24logsource:
25    category: process_creation
26    product: windows
27detection:
28    selection_explorer:
29        ParentImage|endswith: '\explorer.exe'
30        CommandLine|contains: '#'
31    selection_space_variation:
32        CommandLine|contains:
33            - '            ' # En Quad (U+2000)
34            - '            ' # Em Quad (U+2001)
35            - '            ' # En Space (U+2002)
36            - '            ' # Em Space (U+2003)
37            - '            ' # Three-Per-Em Space (U+2004)
38            - '            ' # Four-Per-Em Space (U+2005)
39            - '            ' # Six-Per-Em Space (U+2006)
40            - '            ' # Figure Space (U+2007)
41            - '            ' # Punctuation Space (U+2008)
42            - '            ' # Thin Space (U+2009)
43            - '            ' # Hair Space (U+200A)
44            - '            ' # No-Break Space (U+00A0)
45            - '            ' # Normal space (0x20)
46    condition: all of selection_*
47falsepositives:
48    - Unknown
49level: high

References

Related rules

to-top