Cache smuggling: When a picture isn’t a thousand words
ID: 24ba1231-1cd7-5a11-ac79-1ef5b63ea6d3
STIX ID: report--24ba1231-1cd7-5a11-ac79-1ef5b63ea6d3
Feed Name: Expel Blog
This report details a targeted phishing campaign that impersonates a Fortinet VPN compliance checker and uses a ClickFix-style prompt to get the victim to paste a hidden command into Windows Explorer. The command launches conhost.exe with a headless PowerShell session that copies browser cache files, applies a regex to locate and extract a ZIP archive embedded in one of them (the "cache smuggling" step), expands the archive, and executes the dropped ComplianceChecker executable. Because the payload arrives inside the browser cache rather than as an explicit download, the technique sidesteps download-based controls and many other detection mechanisms.
