Introduction<\/strong><\/em><\/p>\n Since as early as November 2025, the finger<\/a> protocol has been used in ClickFix<\/a> social engineering attacks. BleepingComputer posted a report of this activity on November 15th<\/a>, and Didier Stevens posted a short follow-up in an ISC diary<\/a> the next day.<\/p>\n I often investigate two campaigns that employ ClickFix attacks: KongTuke<\/a> and SmartApeSG<\/a>. When I checked earlier this week on Thursday, December 11th, both campaigns used commands that ran finger.exe<\/span> in Windows to retrieve malicious content.<\/p>\n So after nearly a month, ClickFix attacks are still giving us the finger.<\/p>\n KongTuke Example<\/strong><\/em><\/p>\n My investigation of KongTuke activity on December 11th revealed a command for finger gcaptcha@captchaver[.]top<\/span> from the fake CAPTCHA page.<\/p>\n I recorded network traffic generated by running this ClickFix script, and I used the finger<\/span> filter in Wireshark to find finger traffic over TCP port 79.<\/p>\n Following the TCP stream of this traffic revealed text returned from the server. The result was a powershell<\/span> command with Base64 encoded text.<\/p>\n SmartApeSG Example<\/strong><\/em><\/p>\n My investigation of SmartApeSG activity on December 11th revealed a command for finger Galo@91.193.19[.]108<\/span> from the fake CAPTCHA page.<\/p>\n I recorded network traffic generated by running this ClickFix script, and I used the finger<\/span> filter in Wireshark to find finger traffic over TCP port 79.<\/p>\n Following the TCP stream of this traffic revealed text returned from the server. The result was a script to retrieve content from pmidpils[.]com\/yhb.jpg<\/span> then save and run that content on the user’s Windows host.<\/p>\n Final Words<\/strong><\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-12-13-ISC-Diary-image-01b.png?ssl=1\")
<\/a>
\nShown above: ClickFix attacks running finger.exe<\/span>.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-12-13-ISC-Diary-image-04.png?ssl=1\")
<\/a>
\nShown above: Example of fake CAPTCHA page from the KongTuke campaign on December 11th, 2025.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-12-13-ISC-Diary-image-11.png?ssl=1\")
<\/a>
\nShown above: Finding finger traffic using the finger<\/span> filter in Wireshark.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-12-13-ISC-Diary-image-06.png?ssl=1\")
<\/a>
\nShown above: Text returned from the server in response to the finger<\/span> command.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-12-13-ISC-Diary-image-03.png?ssl=1\")
<\/a>
\nShown above: Example of fake CAPTCHA page from the SmartApeSG campaign on December 11th, 2025.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-12-13-ISC-Diary-image-10a.png?ssl=1\")
<\/a>
\nShown above: Finding finger traffic using the finger<\/span> filter in Wireshark.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2025-12-13-ISC-Diary-image-05.png?ssl=1\")
<\/a>
\nShown above: Text returned from the server in response to the finger<\/span> command.<\/em><\/p>\n