ClickFix Attackers Get Creative: Finger Protocol Exploitation in Ongoing Social Engineering Campaigns (2025)
Executive Summary
In December 2025, ongoing ClickFix social engineering campaigns, notably KongTuke and SmartApeSG, exploited the legacy finger protocol to deliver malicious payloads to Windows hosts. Attackers enticed users to interact with fake CAPTCHA pages, triggering finger.exe commands that retrieved further instructions—such as encoded PowerShell commands or direct downloads of malware—from attacker-controlled servers over TCP port 79. These techniques allowed adversaries to bypass conventional detection and deliver remote access tools or additional scripts, posing operational threats to unprotected enterprise environments.
This campaign highlights the resurgence of creative use of legacy or overlooked network protocols in modern attack chains. The persistence of ClickFix-driven social engineering and the reuse of finger.exe underline the importance for organizations to reassess traffic filtering strategies, as attackers are diversifying their initial access and payload delivery vectors.
Why This Matters Now
As adversaries increasingly exploit neglected network protocols and combine them with convincing social engineering, enterprises may be blindsided if their security controls only cover mainstream attack vectors. Immediate review and blocking of legacy services like finger.exe are essential to mitigate evolving risks.
Attack Path Analysis
Attackers used social engineering to lure victims into running a malicious ClickFix script from fake CAPTCHA pages, causing execution of finger.exe and retrieval of encoded payloads. After initial execution, downloaded scripts could run with the user's privileges, potentially escalating access on local or networked systems. With established presence, attackers may attempt lateral movement or drop further payloads across internal resources. The malicious script establishes command and control by retrieving instructions via C2 servers over non-standard ports such as TCP 79. Data exfiltration or continued C2 communication may occur covertly through outbound connections. Ultimately, the attacker could achieve impact by deploying further malware, stealing data, or conducting disruptive actions.
Kill Chain Progression
Initial Compromise
Description
Victim is tricked into executing a ClickFix script from a fake CAPTCHA page, causing their system to run finger.exe to contact an attacker-controlled server and fetch a PowerShell or code payload.
Related CVEs
CVE-1999-0612
CVSS 5A version of finger is running that exposes valid user information to any entity on the network.
Affected Products:
Microsoft Windows NT – All versions
Microsoft Windows 2000 – All versions
GNU Finger Service – All versions
GNU Fingerd – All versions
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing
User Execution: Malicious File
Phishing: Spearphishing via Service
Ingress Tool Transfer
Command and Scripting Interpreter: PowerShell
Exfiltration Over C2 Channel
Application Layer Protocol: Web Protocols
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Configure system components to minimize protocols in use
Control ID: 2.2.4
PCI DSS 4.0 – Implement automated audit trails for all systems
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management - Protection Measures
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Network Segmentation and Protocol Enforcement
Control ID: Network: Least Privilege
NIS2 Directive – Risk Analysis and Information System Security Policies
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ClickFix social engineering attacks bypass traditional security controls, exploiting finger protocol vulnerabilities that could compromise financial data and regulatory compliance requirements.
Health Care / Life Sciences
Finger protocol exploitation in ClickFix campaigns threatens HIPAA compliance and patient data security through unencrypted traffic and lateral movement capabilities.
Government Administration
Social engineering attacks using finger protocol pose critical risks to government networks, potentially enabling data exfiltration and compromising sensitive administrative systems.
Information Technology/IT
IT organizations face direct exposure to ClickFix attacks through finger protocol abuse, requiring enhanced egress filtering and threat detection capabilities.
Sources
- ClickFix Attacks Still Using the Finger, (Sat, Dec 13th)https://isc.sans.edu/diary/rss/32566Verified
- ClickFix campaign leverages finger.exe to trick users into running malicious commandshttps://cyberpress.org/clickfix-campaign/Verified
- New Clickfix Attack Exploits finger.exe Tool to Trick Users into Execute Malicious Codehttps://cybersecuritynews.com/new-clickfix-attack-exploits-finger-exe-tool/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Network segmentation, egress restrictions, real-time traffic inspection, and threat detection provided by CNSF-aligned controls would have significantly reduced or prevented the attack at key stages—including blocking finger protocol egress, denying lateral movement, and flagging anomalous communications.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound TCP 79 (finger protocol) traffic is blocked, preventing malicious server contact.
Control: Zero Trust Segmentation
Mitigation: Restricts privilege boundaries and limits unauthorized escalation activities within the cloud environment.
Control: East-West Traffic Security
Mitigation: Blocks anomalous or unauthorized workload-to-workload and service-to-service communications.
Control: Cloud Firewall (ACF) & Inline IPS (Suricata)
Mitigation: Detects and blocks known malicious protocols and signatures used for C2 traffic.
Control: Multicloud Visibility & Control
Mitigation: Monitors, detects, and restricts suspicious outbound data flows.
Alerts security teams to suspicious automation or impact attempts, enabling faster incident triage.
Impact at a Glance
Affected Business Functions
- User Authentication
- Web Browsing
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of user credentials and personal information due to unauthorized execution of malicious code.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce egress controls to block unauthorized protocols such as finger and restrict outbound internet access by default.
- • Deploy east-west segmentation and granular workload policies to prevent lateral movement following initial compromise.
- • Integrate cloud firewalls and inline IPS to detect and proactively block known C2 protocols and malicious signatures.
- • Establish centralized, real-time visibility and anomaly detection across all cloud and hybrid environments.
- • Continuously update zero trust segmentation and egress filtering rules to address evolving social engineering and supply chain threats.
