Find notable cyber news and cases, enriched with sources, timelines, and signals.

ClickFix Finger protocol campaign targeting Windows devices

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

A ClickFix campaign is abusing the Finger protocol to retrieve and execute remote commands on Windows devices, turning a legacy command into a malware-delivery path. The chain uses fake verification prompts and `finger ... | cmd`-style execution to stage payloads such as a Python malware package and NetSupport Manager RAT. The activity matters because it combines social engineering, remote command execution, and persistence in a way that can quickly compromise user systems.

Related Happenings

ClickFix mitigation guidance for Windows and macOS

Defensive Guidance
H score34 First: 30.06.2026 15:00 Last: 30.06.2026 15:00 Sources 1

About this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
H score30 First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
H score29 First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

ClickFix Windows Terminal Lumma Stealer campaign

Campaign
H score35 First: 06.03.2026 08:44 Last: 06.03.2026 08:44 Sources 1

About this happening: A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...

ClickFix DNS-based nslookup staging campaign

Campaign
H score35 First: 15.02.2026 16:10 Last: 15.02.2026 16:10 Sources 1

About this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...

Timeline

  1. 15.11.2025 20:46 2 articles · 7mo ago

    ClickFix Finger protocol abuse on Windows

    Initial Disclosure

    Researchers described a ClickFix campaign abusing the Finger protocol on Windows devices, using commands such as `finger ... | cmd` to fetch remote instructions, download a zip archive disguised as a PDF, extract either a Python malware package or the NetSupport Manager RAT, and create a scheduled task for persistence; defenders are advised to block outbound TCP port 79.

    Show sources