
ClickFix Finger protocol campaign targeting Windows devices

Campaign
Happening score: H score 36
1 unique sources, 1 articles

Summary


A ClickFix campaign is abusing the Finger protocol to retrieve and execute remote commands on Windows devices, turning a legacy command into a malware-delivery path. The chain uses fake verification prompts and `finger ... | cmd`-style execution to stage payloads such as a Python malware package and NetSupport Manager RAT. The activity matters because it combines social engineering, remote command execution, and persistence in a way that can quickly compromise user systems.

Related Happenings

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

ClickFix Windows Terminal Lumma Stealer campaign

Campaign
First: 06.03.2026 08:44 Last: 06.03.2026 08:44 Sources 1

About this happening: A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...

ClickFix DNS-based nslookup staging campaign

Campaign
First: 15.02.2026 16:10 Last: 15.02.2026 16:10 Sources 1

About this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...

LummaStealer infection surge via CastleLoader

Malware Activity
First: 11.02.2026 19:02 Last: 11.02.2026 19:02 Sources 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

APT36 / SideCopy phishing-led campaign targeting Indian defense organizations

Campaign
First: 11.02.2026 16:52 Last: 11.02.2026 16:52 Sources 1

About this happening: A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...

Timeline

  1. 15.11.2025 20:46 2 articles · 6mo ago

    ClickFix Finger protocol abuse on Windows

    Initial Disclosure

    Researchers described a ClickFix campaign abusing the Finger protocol on Windows devices, using commands such as `finger ... | cmd` to fetch remote instructions, download a zip archive disguised as a PDF, extract either a Python malware package or the NetSupport Manager RAT, and create a scheduled task for persistence; defenders are advised to block outbound TCP port 79.
