ClickFix Finger protocol campaign targeting Windows devices
Campaign
Summary
Hide ▲
Show ▼
A ClickFix campaign is abusing the Finger protocol to retrieve and execute remote commands on Windows devices, turning a legacy command into a malware-delivery path. The chain uses fake verification prompts and `finger ... | cmd`-style execution to stage payloads such as a Python malware package and NetSupport Manager RAT. The activity matters because it combines social engineering, remote command execution, and persistence in a way that can quickly compromise user systems.
Related Happenings
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceAbout this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
H score30
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware ActivityAbout this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
H score29
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware ActivityAbout this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
ClickFix Windows Terminal Lumma Stealer campaign
Campaign
H score35
First: 06.03.2026 08:44
Last: 06.03.2026 08:44
Sources 1
About this happening:
A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...
ClickFix Windows Terminal Lumma Stealer campaign
CampaignAbout this happening: A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...
ClickFix DNS-based nslookup staging campaign
Campaign
H score35
First: 15.02.2026 16:10
Last: 15.02.2026 16:10
Sources 1
About this happening:
The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
ClickFix DNS-based nslookup staging campaign
CampaignAbout this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
Timeline
-
15.11.2025 20:46 2 articles · 7mo ago
ClickFix Finger protocol abuse on Windows
Initial DisclosureResearchers described a ClickFix campaign abusing the Finger protocol on Windows devices, using commands such as `finger ... | cmd` to fetch remote instructions, download a zip archive disguised as a PDF, extract either a Python malware package or the NetSupport Manager RAT, and create a scheduled task for persistence; defenders are advised to block outbound TCP port 79.
Show sources
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46
- Decades-old ‘Finger’ protocol abused in ClickFix malware attacks — www.bleepingcomputer.com — 15.11.2025 20:46