- The “finger” command remains exploitable for remote code execution even after years of disuse
- Attackers use batch scripts to channel server responses directly into Windows command sessions
- Hidden Python programs are delivered through archives disguised as harmless documents
The finger command is an old network lookup tool originally used to fetch basic information about remote or local system users on Unix and later on Windows.
It was gradually abandoned as modern authentication and user query systems became standard, but this decade-old threat has now apparently quietly resurfaced in malicious operations targeting users who unknowingly execute remote instructions pulled through the outdated protocol.
The method relies on retrieving text-based commands from a remote finger server and running them locally through standard Windows command execution.
Old but still dangerous
Interest in this activity resurfaced when a researcher examined a batch script that triggered a finger request through a remote server before routing the response into a live Windows command session.
The referenced server has since stopped responding, although additional samples showing similar behaviour were later linked to ongoing attacks.
One example involved a person who thought they were completing a human verification step – when actually they executed a command that connected to a finger address while the output streamed directly into a command processor session.
Although the server no longer responds, the previously captured result showed a sequence that created random paths, cloned a system tool, and extracted a compressed archive disguised as a harmless document.
Inside that archive was a Python program that launched through pythonw.exe and later contacted a remote server to confirm execution.
A related batch file suggested the package contained information-stealing behaviour rather than a harmless test tool.
Another campaign used a similar request pattern but targeted a different server and delivered almost identical automation.
Analysts observed that this version scanned for common reverse engineering tools and monitoring utilities.
It then exited when detected, which implies a level of awareness often seen in staged malware activity.
If no detection utilities were found, the script downloaded a separate compressed file that delivered a known remote access tool used for unauthorised control sessions.
This is followed by scheduling a task that launches it every time the user logs in.
This abuse appears to involve one actor, though accidental victims continue to report similar incidents.
People are reminded that safe computing now requires updated antivirus systems, reliable malware removal practices, and a properly configured firewall.
It may sound strange that a legacy lookup tool still poses risk, but older protocols can still create real entry points when combined with social engineering.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
