- The “finger” command remains usable for remote code execution even after years of disuse.
- Attackers use batch scripts to pipe server responses directly into Windows command sessions.
- Hidden Python programs are distributed through archives disguised as harmless documents.
The Finger command is an old network lookup tool originally used to retrieve basic information about remote or local system users on Unix and later on Windows.
It was gradually phased out as modern user authentication and query systems became the norm, but this decade-old threat has apparently quietly resurfaced in malicious operations targeting users who unknowingly execute remote instructions delivered via the outdated protocol.
The method relies on retrieving text commands from a remote Finger server and executing them locally using standard Windows commands.
Old but still dangerous
Interest in this activity resurfaced when a researcher examined a batch script that sent a Finger request to a remote server and piped the response into a live Windows command session.
The referenced server has since stopped responding, although other samples showing similar behavior were later linked to ongoing attacks.
One example involved a person who thought they were completing a human verification step, when in reality they were running a command that connected to a remote address while the output was streamed directly into a command processor session.
Although the server became unresponsive, the previously captured output showed a sequence that created random paths, copied a system tool, and extracted a compressed archive disguised as a harmless document.
Inside this archive was a Python program that was launched via pythonw.exe and then contacted a remote server to confirm execution.
An associated batch file suggested that the package contained information-stealing behavior rather than a harmless testing tool.
Another campaign used a similar request pattern but targeted a different server and used almost identical automation.
Analysts observed that this version scanned for common reverse engineering tools and monitoring utilities.
It exited if any were detected, implying a level of awareness often seen in organized malicious activity.
If no such utility was found, the script downloaded a separate compressed file that delivered a known remote access tool used for unauthorized control sessions.
It then scheduled a task that launches the tool every time the user logs in.
These abuses appear to involve a single actor, although accidental victims continue to report similar incidents.
Users are reminded that secure computing now requires updated antivirus systems, reliable malware removal practices, and a properly configured firewall.
It may seem strange that an old lookup tool still poses risks, but old protocols can still create real entry points when combined with social engineering.
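One way to hunt for the behavior described above, added here as an example and not taken from the original report or any vendor's rule set: it flags command lines where Finger output is piped into cmd, remote Finger lookups, and outbound connections to TCP port 79. The event layout, field names, labels and sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

FINGER_PORT = 79  # TCP port assigned to the Finger protocol (RFC 1288)

# finger[.exe] used as a command, whose output is piped into cmd[.exe]
PIPE_TO_CMD = re.compile(
    r'(?<![\w.-])finger(?:\.exe)?"?\s+[^|&<>]*\|\s*cmd(?:\.exe)?\b', re.I)
# finger[.exe] querying a remote host (user@host or @host)
REMOTE_QUERY = re.compile(
    r'(?<![\w.-])finger(?:\.exe)?"?\s+(?:-l\s+)?[^\s|@]*@[\w.-]+', re.I)

# Constructed sample telemetry; hosts and addresses are reserved documentation values.
SAMPLE_EVENTS = [
    {"kind": "proc", "cmdline": 'cmd /c "finger user@host.example.test | cmd"'},
    {"kind": "proc", "cmdline": "finger.exe user@host.example.test"},
    {"kind": "proc", "cmdline": "finger -l localuser"},
    {"kind": "proc", "cmdline": "cmd /c dir | findstr finger"},
    {"kind": "net", "image": "finger.exe", "dest_ip": "203.0.113.10", "dest_port": 79},
    {"kind": "net", "image": "chrome.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
]


def classify(event):
    """Return a finding label for one event, or None if nothing matches."""
    if event["kind"] == "net":
        remote = not ipaddress.ip_address(event["dest_ip"]).is_loopback
        return "outbound_finger_port" if remote and event["dest_port"] == FINGER_PORT else None
    cmdline = event["cmdline"]
    if PIPE_TO_CMD.search(cmdline):   # strongest signal: response fed to a shell
        return "finger_piped_to_cmd"
    if REMOTE_QUERY.search(cmdline):  # weaker signal: any remote Finger lookup
        return "finger_remote_query"
    return None


def scan(events):
    """Return (index, label) for every event that matches a rule."""
    findings = []
    for index, event in enumerate(events):
        label = classify(event)
        if label:
            findings.append((index, label))
    return findings


if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(index, label)
```

On most networks nothing legitimate needs outbound TCP 79, so the port rule also works as a firewall block candidate rather than only an alert.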
Via BleepingComputer




