{
	"id": "c8ae6511-cf24-4196-8f02-251f2f3dd201",
	"created_at": "2026-04-06T00:17:35.893917Z",
	"updated_at": "2026-04-10T03:21:36.616699Z",
	"deleted_at": null,
	"sha1_hash": "f01eb6f6a11185fae8db40443d116b4a263c93c4",
	"title": "Windows Finger command abused by phishing to download malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2767504,
	"plain_text": "Windows Finger command abused by phishing to download malware\r\nBy Lawrence Abrams\r\nPublished: 2021-01-15 · Archived: 2026-04-05 18:42:37 UTC\r\nAttackers are using the normally harmless Windows Finger command to download and install a malicious backdoor on victims' devices.\r\nThe 'Finger' command is a utility that originated in Linux/Unix operating systems that allows a local user to retrieve a list of users on a remote machine or information about a particular remote user. In addition to Linux, Windows includes a finger.exe command that performs the same functionality.\r\nTo execute the Finger command, a user would enter finger [user]@[remote_host]. For example, finger bleeping@www.bleepingcomputer.com.\r\nhttps://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/\r\nPage 1 of 6\r\nIn September, we reported that security researchers discovered a way to use Finger as a LoLBin to download malware from a remote computer or exfiltrate data. LoLBins are legitimate programs that can help attackers bypass security controls to fetch malware without triggering a security alert on the system.\r\nFinger used in an active malware campaign\r\nThis week, security researcher Kirk Sayre found a phishing campaign utilizing the Finger command to download the MineBridge backdoor malware.\r\nFireEye first reported on the MineBridge malware after discovering numerous phishing campaigns targeting South Korean organizations. These phishing emails contain malicious Word documents disguised as job applicant resumes that install the MineBridge malware.\r\nMineBridge phishing email\r\nSource: FireEye\r\nLike the previous MineBridge campaigns seen by FireEye, the one discovered by Sayre also pretends to be a resume from a job applicant, as shown below.\r\nMalicious MineBridge Word document\r\nSource: BleepingComputer\r\nWhen a victim clicks on the 'Enable Editing' or 'Enable Content' buttons, a password-protected macro will be executed to download the MineBridge malware and run it.\r\nBleepingComputer was able to bypass the password protection on the Word macro, which is shown below in its obfuscated form.\r\nObfuscated malicious Word macro\r\nSource: BleepingComputer\r\nThe deobfuscated command executed by the macro, shown below, uses the finger command to download a Base64-encoded certificate from a remote server and saves it as %AppData%\\vUCooUr.\r\nDeobfuscated command executed by the macro\r\nSource: BleepingComputer\r\nThe certificate retrieved via the finger command is a Base64-encoded malware downloader executable. This certificate is decoded using the certutil.exe command, saved as %AppData%\\vUCooUr.exe, and then executed.\r\nBase64-encoded malware disguised as a certificate\r\nSource: BleepingComputer\r\nOnce executed, the downloader will download a TeamViewer executable and use DLL hijacking to sideload a malicious DLL, the MineBridge malware.\r\nOnce MineBridge is loaded, the remote threat actors gain full access to the computer, allowing them to listen in via the infected device's microphone and perform other malicious activities.\r\n\"Collectively, the two C2 methods support commands for downloading and executing payloads, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer's microphone, and gathering system UAC information,\" FireEye explains in their report.\r\nAs Finger is rarely used today, it is suggested that administrators block the Finger command on their network, whether through AppLocker or other methods.\r\nSource: https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/"
	],
	"report_names": [
		"windows-finger-command-abused-by-phishing-to-download-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434655,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f01eb6f6a11185fae8db40443d116b4a263c93c4.pdf",
		"text": "https://archive.orkl.eu/f01eb6f6a11185fae8db40443d116b4a263c93c4.txt",
		"img": "https://archive.orkl.eu/f01eb6f6a11185fae8db40443d116b4a263c93c4.jpg"
	}
}