⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.

finger.exe

finger.exe is a Windows utility for querying user information via the Finger protocol. In January 2026, the KongTuke threat actor introduced "CrashFix", a variant in which a malicious Chrome extension ("NexShield", impersonating uBlock Origin Lite) intentionally crashes the browser and then displays a fake "browser stopped abnormally" error. The "fix" command copies finger.exe to the temp directory, renames it (e.g., to ct.exe), and uses it to connect to an attacker-controlled C2 server. The C2 response is piped directly to cmd.exe for execution. The final payload is ModeloRAT, a Python RAT that specifically targets domain-joined hosts.

Your browser has stopped abnormally. To recover your session and tabs, please follow the recovery steps below.

  1. Press Win-R on your keyboard

  2. Press Ctrl-V to paste the recovery command

  3. Press Enter to recover your browser session

Mitigations:

  • Monitor for finger.exe being copied or renamed

  • Alert on finger.exe connecting to external IP addresses

  • Block finger.exe execution via AppLocker or WDAC

  • Monitor for suspicious Chrome extensions requesting broad permissions

  • Alert on Python runtime downloads (portable Python ZIPs)
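The first two mitigations can be combined into one detection. The following is an added example, not part of the original page: it assumes Sysmon-style process-creation (ID 1) and network-connection (ID 3) events already parsed into dictionaries, and the sample events, rule names and internal address ranges are constructed for illustration.

```python
import ipaddress
import ntpath

# Constructed events with Sysmon-style fields (ID 1 = process creation,
# ID 3 = network connection). Not real telemetry; 203.0.113.10 is a
# documentation address standing in for an external host.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A1", "OriginalFileName": "finger.exe",
     "Image": r"C:\Windows\System32\finger.exe"},
    {"EventID": 3, "ProcessGuid": "A1", "DestinationIp": "10.0.0.5"},
    {"EventID": 1, "ProcessGuid": "B2", "OriginalFileName": "finger.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\ct.exe"},
    {"EventID": 3, "ProcessGuid": "B2", "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "ProcessGuid": "C3", "OriginalFileName": "Cmd.Exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Explicit internal ranges; ipaddress.is_private would also treat the
# documentation range used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events):
    """Return (rule, image, destination) alerts for finger.exe misuse."""
    finger_procs = {}  # ProcessGuid -> image path of a finger.exe binary
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and ev.get("OriginalFileName", "").lower() == "finger.exe":
            image = ev["Image"]
            finger_procs[ev["ProcessGuid"]] = image
            # PE version info still says finger.exe after a rename or copy.
            if ntpath.basename(image).lower() != "finger.exe":
                alerts.append(("renamed_finger", image, None))
            elif ntpath.dirname(image).lower() not in SYSTEM_DIRS:
                alerts.append(("relocated_finger", image, None))
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in finger_procs:
            if is_external(ev["DestinationIp"]):
                alerts.append(("finger_external_connection",
                               finger_procs[ev["ProcessGuid"]], ev["DestinationIp"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying on OriginalFileName rather than the image name is what lets the rule follow the binary through the rename to ct.exe; the network alert is then correlated to that process by ProcessGuid.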


Contributor: Michael Haag (2026-03-14)