ClickFix uses a decade-old SOCKS5 proxy, raising security concerns

By Sarah Simpson
May 13, 2026

Key Takeaways

  • The “ClickFix” attack campaign has evolved, now integrating a decade-old Python SOCKS5 proxy tool, PySoxy, to establish persistent and resilient access to compromised systems.
  • Initial compromise still relies on social engineering to trick users into executing a PowerShell command, but the new methodology creates multiple, redundant access channels.
  • Security researchers at ReliaQuest observed this enhanced technique in April 2026, noting its ability to survive even after initial outbound connections are blocked.
  • The attack chain now establishes a persistent foothold through scheduled tasks and leverages PySoxy for a secondary, distinct communication pathway, making detection and remediation more challenging.

The “ClickFix” cyberattack campaign, known for leveraging social engineering to trick users into executing malicious commands, has adopted a significant new tactic. Recent analysis reveals attackers are now incorporating PySoxy, an open-source Python SOCKS5 proxy tool first released approximately ten years ago, into their operations. This integration creates a more robust and resilient intrusion method, allowing the compromise to persist even after initial security measures are enacted.

What was previously considered a straightforward user error has morphed into a sophisticated, multi-layered intrusion. This evolved ClickFix technique can maintain access to a system long after security tools attempt to block its initial communication channels, fundamentally changing the threat landscape for affected organizations, as detailed in a recent report.

The Evolving Attack Chain

The attack sequence begins conventionally: a user visits a malicious or compromised website that displays a fabricated prompt, coercing them into pasting and executing a PowerShell command on their local machine. This social engineering tactic is well-documented and has been a staple in numerous prior campaigns.

However, the critical divergence in this updated ClickFix campaign occurs immediately after the initial PowerShell command executes. Instead of a single, ephemeral callback, the malicious script establishes automated, enduring access, ensuring persistence beyond the initial user interaction.

Security researchers at ReliaQuest first identified this advanced campaign in April 2026. Their findings mark the inaugural instance where ClickFix execution has been observed in conjunction with PySoxy. The analysts characterized the outcome as a “durable access chain,” emphasizing its ability to re-execute repeatedly, even when outbound connections from the compromised host were intercepted and blocked by security controls. This persistence mechanism highlights a substantial shift in the threat’s behavior and its potential impact.

ClickFix Deploys PySoxy for Resilient Access

A crucial lesson from this campaign is that simply blocking an attacker’s network connection does not equate to ending the compromise. In the incident analyzed, endpoint security measures successfully severed both of the attacker’s initial access channels. Despite this, a pre-planted scheduled task on the compromised machine continued to attempt relaunching the malicious script for several hours.

This persistence mechanism effectively transformed a singular user mistake into an ongoing, active compromise. Experts suggest that ransomware affiliates may increasingly adopt ClickFix as a primary entry vector, alongside other established access methods. The operational parallels between this new ClickFix chain and “SocGholish” intrusions, which also utilize social engineering followed by reconnaissance and proxy-based access, indicate that ClickFix is maturing into a formidable pre-ransomware delivery platform.

Once the initial PowerShell command was executed, the attackers rapidly moved to solidify their foothold. They deployed a scheduled task designed to relaunch a staged script from the C:\ProgramData folder approximately every 40 minutes. This script functioned as a lightweight remote access tool (RAT), periodically polling the attacker’s command-and-control (C2) server every three seconds to receive and execute commands on the compromised host, then transmitting the results back.

Following the establishment of PowerShell-based access, the attackers proceeded with reconnaissance, utilizing built-in Windows tools to enumerate group memberships, identify domain controllers, and map other systems within the network. Only after confirming connectivity to a staging server did the attackers introduce PySoxy. They downloaded compiled Python bytecode and executed it with proxy arguments directing traffic to a distinct external IP address.

The deployment of PySoxy provided the attacker with a secondary, independent channel back into the host. This new pathway leveraged different infrastructure and exhibited distinct traffic patterns compared to the initial PowerShell C2. Consequently, even a complete shutdown of the PowerShell connection would leave this secondary access route open, demonstrating the attacker’s strategy of establishing redundant access within the environment.

What You Should Do

  • Isolate Affected Hosts Immediately: Any system suspected of a ClickFix compromise should be fully isolated from the network to prevent lateral movement and further data exfiltration.
  • Review Scheduled Tasks: Conduct a thorough audit of all scheduled tasks, paying close attention to any created around the time of suspicious PowerShell activity. Prioritize investigation of tasks pointing to scripts in non-standard directories like C:\ProgramData.
  • Monitor for Python Execution with Proxy Arguments: Implement monitoring for Python execution, especially when associated with command-line arguments such as -ssl, -remote_ip, and -remote_port, which are indicative of PySoxy usage.
  • Scan for Malicious Files: Search for compiled .pyc files and staged scripts in unexpected locations. Ensure all components of the attack, including Python runtimes and bytecode files, are identified and removed, not just network connections.
  • Enhance User Training: Reinforce security awareness training to educate users about social engineering tactics, the dangers of executing unknown commands, and how to identify suspicious prompts.
  • Implement Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and respond to suspicious process execution, scheduled task creation, and unusual network connections that may signal a ClickFix compromise.
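The two host-side detections above (a scheduled task relaunching a script from C:\ProgramData, and a Python interpreter started with PySoxy-style switches) can be expressed as simple rules over process-creation telemetry. The following is an added example written for this page, not code from the article or from ReliaQuest. It assumes each event is a dict with "pid", "image" and "cmdline" keys (map your EDR or Sysmon Event ID 1 fields onto that shape); the sample records and their TEST-NET IP address are constructed, and the staging directories other than C:\ProgramData are assumptions.

```python
"""Triage Windows process-creation events for the ClickFix / PySoxy
persistence pattern: a schtasks /create whose action lives in a staging
directory, and python.exe run with PySoxy-style proxy switches.

Hypothetical example code; the event dict shape is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Switches the report associates with PySoxy execution.
PYSOXY_SWITCHES = ("-ssl", "-remote_ip", "-remote_port")

# Lower-cased directory prefixes where a task action or .pyc should not
# normally live. C:\ProgramData comes from the report; the other two are
# assumed common staging locations.
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")

PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe", "py.exe"}


@dataclass
class Finding:
    rule: str
    pid: int
    detail: dict


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_staging_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in STAGING_DIRS)


def scheduled_task_staging(cmdline: str) -> Optional[dict]:
    """Details when cmdline is a schtasks /create whose /tr action points
    into a staging directory; None otherwise."""
    if "/create" not in cmdline.lower():
        return None
    # /tr takes either a quoted action string or a single bare token.
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    action = m.group(1) if m.group(1) is not None else m.group(2)
    if not _in_staging_dir(action):
        return None
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.IGNORECASE)  # repeat interval
    return {"action": action, "interval_minutes": int(mo.group(1)) if mo else None}


def pysoxy_like_python(image: str, cmdline: str) -> Optional[dict]:
    """Details when a Python interpreter runs with PySoxy-style switches;
    also records any .pyc passed on the command line."""
    if _basename(image) not in PYTHON_IMAGES:
        return None
    tokens = [t.strip('"') for t in cmdline.lower().split()]
    switches = [s for s in PYSOXY_SWITCHES if s in tokens]
    if not switches:
        return None
    bytecode = [t for t in tokens if t.endswith(".pyc")]
    return {"switches": switches, "bytecode": bytecode,
            "staged_bytecode": [b for b in bytecode if _in_staging_dir(b)]}


def triage(events) -> list:
    """Run both rules over a sequence of events, preserving event order."""
    findings = []
    for ev in events:
        task = scheduled_task_staging(ev["cmdline"])
        if task:
            findings.append(Finding("scheduled_task_staging", ev["pid"], task))
        py = pysoxy_like_python(ev["image"], ev["cmdline"])
        if py:
            findings.append(Finding("pysoxy_python", ev["pid"], py))
    return findings


# Constructed sample records (not real telemetry); the IP is from TEST-NET-3.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /f /tn "SystemUpdate" /sc minute /mo 40 '
                r'/tr "powershell.exe -w hidden -ep bypass -f C:\ProgramData\stage.ps1"'},
    {"pid": 4388, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "NightlyBackup" /sc daily /st 02:00 '
                r'/tr "C:\Program Files\Acme\backup.exe"'},
    {"pid": 5016, "image": r"C:\ProgramData\py\python.exe",
     "cmdline": r"python.exe C:\ProgramData\py\proxy.pyc -ssl -remote_ip 203.0.113.5 -remote_port 443"},
    {"pid": 5120, "image": r"C:\Python312\python.exe",
     "cmdline": r"python.exe -m pip install --upgrade requests"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.rule, f.pid, f.detail)
```

Only the first and third sample events are flagged: the nightly backup task points into C:\Program Files, not C:\ProgramData, and the pip invocation carries none of the proxy switches. The task rule also records the /mo interval, so the roughly 40-minute relaunch cadence described in the article surfaces directly in the finding.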

Indicators of Compromise (IoCs)

Type        Indicator            Description
IP Address  185.205.211[.]217    ClickFix infrastructure IP
IP Address  206.206.103[.]120    PowerShell RAT C2

About the author

Sarah Simpson is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.
