ClickFix Evolves with 10-Year-Old Open-Source Python SOCKS5 Proxy

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A cyberattack campaign that tricks users into running malicious commands on their own computers has taken a dangerous new turn. The technique, known as “ClickFix,” has been circulating for some time, but a recent incident revealed that attackers are now pairing it with a 10-year-old open-source Python tool to create a far more resilient form of access.

What was once treated as a simple user mistake is now evolving into a complex multi-layered intrusion that can survive even after security tools step in to block it.

The attack begins when a user visits a compromised website that presents a fake prompt, convincing the visitor to paste and run a PowerShell command on their own machine. This well-known social engineering trick has appeared in many earlier campaigns.

What makes this version different is what happens after that single command runs. Rather than stopping at one callback, the intrusion sets up automated access that continues long after the initial click.

Security researchers at ReliaQuest identified this updated campaign in April 2026, noting that it marked the first observed case where ClickFix execution was combined with PySoxy, a Python-based SOCKS5 proxy tool originally published roughly a decade ago.

The analysts described the result as a “durable access chain,” one that continued re-executing even after outbound connections were blocked by security controls. That detail alone signals a meaningful shift in how this threat behaves.

ClickFix Deploys PySoxy

The central lesson here is one that defenders often overlook: blocking an attacker’s connection does not mean the attack is over. In the incident studied, both of the attacker’s access channels were cut off by endpoint controls, yet a scheduled task already on the affected machine kept attempting to relaunch the malicious script for hours.

This persistence mechanism transformed a single user mistake into an ongoing compromise.

The operational similarities between this chain and SocGholish intrusions, which also rely on social engineering before moving into reconnaissance and proxy-based access, suggest ClickFix is maturing into a serious pre-ransomware delivery platform.

Once the initial PowerShell command ran, the attacker moved quickly to build a deeper foothold. A scheduled task was planted that relaunched a staged script from the C:\ProgramData folder roughly every 40 minutes. That script functioned as a lightweight remote access tool, polling the attacker’s server every three seconds, executing commands on the host, and sending back results.

After establishing this PowerShell-based access, the attacker moved into reconnaissance. Built-in Windows tools were used to enumerate group memberships, identify domain controllers, and map other machines on the network. Only after confirming that a staging server could be reached did the attacker introduce PySoxy, downloading compiled Python bytecode and running it with proxy arguments pointing to a separate external IP address.

PySoxy gave the attacker a second, independent route back into the host. This second channel used different infrastructure and a different traffic pattern than the first, meaning that a complete shutdown of the PowerShell C2 connection would still leave this second door open. The attacker had built two separate access paths into the same environment.
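A SOCKS5 proxy such as the one described above has a recognisable shape on the wire, and a sensor that decodes the first two client messages of RFC 1928 can alert when a workstation starts speaking SOCKS5 to an outside address. The decoder below is an added example written for this article; it is not PySoxy's code and makes no assumption about how PySoxy is implemented. The sample greeting and request bytes, and the example.com / 203.0.113.10 destinations, are constructed.

```python
"""Decode the two client messages that open a SOCKS5 session (RFC 1928).

Added illustration, not PySoxy code. Recognising these bytes lets a network
sensor flag a second, proxy-based channel leaving a host that should not be
running a proxy at all. All sample bytes in this file are constructed."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NAMES = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}


def parse_greeting(data: bytes) -> dict:
    """Client greeting: VER | NMETHODS | METHODS[1..255]."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        raise ValueError("bad or truncated method list")
    methods = list(data[2:2 + nmethods])
    return {
        "methods": [METHOD_NAMES.get(m, f"0x{m:02x}") for m in methods],
        "offers_no_auth": 0x00 in methods,
    }


def parse_request(data: bytes) -> dict:
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, rsv, atyp = data[1], data[2], data[3]
    if rsv != 0x00:
        raise ValueError("reserved byte must be zero")
    pos = 4
    if atyp == ATYP_IPV4:
        raw, pos = data[pos:pos + 4], pos + 4
        host = str(ipaddress.IPv4Address(raw))  # raises ValueError if short
    elif atyp == ATYP_IPV6:
        raw, pos = data[pos:pos + 16], pos + 16
        host = str(ipaddress.IPv6Address(raw))
    elif atyp == ATYP_DOMAIN:
        length = data[pos]
        raw, pos = data[pos + 1:pos + 1 + length], pos + 1 + length
        if len(raw) != length:
            raise ValueError("truncated domain name")
        host = raw.decode("ascii")
    else:
        raise ValueError(f"unknown address type 0x{atyp:02x}")
    if len(data) < pos + 2:
        raise ValueError("truncated port")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"command": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "host": host, "port": port}


def describe_session(greeting: bytes, request: bytes) -> str:
    """One-line summary of the session opening, suitable for an alert body."""
    g = parse_greeting(greeting)
    r = parse_request(request)
    auth = "no authentication offered" if g["offers_no_auth"] else "auth " + "/".join(g["methods"])
    return f"SOCKS5 {r['command']} to {r['host']}:{r['port']} ({auth})"


# Constructed sample capture: the client offers only no-auth, then asks the
# proxy to CONNECT to example.com:443.
SAMPLE_GREETING = b"\x05\x01\x00"
SAMPLE_REQUEST = (b"\x05\x01\x00\x03" + bytes([len(b"example.com")])
                  + b"example.com" + struct.pack("!H", 443))

if __name__ == "__main__":
    print(describe_session(SAMPLE_GREETING, SAMPLE_REQUEST))
```

The useful signal for a defender is not the protocol itself but the combination: an unauthenticated SOCKS5 CONNECT leaving an endpoint, over a port and to an address that the host's first C2 channel never used, is exactly the "second door" the article describes.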

Why a Blocked Callback Is Not Enough

The most important takeaway from this campaign is that containment requires more than blocking a single connection. Analysts recommend fully isolating the affected host and reviewing all scheduled tasks, particularly those created shortly after suspicious PowerShell activity. Any tasks pointing to scripts in non-standard directories like ProgramData should be treated as high-priority findings.

Incident responders should look for Python execution tied to proxy-style command-line arguments, specifically flags like -ssl, -remote_ip, and -remote_port, as well as compiled .pyc files in unexpected locations. Removing staged scripts, Python runtimes, and bytecode files is just as critical as blocking the network connection, because any leftover component can restart the chain. Treating a ClickFix incident as a potential full compromise rather than an isolated user error is now the only appropriate response.
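The two hunts recommended above (scheduled tasks created shortly after PowerShell activity that launch scripts from staging directories, and Python started with proxy-style flags or from bytecode in odd places) can be scripted over exported telemetry. The triage code below is an added example for this article, not tooling from ReliaQuest or PySoxy; the task and process records are constructed to resemble Task Scheduler and process-creation events, the staging-directory and expected-bytecode lists are assumptions, and 203.0.113.5 is a documentation address.

```python
"""Triage helpers for post-ClickFix artefacts: tasks that relaunch a staged
script, and Python runs with proxy-style arguments or stray .pyc files.

Added example, not vendor code. Records below are constructed telemetry."""
import re
from datetime import datetime, timedelta

# Directories where a task-launched script deserves a second look (assumed list).
STAGING_DIRS = (r"c:\programdata", r"c:\users\public", r"\appdata\local\temp", r"c:\windows\temp")
# Proxy-style switches named in the report, in the single-dash form it prints.
PROXY_FLAGS = {"-ssl", "-remote_ip", "-remote_port"}
# Bytecode normally lives under a Python install or a __pycache__ folder (assumed).
EXPECTED_PYC_DIRS = (r"\python3", r"\site-packages", r"\__pycache__")
PYC_PATH = re.compile(r'[a-z]:\\[^\s"]+\.pyc')


def review_tasks(tasks, events, window=timedelta(minutes=30)):
    """Flag tasks that run from staging dirs or appear right after PowerShell."""
    ps_times = [datetime.fromisoformat(e["time"]) for e in events
                if e["image"].lower() == "powershell.exe"]
    findings = []
    for t in tasks:
        action, created = t["action"].lower(), datetime.fromisoformat(t["created"])
        reasons = []
        if any(d in action for d in STAGING_DIRS):
            reasons.append("action launches a script from a staging directory")
        if any(timedelta(0) <= created - p <= window for p in ps_times):
            reasons.append("created shortly after PowerShell activity")
        if reasons:
            findings.append({"kind": "task", "name": t["name"],
                             "severity": "high" if len(reasons) == 2 else "medium",
                             "reasons": reasons})
    return findings


def review_processes(events):
    """Flag Python runs with proxy flags and .pyc files outside a Python install."""
    findings = []
    for e in events:
        image, cmd = e["image"].lower(), e["cmdline"].lower()
        reasons = []
        if image.startswith("python") and PROXY_FLAGS & set(cmd.split()):
            reasons.append("python started with proxy-style arguments")
        for path in PYC_PATH.findall(cmd):
            if not any(d in path for d in EXPECTED_PYC_DIRS):
                reasons.append(f"bytecode outside a Python install: {path}")
        if reasons:
            findings.append({"kind": "process", "time": e["time"], "image": e["image"],
                             "severity": "high", "reasons": reasons})
    return findings


def triage(tasks, events):
    """Combined findings: tasks first, then processes."""
    return review_tasks(tasks, events) + review_processes(events)


# Constructed telemetry. One benign task and one benign Python run are included
# so the rules can be seen not firing.
TASKS = [
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "created": "2026-04-10T03:00:00",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"name": r"\OneDriveUpdate", "created": "2026-04-10T09:14:30",
     "action": r"powershell.exe -w hidden -ep bypass -f C:\ProgramData\update.ps1"},
]
EVENTS = [
    {"time": "2026-04-10T09:13:05", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <command pasted by the user>"},
    {"time": "2026-04-10T09:52:40", "image": "python.exe",
     "cmdline": r"python.exe C:\Users\Public\pr.pyc -remote_ip 203.0.113.5 -remote_port 1080 -ssl"},
    {"time": "2026-04-10T10:00:00", "image": "python.exe",
     "cmdline": r"python.exe C:\Python312\Lib\__pycache__\compileall.cpython-312.pyc"},
]

if __name__ == "__main__":
    for f in triage(TASKS, EVENTS):
        who = f.get("name") or f["image"]
        print(f["severity"].upper(), f["kind"], who, "|", "; ".join(f["reasons"]))
```

Run against real exports, the task review is the more important half: a task that fires every 40 minutes will relaunch the chain no matter how many callbacks are blocked, so every task flagged here should be removed along with the script, runtime and bytecode it points at.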

Indicators of Compromise (IoCs):

| Type       | Indicator         | Description                                                                      |
|------------|-------------------|----------------------------------------------------------------------------------|
| IP Address | 185.205.211[.]217 | ClickFix Infrastructure IP                                                       |
| IP Address | 206.206.103[.]120 | PowerShell RAT C2                                                                |
| IP Address | 206.206.103[.]106 | Staging and Exfiltration IP                                                      |
| IP Address | 167.99.158[.]97   | PySoxy Proxy Destination IP                                                      |
| Domain     | strapness[.]com   | ClickFix Stager Domain                                                           |
| Domain     | abledom[.]net     | Secondary C2 Domain                                                              |
| Domain     | overlateise[.]com | Hosted the ClickFix script (/api/jquery[.]js) injected into the compromised site |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
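Re-fanging the table only inside a controlled tool is easier if the tool does the re-fanging itself and defangs again on output. The script below, an added example rather than anything from the report, parses the indicator rows above (copied in verbatim, in either the flat or the pipe-separated form), matches them against log lines, and reports hits in defanged form. The log lines are constructed, in a generic key=value style.

```python
"""Defanged IoC table -> lookup set -> matches in logs, reported defanged.

Added example, not from the report. Indicators are copied from the table
above; the log lines are constructed."""
import re

IOC_TABLE = """
IP Address 185.205.211[.]217 ClickFix Infrastructure IP
IP Address 206.206.103[.]120 PowerShell RAT C2
IP Address 206.206.103[.]106 Staging and Exfiltration IP
IP Address 167.99.158[.]97 PySoxy Proxy Destination IP
Domain strapness[.]com ClickFix Stager Domain
Domain abledom[.]net Secondary C2 Domain
Domain overlateise[.]com Hosted the ClickFix script (/api/jquery[.]js) injected into the compromised site
"""

ROW = re.compile(r"(IP Address|Domain)\s+(\S+)\s+(.*)")
# Candidate IPv4 addresses or hostnames inside a lower-cased log line.
CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def refang(value: str) -> str:
    """Undo the usual defanging so a value can be compared with live logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def defang(value: str) -> str:
    """Make an indicator safe to paste into a ticket or chat."""
    return value.replace(".", "[.]")


def parse_iocs(text: str) -> dict:
    """Map refanged, lower-cased indicator -> (type, description).

    Pipe characters are stripped first, so pipe-table rows parse as well."""
    iocs = {}
    for line in text.splitlines():
        m = ROW.search(line.replace("|", " ").strip())
        if m:
            kind, value, desc = m.groups()
            iocs[refang(value).lower()] = (kind, desc.strip())
    return iocs


def match_logs(iocs: dict, lines) -> list:
    """One hit per (line, indicator) pair; indicators are returned defanged."""
    hits = []
    for n, line in enumerate(lines, start=1):
        seen = set()
        for cand in CANDIDATE.findall(line.lower()):
            if cand in iocs and cand not in seen:
                seen.add(cand)
                kind, desc = iocs[cand]
                hits.append({"line": n, "indicator": defang(cand),
                             "type": kind, "description": desc})
    return hits


# Constructed log lines: two DNS queries, one proxy CONNECT, one flow record.
LOG_LINES = [
    "2026-04-10T09:13:07Z dns host=WS01 qname=strapness.com",
    "2026-04-10T09:13:09Z proxy host=WS01 method=CONNECT dst=185.205.211.217:443",
    "2026-04-10T09:20:00Z dns host=WS01 qname=update.microsoft.com",
    "2026-04-10T09:52:41Z netflow host=WS01 dst=167.99.158.97:1080 proto=tcp",
]

if __name__ == "__main__":
    for h in match_logs(parse_iocs(IOC_TABLE), LOG_LINES):
        print(f"line {h['line']}: {h['indicator']} ({h['type']}) - {h['description']}")
```

Note that the live form of the indicator exists only inside the process: the table stays defanged on disk and every hit is defanged again before it is printed, which keeps the re-fanged values out of tickets and chat transcripts.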
