EXECUTIVE SUMMARY:
A new evolution of the ClickFix social engineering campaign involving PySoxy has been observed in which attackers extend a single user-executed command into a persistent, multi-stage intrusion. Instead of ending after initial execution, the attack chain establishes long-term access mechanisms and introduces secondary tooling to maintain control over compromised systems. This shift shows ClickFix moving beyond simple credential or payload delivery into a structured post-exploitation framework designed to survive initial detection and blocking attempts.
The intrusion begins when a victim is tricked into executing a malicious PowerShell command from a compromised or spoofed website. This initial execution triggers a sequence that includes in-memory PowerShell-based command-and-control communication, system reconnaissance, and the creation of scheduled tasks for persistence. The scheduled task repeatedly relaunches malicious scripts from non-standard directories, ensuring continued execution even if the initial session is terminated or network traffic is blocked. After establishing internal awareness through domain and system discovery, the attacker introduces Python-based tooling, specifically a SOCKS5 proxy implementation known as PySoxy. The tool is executed via compiled Python bytecode and configured to establish encrypted outbound communication through proxy parameters, effectively creating a second, independent C2 channel. This dual-channel design (PowerShell-based access plus Python-based proxying) enables redundant control paths and complicates containment efforts: blocking one channel does not eliminate the other, because local persistence mechanisms keep both alive.
The campaign highlights a shift in ClickFix operations from simple user-driven execution to resilient intrusion chains that combine native system abuse, scheduled task persistence, and a dual-channel command-and-control architecture. The use of both PowerShell and Python-based proxying significantly increases attacker survivability, as blocking one communication channel does not terminate the intrusion. Effective defense therefore requires full incident containment beyond network-level blocking, including removal of persistence mechanisms, staged artifacts, and interpreter-based payloads, to fully disrupt attacker access.
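As an added hunting example (not code from the referenced reports), assuming persistence entries have already been exported as task name and action command line pairs: the script flags the two traits the summary describes, a script interpreter relaunched from a non-standard directory and Python bytecode started with proxy parameters. The directory baseline and sample entries are constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Locations from which a persistence entry should not normally relaunch a script
# interpreter. Constructed baseline for this example; tune to the environment.
NON_STANDARD_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
INTERPRETERS = ("powershell", "pwsh", "python")

@dataclass
class Finding:
    task: str
    reason: str

def is_non_standard_path(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(d in p for d in NON_STANDARD_DIRS)

def analyse_task(name: str, command: str) -> list[Finding]:
    """Inspect one persistence entry (e.g. a scheduled task action) and flag an
    interpreter relaunching a script from a non-standard directory, and Python
    bytecode started with proxy parameters (the SOCKS5 proxy tooling pattern)."""
    cmd = command.lower()
    tokens = cmd.split()
    exe = tokens[0] if tokens else ""
    findings: list[Finding] = []
    # Any absolute Windows path on the command line (script, bytecode, binary).
    paths = re.findall(r'[a-z]:\\[^\s"]+', cmd)
    if any(i in exe for i in INTERPRETERS) and any(is_non_standard_path(p) for p in paths):
        findings.append(Finding(name, "interpreter relaunches script from non-standard directory"))
    if "python" in exe and ".pyc" in cmd and ("proxy" in cmd or "socks" in cmd):
        findings.append(Finding(name, "Python bytecode launched with proxy parameters"))
    return findings

def hunt(tasks: dict[str, str]) -> list[Finding]:
    """Run analyse_task over a mapping of task name -> action command line."""
    return [f for name, cmd in tasks.items() for f in analyse_task(name, cmd)]

# Constructed sample entries (not real indicators): one benign built-in task,
# one task relaunching a PowerShell script from a public folder, and one task
# running compiled Python bytecode with SOCKS proxy settings.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": r"%windir%\system32\defrag.exe -c -h -o -$",
    "\\Updater": r"powershell.exe -NoProfile -File C:\Users\Public\Libraries\update.ps1",
    "\\SyncHelper": r"C:\ProgramData\py\python.exe C:\ProgramData\py\svc.pyc --proxy-host proxy.example.invalid --proxy-port 1080",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS):
        print(f"{f.task}: {f.reason}")
```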
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Discovery | T1087.001 | Account Discovery | Local Account |
| Discovery | T1016.001 | System Network Configuration Discovery | Internet Connection Discovery |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/clickfix-evolves-with-python-socks5-proxy/
https://reliaquest.com/blog/threat-spotlight-clickfix-evolves-with-pysoxy-proxying/