ClickFix, a one-shot social engineering technique that tricks victims into executing malicious commands disguised as fixes for technical problems on their own systems, has received a persistence upgrade.
In a one-off instance, ReliaQuest researchers have spotted an intrusion chain using scheduled tasks, PowerShell-based command-and-control (C2), and a unique abuse of the decade-old open-source proxy tool PySoxy.
As the researchers pointed out in a blog post, PySoxy is giving attackers encrypted proxy access without relying on well-known malware or remote monitoring and management (RMM) tools. The observed attack chain established an initial PowerShell-based C2 channel, followed by a second C2 path through PySoxy.
The campaign was observed in April. ReliaQuest said this was the first time it had seen ClickFix combined with PySoxy in active intrusions.
PySoxy used for dual-channel persistence
The attack started with a ClickFix lure that tricked the victim into manually pasting and executing a malicious command disguised as a fix to a technical issue. Once launched, the command initiated a multi-stage infection chain.
According to ReliaQuest, the execution flow established persistence through scheduled tasks, carried out domain reconnaissance, and opened an initial PowerShell-based C2 channel back to the attackers. The chain then deployed PySoxy to create a second, encrypted communication path that turns the infected endpoint into a proxy relay.
“After staging reconnaissance output locally and uploading it to separate attacker-controlled infrastructure, the attacker downloaded Python tooling to C:\ProgramData,” the researchers said. “The compiled bytecode file was then executed with Python and identified as PySoxy. This turned the intrusion from a PowerShell-led access chain into one with redundant access paths.”
Researchers noted that the second foothold, proxying through PySoxy, allows the intrusion to continue even after the PowerShell C2 connection is blocked.
ClickFix drifts into post-exploitation
ReliaQuest said the case is further evidence that ClickFix is no longer just a social engineering delivery mechanism. It is increasingly used as a gateway into broader post-exploitation operations involving stealth, persistence, and abuse of trusted tools.
Earlier this year, the cybersecurity technology company reported that ClickFix accounted for a large share of observed incidents and defense evasion activities in late 2025 and early 2026, with attackers relying on obfuscated commands and hidden execution chains.
The use of PySoxy marks a shift by ClickFix operators toward older, legitimate tooling and modular access techniques. By building multiple communication paths into a single chain, the attackers force defenders to contain more than the first C2 channel they spot.
“Looking ahead, we expect ClickFix operators to continue experimenting with post-exploitation tooling beyond PowerShell,” the researchers said. “Python is one option, but the underlying logic, using whatever scripting runtime is available to stage proxy or C2 capability without dropping a traditional payload, applies equally to other interpreters.”
Hunting clues include scheduled tasks and Python artifacts
In the chain ReliaQuest observed, scheduled tasks repeatedly relaunched the malicious activity after communication attempts failed. ReliaQuest said defenders should specifically investigate recurring scheduled task creation alongside unusual Python-related artifacts and proxy-style command-line activity.
Recommendations for incident responders included isolating affected hosts, reviewing scheduled tasks for suspicious re-execution patterns, and hunting for encrypted proxy behavior in Python processes instead of focusing solely on blocked C2 traffic.
“Hunt for command lines containing combinations such as -ssl, -remote_ip, -remote_port, SOCKS, or .pyc execution,” the researchers said, adding that these are high-value signals for PySoxy-style activity.
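As an added illustration of that hunt (this is example code, not ReliaQuest's or the PySoxy project's), the block below runs the signals listed above over a handful of constructed process-creation events and ranks hosts by how many of them co-occur. The flag list comes from the article; the regular expressions, the list of staging directories, the field names (loosely modelled on Sysmon Event ID 1) and the severity scheme are assumptions to tune per estate, and every host name, path, IP address and task name in the sample data is invented.

```python
"""Added example, not code from ReliaQuest or the PySoxy project.

A small hunt over process-creation telemetry for the signals the article
lists: scheduled-task creation that re-launches a script, Python started
from an unusual directory, and proxy-style command lines (-ssl, -remote_ip,
-remote_port, SOCKS, .pyc execution). Events are constructed for the
example; field names roughly follow Sysmon Event ID 1.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    cmdline: str


# Flags the article names as high-value PySoxy-style signals.
PROXY_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:ssl|remote_ip|remote_port)\b|\bsocks\b|\.pyc\b")
# python.exe / pythonw.exe, versioned or not (python3.exe, python311.exe).
PYTHON_IMAGE = re.compile(r"(?i)\\pythonw?[\d.]*\.exe$")
# Directories a user-mode dropper typically stages into (assumption; tune per estate).
STAGING_DIR = re.compile(
    r"(?i)\\(?:programdata|users\\public|temp|appdata\\local\\temp)\\")
# schtasks /create whose action launches an interpreter or something in a staging dir.
TASK_CREATE = re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b")
TASK_ACTION = re.compile(
    r'(?i)/tr\s+"?[^"]*(?:powershell|pwsh|python|wscript|cscript|mshta'
    r'|\.pyc|programdata|\\public\\|\\temp\\)')

# Constructed sample events (hosts, paths, IPs and task names are invented).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn "SysHealthCheck" '
                r'/tr "powershell -w hidden -ep bypass -f C:\ProgramData\h.ps1" /f'},
    {"host": "WS01", "image": r"C:\ProgramData\py\python.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\ProgramData\py\python.exe C:\ProgramData\py\s.pyc "
                r"-ssl -remote_ip 203.0.113.10 -remote_port 443"},
    {"host": "WS02", "image": r"C:\Program Files\Python311\python.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Python311\python.exe" C:\Users\dev\proj\build.py'},
    {"host": "WS02", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"schtasks /query /fo LIST"},
    {"host": "WS03", "image": r"C:\Program Files\Python311\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Program Files\Python311\python.exe" C:\tools\relay.pyc '
                r"-remote_ip 198.51.100.7 -remote_port 8443"},
]


def hunt(events):
    """Return one Finding per (event, rule) hit; pure function, easy to test."""
    findings = []
    for ev in events:
        host, image, cmd = ev["host"], ev["image"], ev["cmdline"]
        if TASK_CREATE.search(cmd) and TASK_ACTION.search(cmd):
            findings.append(Finding(host, "scheduled_task_relaunch", cmd))
        if PYTHON_IMAGE.search(image):
            if STAGING_DIR.search(image):
                findings.append(Finding(host, "python_from_staging_dir", cmd))
            if PROXY_FLAGS.search(cmd):
                findings.append(Finding(host, "python_proxy_cmdline", cmd))
    return findings


def prioritise(findings):
    """Rank hosts: persistence plus a Python proxy signal on the same host is
    the dual-channel pattern the article describes, so it sorts first; a
    proxy command line alone is medium; anything else is low."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    ranked = []
    for host, rules in by_host.items():
        persistence = "scheduled_task_relaunch" in rules
        proxy = "python_proxy_cmdline" in rules
        level = "high" if persistence and proxy else "medium" if proxy else "low"
        ranked.append((host, level, sorted(rules)))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(ranked, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for host, level, rules in prioritise(hunt(SAMPLE_EVENTS)):
        print(f"{host}: {level} {rules}")
```

The point of `prioritise` is the article's containment caveat: a host with only a blocked PowerShell beacon looks contained, but a host that also shows a scheduled task and a Python process with proxy flags still has a working second path, so it should be isolated first. A developer's Python build (WS02 above) trips nothing, and a proxy command line from a normal install location (WS03) surfaces for review without being treated as confirmed.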