{"id":8137,"date":"2026-05-13T11:42:30","date_gmt":"2026-05-13T11:42:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8137"},"modified":"2026-05-13T11:42:30","modified_gmt":"2026-05-13T11:42:30","slug":"clickfix-finds-a-backup-plan-in-pysoxy-proxy-chains","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8137","title":{"rendered":"ClickFix finds a backup plan in PySoxy proxy chains"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>ClickFix, a one-shot social engineering <a href=\"https:\/\/www.csoonline.com\/article\/4156500\/new-clickfix-variant-bypasses-apple-safeguards-with-one%E2%80%91click-script-execution.html\" target=\"_blank\" rel=\"noopener\">technique<\/a> that tricks victims into executing malicious workflows disguised as fixes to technical issues in their systems, has got a persistence upgrade.<\/p>\n<p>In a one-off instance, ReliaQuest researchers have spotted an intrusion chain using scheduled tasks, PowerShell-based command-and-control (C2), and a unique abuse of the decade-old open-source proxy tool <a href=\"https:\/\/github.com\/MisterDaneel\/pysoxy\/\" target=\"_blank\" rel=\"noopener\">PySoxy<\/a>.<\/p>\n<p>As the researchers pointed out in a blog <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-clickfix-evolves-with-pysoxy-proxying\/\" target=\"_blank\" rel=\"noopener\">post<\/a>, PySoxy is giving attackers encrypted proxy access without relying on well-known malware or remote monitoring and management (<a href=\"https:\/\/www.csoonline.com\/article\/4135307\/dont-trust-trustconnect-this-fake-remote-support-tool-only-helps-hackers.html\" target=\"_blank\" rel=\"noopener\">RMM<\/a>) tools. 
The observed attack chain established an initial PowerShell-based C2 channel, followed by a second C2 path through PySoxy.<\/p>\n<p>The campaign was observed in April. ReliaQuest said this was the first time it had seen ClickFix combined with PySoxy in active intrusions.<\/p>\n<h2 class=\"wp-block-heading\">PySoxy used for dual-channel persistence<\/h2>\n<p>The attack started with a ClickFix lure that tricked the victim into manually pasting and executing a malicious command disguised as a fix to a technical issue. Once launched, the command initiated a multi-stage infection chain.<\/p>\n<p>According to ReliaQuest, the execution flow established persistence through scheduled tasks, carried out domain reconnaissance, and opened an initial <a href=\"https:\/\/www.csoonline.com\/article\/2455156\/beware-powershell-too-helpful-users-tricked-into-fixing-their-machines-with-malware.html\">PowerShell-based<\/a> C2 channel back to the attackers. The chain then deployed PySoxy to create a second encrypted communication path that turns the infected endpoint into a proxy relay.<\/p>\n<p>\u201cAfter staging reconnaissance output locally and uploading it to separate attacker-controlled infrastructure, the attacker downloaded Python tooling to C:\\ProgramData,\u201d the researchers said. \u201cThe compiled bytecode file was then executed with Python and identified as PySoxy. This turned the intrusion from a PowerShell-led access chain into one with redundant access paths.\u201d<\/p>\n<p>Researchers noted that the second foothold, proxying through PySoxy, lets the intrusion continue even after the PowerShell C2 connection is blocked.<\/p>\n<h2 class=\"wp-block-heading\">ClickFix drifts into post-exploitation<\/h2>\n<p>ReliaQuest pointed to evidence that ClickFix is no longer just a social engineering delivery mechanism. 
It is increasingly used as a gateway into broader post-exploitation operations involving stealth, persistence, and trusted-tool abuse.<\/p>\n<p>Earlier this year, the cybersecurity technology company <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-whats-trending-top-cyber-attacker-techniques-december-2025-february-2026\">reported<\/a> that ClickFix accounted for a large share of observed incidents and defense evasion activity in late 2025 and early 2026, with attackers relying on obfuscated commands and hidden execution chains.<\/p>\n<p>The use of PySoxy shows ClickFix operators turning to older, legitimate open-source tooling to add independent access channels. By running multiple communication paths within one chain, the attackers force defenders to contain every channel rather than only the first one they detect.<\/p>\n<p>\u201cLooking ahead, we expect ClickFix operators to continue experimenting with post-exploitation tooling beyond PowerShell,\u201d the researchers said. \u201cPython is one option, but the underlying logic, using whatever scripting runtime is available to stage proxy or C2 capability without dropping a traditional payload, applies equally to other interpreters.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Hunting clues include scheduled tasks and Python artifacts<\/h2>\n<p>In the chain ReliaQuest observed, scheduled tasks repeatedly relaunched malicious activity after communication attempts failed. 
ReliaQuest said defenders should specifically investigate recurring scheduled task creation alongside unusual Python-related artifacts and proxy-style command-line activity.<\/p>\n<p>Recommendations for incident responders included isolating affected hosts, reviewing scheduled tasks for suspicious re-execution patterns, and hunting for encrypted proxy behavior in Python processes instead of focusing solely on blocked C2 traffic.<\/p>\n<p>\u201cHunt for command lines containing combinations such as -ssl, -remote_ip, -remote_port, SOCKS, or .pyc execution,\u201d the researchers said, adding that these are high-value signals for PySoxy-style activity.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>ClickFix, a one-shot social engineering technique that tricks victims into executing malicious workflows disguised as fixes to technical issues in their systems, has got a persistence upgrade. In a one-off instance, ReliaQuest researchers have spotted an intrusion chain using scheduled tasks, PowerShell-based command-and-control (C2), and a unique abuse of the decade-old open-source proxy tool PySoxy. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8138,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8137","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8137"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8137"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8137\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8138"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
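The hunting guidance in the article (command lines combining -ssl, -remote_ip, -remote_port, SOCKS or .pyc execution; Python tooling dropped under C:\ProgramData; scheduled tasks that keep relaunching it) can be turned into a scoring check over process-creation and task-registration events. The script below is an added example, not code from the article or from ReliaQuest, and it makes no claim about PySoxy's real command-line interface: the indicator strings are the ones the article quotes, while the weights, the threshold, the event record layout (mimicking Windows Security event IDs 4688 and 4698) and the sample records are this example's own constructions.

```python
"""Hunt for PySoxy-style proxy activity in Windows process and task logs.

Added example (not code from the article or from ReliaQuest). The indicators
are the ones the article names: -ssl / -remote_ip / -remote_port, "SOCKS",
.pyc execution, Python tooling dropped under C:\\ProgramData and scheduled
tasks that keep relaunching it. The weights, the threshold, the event record
layout and the sample records below are this example's own assumptions.
"""
import re
from collections import Counter

THRESHOLD = 4  # assumed score at which a command line deserves a closer look

# Indicator weights are assumptions chosen so that one weak hint alone
# (e.g. "socks" in a file name) does not fire, but proxy-style flags do.
PROXY_FLAG_WEIGHTS = {"-ssl": 2, "-remote_ip": 2, "-remote_port": 2}
W_PYTHON, W_PROGRAMDATA, W_PYC, W_SOCKS = 1, 2, 2, 1

PYTHON_EXE = re.compile(r"(^|[\\/])python(w|3(\.\d+)?)?(\.exe)?$", re.I)
PROGRAMDATA = re.compile(r"^[a-z]:\\programdata\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def score_cmdline(cmdline):
    """Return (score, reasons) for one process command line."""
    toks = tokenize(cmdline)
    if not toks:
        return 0, []
    score, reasons = 0, []
    exe = toks[0]
    if PYTHON_EXE.search(exe):
        score += W_PYTHON
        reasons.append("python interpreter")
        if PROGRAMDATA.match(exe):  # interpreter itself staged under ProgramData
            score += W_PROGRAMDATA
            reasons.append("interpreter under ProgramData")
    for tok in toks[1:]:
        low = tok.lower()
        if low.endswith(".pyc"):  # compiled bytecode handed straight to python
            score += W_PYC
            reasons.append("compiled bytecode argument")
        if low in PROXY_FLAG_WEIGHTS:
            score += PROXY_FLAG_WEIGHTS[low]
            reasons.append(f"proxy flag {low}")
        if "socks" in low:
            score += W_SOCKS
            reasons.append("socks keyword")
    return score, reasons


def is_pysoxy_like(cmdline, threshold=THRESHOLD):
    return score_cmdline(cmdline)[0] >= threshold


def hunt(events, threshold=THRESHOLD):
    """Scan process-creation (4688) and task-registration (4698) records.

    Returns (process_hits, recurring_tasks): process hits are (index, score,
    reasons); recurring tasks are task names registered more than once with a
    suspicious action, the re-execution pattern the article describes.
    """
    process_hits = []
    task_regs = Counter()
    for i, ev in enumerate(events):
        if ev["event_id"] == 4688:
            score, reasons = score_cmdline(ev["cmdline"])
            if score >= threshold:
                process_hits.append((i, score, reasons))
        elif ev["event_id"] == 4698 and is_pysoxy_like(ev["action"], threshold):
            task_regs[ev["task_name"]] += 1
    recurring = sorted(name for name, n in task_regs.items() if n > 1)
    return process_hits, recurring


# Constructed sample records; IPs are documentation addresses, not real C2.
RELAY_CMD = (r'"C:\ProgramData\pytools\python.exe" C:\ProgramData\pytools\relay.pyc '
             r"-ssl -remote_ip 203.0.113.10 -remote_port 443")
SAMPLE_EVENTS = [
    {"event_id": 4688, "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -w hidden -c Get-Date'},
    {"event_id": 4688, "cmdline": RELAY_CMD},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Updater", "action": RELAY_CMD},
    {"event_id": 4688, "cmdline": r'"C:\Program Files\Python312\python.exe" -m pip install requests'},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Updater", "action": RELAY_CMD},
    {"event_id": 4688, "cmdline": r'"C:\Program Files\Python312\python.exe" C:\Users\dev\proj\socks_client.py'},
]

if __name__ == "__main__":
    hits, tasks = hunt(SAMPLE_EVENTS)
    for i, score, reasons in hits:
        print(f"[{score}] event {i}: {', '.join(reasons)}")
    print("recurring suspicious tasks:", tasks)
```

On the sample data only the relay command line crosses the threshold, while a developer's `socks_client.py` and a `pip install` stay below it, and the task registered twice with the relay action is reported as recurring. The check only inspects the first token as the interpreter, so a launch wrapped in `cmd.exe /c python ...` or a renamed interpreter would need the parent-process or file-hash context that this example does not carry.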