
ClickFix attacks with PySoxy scheduled-task persistence

Malware Activity
Happening score: 16
1 unique sources, 1 articles

Summary


Cybercriminals are combining ClickFix with PySoxy to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a Python SOCKS5 proxy and a scheduled task to keep re-executing attacker activity, which makes containment harder. It also shows ClickFix moving beyond one-time user execution into modular post-exploitation.

Related Happenings

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

DeepLoad credential-stealing malware activity with WMI persistence

Malware Activity
First: 31.03.2026 00:25 Last: 31.03.2026 00:25 Sources 1

About this happening: The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...

Torg Grabber browser-extension theft activity

Malware Activity
First: 25.03.2026 20:32 Last: 25.03.2026 20:32 Sources 1

About this happening: The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...

LeakNet ClickFix compromised-website targeting campaign

Campaign
First: 17.03.2026 16:34 Last: 17.03.2026 16:34 Sources 1

About this happening: The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...

Timeline

  1. 12.05.2026 15:00 2 articles · 15d ago

    ReliaQuest details ClickFix and PySoxy persistence on victims' machines

    Technical Analysis Update

    ReliaQuest described ClickFix activity that used PySoxy, a 10-year-old open-source Python SOCKS5 proxy, to maintain persistence on victims’ machines after removal attempts. The attackers held back PySoxy until after the initial compromise and used a scheduled task to restart activity. Researchers also observed attempts to deliver a final payload via PowerShell, Python scripts, and a RAT; endpoint controls blocked those channels.
