Operation ClickFix Persistence Mechanism Leveraging PySoxy Proxy
Summary
A cybercriminal campaign combining ClickFix social engineering with PySoxy, a decade-old Python SOCKS5 proxy tool, establishes persistent access on compromised hosts without traditional malware, evading conventional removal attempts. The intrusion begins with ClickFix, a user-executed social engineering tactic that deceives victims into running malicious commands or downloading payloads. Attackers then delay deployment of PySoxy to perform reconnaissance, identify lateral movement targets, and confirm communication with attacker-controlled infrastructure before activating the proxy as a persistence mechanism via scheduled tasks. This modular approach enables repeated re-execution attempts even when endpoint protections block primary payloads or command-and-control (C2) connections.
Timeline
12.05.2026 15:00 · 1 article
ClickFix Campaign Introduces PySoxy Proxy for Persistent Access
Security researchers observed a ClickFix-based intrusion where attackers deployed PySoxy, a Python SOCKS5 proxy, as a persistence mechanism via scheduled tasks after initial compromise. The attack sequence involved delayed deployment of PySoxy following reconnaissance and infrastructure validation, enabling repeated re-execution attempts even when primary payloads or C2 connections were blocked by endpoint controls.
- Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence — www.infosecurity-magazine.com — 12.05.2026 15:00
Information Snippets
- ClickFix is a social engineering technique that tricks users into executing malicious commands or downloading harmful payloads, serving as an initial access vector.
First reported: 12.05.2026 15:00 · 1 source, 1 article
- Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence — www.infosecurity-magazine.com — 12.05.2026 15:00
- PySoxy, a 10-year-old open-source Python SOCKS5 proxy tool, is used as a persistence mechanism via scheduled tasks to maintain access on compromised hosts.
First reported: 12.05.2026 15:00 · 1 source, 1 article
- Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence — www.infosecurity-magazine.com — 12.05.2026 15:00
- Attackers introduce PySoxy only after completing reconnaissance, confirming host communication with attacker-controlled staging infrastructure, and identifying follow-on targets.
First reported: 12.05.2026 15:00 · 1 source, 1 article
- Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence — www.infosecurity-magazine.com — 12.05.2026 15:00
- The campaign demonstrates modular post-exploitation, where primary payloads (e.g., RATs) are blocked by endpoint controls, but persistence mechanisms allow repeated re-execution attempts.
First reported: 12.05.2026 15:00 · 1 source, 1 article
- Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence — www.infosecurity-magazine.com — 12.05.2026 15:00
- Security recommendations include isolating affected hosts, reviewing scheduled tasks, analyzing Python artifacts, and hunting for proxy-style Python command lines during incident response.
First reported: 12.05.2026 15:00 · 1 source, 1 article
- Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence — www.infosecurity-magazine.com — 12.05.2026 15:00
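
The recommendation to review scheduled tasks and hunt for proxy-style Python command lines, sketched as an added example (not code from the cited report or from the PySoxy project). The signals, the threshold and the sample task list are assumptions constructed for illustration; the report gives no specific command lines or indicators.

```python
import re

# Heuristics below are assumptions made for this example, not indicators from the report.
PY = re.compile(r'(?i)(?:^|[\\/\s"])pythonw?[\d.]*(?:\.exe)?(?=[\s"]|$)')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT = re.compile(r"[\s:](\d{2,5})(?=\s|$)")
USER_PATH = re.compile(r"(?i)\\(?:users|programdata|temp)\\")
INLINE_SOCKET = re.compile(r"(?i)\s-c\s.*\bsocket\b")

def signals(cmd):
    """Return the reasons a task action looks like a Python-launched proxy."""
    if not PY.search(cmd):
        return []  # only task actions that start a Python interpreter are scored
    found = []
    if USER_PATH.search(cmd):
        found.append("user-writable path")
    if re.search(r"(?i)pythonw", cmd):
        found.append("windowless interpreter")
    has_port = any(0 < int(p) < 65536 for p in PORT.findall(cmd))
    if IPV4.search(cmd) and has_port:
        found.append("IP literal plus port argument")
    if INLINE_SOCKET.search(cmd):
        found.append("inline socket code")
    return found

def hunt(tasks, threshold=2):
    """Map task name -> signals for tasks that meet the signal threshold."""
    hits = {}
    for name, cmd in tasks:
        s = signals(cmd)
        if len(s) >= threshold:
            hits[name] = s
    return hits

# Constructed sample (task name, action command line); not real telemetry.
SAMPLE_TASKS = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"C:\Windows\system32\defrag.exe -c -h -o"),
    (r"\UpdaterSvc", r"C:\Users\alice\AppData\Roaming\py\pythonw.exe C:\Users\alice\AppData\Roaming\py\svc.py 203.0.113.10 443"),
    (r"\BackupJob", r'"C:\Program Files\Python312\python.exe" D:\ops\backup.py --dest \\nas\share'),
    (r"\Sync", r'C:\ProgramData\rt\python.exe -c "import socket"'),
]

if __name__ == "__main__":
    for name, why in hunt(SAMPLE_TASKS).items():
        print(name, "->", ", ".join(why))
```

A single signal, such as a developer's virtual environment under a user profile, stays below the threshold, so treat hits as triage leads to confirm against the task's creation time and the script's contents.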