Attackers Combine ClickFix With PySoxy to Maintain Persistence

https://www.infosecurity-magazine.com/news/clickfix-combined-pysoxy-proxying/

Publish Date: 2026-05-24 01:55:37

Source Domain: www.infosecurity-magazine.com

Summary:

Cybercriminals are using ClickFix attacks, a social engineering tactic that tricks users into executing harmful commands themselves, together with PySoxy, an old open-source Python SOCKS5 proxy tool, to maintain persistence on compromised machines. A detailed analysis by ReliaQuest’s researchers shows that this combination is more insidious because a scheduled task repeatedly re-executes the proxy, even after the initial malicious execution is removed. The intrusion involved deliberate preparation before PySoxy was introduced, ensuring sustained access. The researchers found that even blocking PowerShell and Python scripts or dropping a Remote Access Trojan (RAT) did not halt the attackers’ persistence mechanism. The attackers’ careful planning indicates preparation for continued access rather than a one-time reconnaissance effort. ReliaQuest recommends that response teams treat any ClickFix incident involving secondary tools as an active compromise investigation requiring thorough isolation and review of artifacts. To detect ClickFix follow-on activity, ReliaQuest advises security teams to scrutinize scheduled tasks, Python artifacts, and proxy-style command lines.

Key Points:

  • Cybercriminals are combining ClickFix attacks with PySoxy to maintain persistence on victims’ devices post-removal.
  • The attack showcases a modular post-exploitation phase, making it harder to identify and contain.
  • Attackers deliberately planned their intrusion, delaying the introduction of PySoxy until they could ensure it could communicate with their controlled infrastructure.
  • Even advanced endpoint controls failed to stop the attackers due to the persistence mechanism.
  • Response teams should treat ClickFix incidents with persistence as an active compromise, isolating affected systems and thoroughly reviewing all artifacts and removal protocols.
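As an added example (not from the article or from ReliaQuest), the following Python triage heuristic scores scheduled-task records against the artifact types the article names: a Python interpreter, proxy-style names or arguments, user-writable paths, and a short repetition interval. The sample task records and the regex indicators are constructed assumptions, not signatures taken from the report.

```python
import re

# Constructed sample scheduled-task records (not from the ReliaQuest report):
# task name, launched executable, its arguments, and the repeat interval in minutes.
SAMPLE_TASKS = [
    {"name": "Schedule Scan", "command": r"C:\Windows\System32\usoclient.exe",
     "args": "StartScan", "repeat_minutes": None},
    {"name": "OneDriveSync", "command": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "args": r"C:\Users\alice\AppData\Local\Temp\pysoxy.py", "repeat_minutes": 10},
    {"name": "Adobe Acrobat Update Task", "command": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
     "args": "", "repeat_minutes": None},
    {"name": "NetHelper", "command": "powershell.exe",
     "args": r"-w hidden -c C:\Users\bob\AppData\Roaming\py\python.exe C:\Users\bob\AppData\Roaming\py\proxy.py",
     "repeat_minutes": 5},
    {"name": "DevBuild", "command": r"C:\Python311\python.exe",
     "args": r"C:\Projects\build\run_tests.py", "repeat_minutes": None},
]

# Heuristic indicators (assumptions, not signatures from the article).
PYTHON_RE = re.compile(r"\b(pythonw?|py)(3(\.\d+)?)?\.exe\b", re.I)
PROXY_RE = re.compile(r"socks|soxy|proxy", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Public)\\", re.I)
SHORT_REPEAT_MINUTES = 60  # re-runs at least hourly count as a persistence-style trigger


def task_indicators(task):
    """Return the list of indicators a single scheduled task triggers."""
    cmdline = f"{task['command']} {task['args']}"
    reasons = []
    if PYTHON_RE.search(cmdline):
        reasons.append("python interpreter")
    if PROXY_RE.search(cmdline):
        reasons.append("proxy-style name or argument")
    if USER_WRITABLE_RE.search(cmdline):
        reasons.append("user-writable path")
    if task["repeat_minutes"] is not None and task["repeat_minutes"] <= SHORT_REPEAT_MINUTES:
        reasons.append("short repetition interval")
    return reasons


def flag_suspicious(tasks):
    """Flag tasks that launch Python and show at least one further indicator."""
    flagged = []
    for task in tasks:
        reasons = task_indicators(task)
        if "python interpreter" in reasons and len(reasons) >= 2:
            flagged.append((task["name"], reasons))
    return flagged
```

Calling `flag_suspicious(SAMPLE_TASKS)` flags the two constructed records that re-run a Python proxy script from a user-writable path, while the legitimate Python build task with no further indicator is left alone.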