An alarming evolution in cyberattack strategies has emerged with the ClickFix campaign, now leveraging a decade-old open-source Python tool to enhance its persistence. Originally considered a user error, ClickFix has matured into a complex threat capable of maintaining access despite defensive measures.
New Techniques in Cyber Intrusion
The ClickFix attack begins when unsuspecting users encounter a compromised website. Here, they are manipulated into executing a PowerShell command on their devices. This social engineering tactic is well-known, yet the latest adaptation introduces a significant twist. The attack no longer ends with the initial command, as it establishes ongoing automated access, circumventing typical security interventions.
Security experts at ReliaQuest first identified this updated approach in April 2026. They noted that ClickFix now incorporates PySoxy, a Python-based SOCKS5 proxy tool, significantly enhancing the attack’s durability. This combination marks a shift in threat dynamics, as the attack maintains activity even when outbound connections are blocked.
Leveraging PySoxy for Sustained Access
The attackers’ deployment of PySoxy underscores a crucial lesson: simply blocking connections does not neutralize the threat. In the observed incident, even after endpoint defenses severed the attacker’s channels, a scheduled task on the compromised machine continued to revive the malicious script. This persistence could signal a new entry point for ransomware operations.
Drawing parallels with SocGholish intrusions, which also utilize social engineering tactics, ClickFix is evolving into a formidable pre-ransomware platform. Following the initial PowerShell execution, the attackers quickly established a foothold, setting up a scheduled task to relaunch a script from the C:ProgramData folder every 40 minutes. This script acted as a lightweight remote access tool, consistently communicating with the attacker’s server.
Implications for Cyber Defense
After securing PowerShell-based access, the attackers conducted reconnaissance using built-in Windows tools to map network assets. Only upon verifying a staging server’s availability did they deploy PySoxy, executing compiled Python bytecode with proxy arguments targeting an external IP. This secondary channel provided an alternative route into the host, independent of the initial PowerShell connection, thereby reinforcing their hold on the environment.
The campaign highlights the need for comprehensive containment strategies. Analysts emphasize isolating affected hosts and scrutinizing scheduled tasks, especially those linked to suspicious PowerShell activity. Tasks pointing to atypical directories like ProgramData should be prioritized for investigation.
Incident responders are advised to watch for Python executions involving proxy-style command-line arguments, including flags such as -ssl, -remote_ip, and -remote_port, alongside unexpected .pyc files. Thorough removal of staged scripts, Python runtimes, and bytecode files is vital to prevent the attack’s re-emergence. Recognizing ClickFix incidents as potential full compromises rather than isolated errors is essential for effective response.
