The ClickFix social engineering technique — a method that tricks users into pasting and running malicious PowerShell commands on their own computers — has evolved into a significantly more dangerous and persistent threat. Security researchers have now documented a campaign combining ClickFix with PySoxy, a 10-year-old open-source Python SOCKS5 proxy tool, creating what analysts describe as a “durable access chain” capable of surviving standard endpoint security responses.
The findings, published by ReliaQuest in April 2026, mark the first observed case where ClickFix execution was paired with PySoxy in a sustained intrusion, signaling that this social engineering vector is maturing into a serious pre-ransomware delivery platform.
What Is ClickFix?
ClickFix is a social engineering technique in which a compromised or malicious website presents the visitor with a fake prompt — often impersonating a browser error, CAPTCHA, or software requirement — and instructs them to paste a command into a Windows Run dialog or PowerShell terminal. Because the user executes the command themselves, many traditional security controls do not trigger, and the attack appears to originate from legitimate user activity rather than a malicious payload.
The technique has been circulating for several years, but its combination with persistent secondary access tools represents a meaningful escalation in capability.
How the Updated Campaign Works
In the newly documented attack chain, the initial step remains familiar: a user visits a compromised website and is deceived into running a PowerShell command. What follows, however, is significantly more complex than previous ClickFix campaigns.
Once the command executes, the attacker rapidly establishes a persistent foothold:
- A scheduled task is planted on the victim machine that relaunches a staged script from
C:\ProgramDataapproximately every 40 minutes - That script functions as a lightweight remote access tool, polling the attacker’s server every three seconds, executing commands, and sending results back
- The attacker uses built-in Windows tools to perform reconnaissance — enumerating group memberships, identifying domain controllers, and mapping other machines on the network
- After confirming a staging server can be reached, PySoxy is deployed: compiled Python bytecode is downloaded and executed with proxy arguments pointing to a separate external IP
The result is two independent access paths into the same environment — the PowerShell remote access tool and the PySoxy SOCKS5 proxy — each using different infrastructure and traffic patterns.
Why Blocking the Connection Is Not Enough
The most critical insight from this campaign is how resilient the intrusion chain proved to be. In the incident studied by ReliaQuest, endpoint security controls successfully blocked both outbound attacker connections. Yet the attack continued — because the scheduled task already planted on the machine kept re-executing the staged script every 40 minutes, attempting to re-establish the connection for hours after containment appeared complete.
This persistence mechanism transformed a single user mistake into an ongoing, automated compromise. The operational pattern is directly comparable to SocGholish intrusions, which also combine social engineering with proxy-based access and network reconnaissance — strongly suggesting that ClickFix is evolving toward use as a primary ransomware delivery vector alongside more established access methods.
About PySoxy: A Decade-Old Tool Repurposed
PySoxy is an open-source Python-based SOCKS5 proxy implementation that was originally published approximately ten years ago. It is lightweight, functional, and — critically — legitimate enough in origin that it may not trigger security controls that look for known malware signatures. Its use here is part of a broader trend of threat actors leveraging legitimate or open-source tools (sometimes called “living off the land” with open-source software) to blend in with normal network traffic and evade detection.
In this campaign, PySoxy provided the attacker a covert tunnel through which they could route additional malicious traffic independently of the PowerShell command-and-control channel, effectively doubling the attacker’s persistence without introducing new malware families.
Indicators of Compromise
Defenders should look for the following indicators associated with this campaign:
- Scheduled tasks created shortly after suspicious PowerShell activity, particularly those executing scripts from
C:\ProgramData - Python execution with proxy-style command-line arguments: flags like
-ssl,-remote_ip, and-remote_port - Compiled
.pycfiles in unexpected or non-standard locations - Known malicious IPs: 185.205.211[.]217, 206.206.103[.]120, 206.206.103[.]106, 167.99.158[.]97
- Known malicious domains: strapness[.]com, abledom[.]net, overlateise[.]com
Recommended Response
Organizations should treat any ClickFix incident as a potential full compromise rather than an isolated user error. Specific response steps include:
- Fully isolate the affected host immediately — do not assume blocking an outbound connection has ended the intrusion
- Review all scheduled tasks, especially those created around the time of suspicious PowerShell activity
- Search for and remove Python runtimes, compiled bytecode files, and staged scripts in non-standard directories
- Conduct network-level review for SOCKS5 proxy traffic patterns originating from endpoints
- Educate users about the ClickFix social engineering technique, as user awareness remains the first line of defense against this initial infection vector
The combination of an old tool, a well-known technique, and a simple user interaction has produced an attack chain that is surprisingly durable and difficult to remediate. Security teams should update their incident response playbooks accordingly.