Cybercriminals have combined ClickFix attacks with PySoxy, a 10-year-old open-source Python SOCKS5 proxy, to maintain persistence on victims' machines without dropping conventional malware, so that access survives attempts at removal. The campaign, detailed by ReliaQuest researchers, shows ClickFix moving beyond one-time user execution into modular post-exploitation, making attacks harder to identify and contain.
ReliaQuest noted that blocking the initial access gained with ClickFix did not necessarily stop the intrusion, because the proxy tool provides a local persistence mechanism that can restart activity via a scheduled task. The attackers reportedly introduced PySoxy after gathering information about the environment and confirming host contact with attacker-controlled staging infrastructure, before establishing the connection to the control server and deploying the final payload.
They experimented with PowerShell and Python scripts, though attempts to drop a Remote Access Trojan were blocked by endpoint controls; the persistence mechanism itself remained a concern for responders. Earlier this month the Australian Cyber Security Centre issued a warning over a widespread ClickFix campaign targeting infrastructure providers and other organisations.
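As an added defender-side illustration (not code from the article or from ReliaQuest's report), the following Python triage routine reviews scheduled-task creation records, shaped like Windows Security event 4698, for the persistence pattern described above: a Python interpreter registered as a task action to relaunch a SOCKS proxy script. The field names, paths, task names and the two-indicator threshold are assumptions, and the sample records are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records shaped like Windows Security event 4698
# ("A scheduled task was created"); task names, paths and users are invented.
SAMPLE_TASKS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "User": "SYSTEM",
     "Command": r"C:\Windows\System32\defrag.exe", "Arguments": "-c -h -o"},
    {"TaskName": r"\OneDriveSync", "User": "alice",
     "Command": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "Arguments": r"C:\Users\alice\AppData\Roaming\sync\pysoxy.py 0.0.0.0 1080"},
    {"TaskName": r"\Reporting\Nightly", "User": "svc_reports",
     "Command": r"C:\Python311\python.exe",
     "Arguments": r"C:\Scripts\reports\build_report.py --date today"},
]

INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe"}
# Locations an ordinary user can write to; a proxy script staged there is more
# suspicious than one under an administrator-managed directory.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads|ProgramData)\\", re.I)
PROXY_HINT = re.compile(r"socks|soxy|proxy", re.I)
# First argument token ending in .py, quoted or not.
SCRIPT_RE = re.compile(r'"?([^"\s]+\.py)"?', re.I)

def review_task(task):
    """Return the indicators that make this task look like Python proxy persistence."""
    reasons = []
    if PureWindowsPath(task["Command"]).name.lower() not in INTERPRETERS:
        return reasons
    reasons.append("python interpreter as task action")
    m = SCRIPT_RE.search(task["Arguments"])
    script = m.group(1) if m else ""
    if USER_WRITABLE.search(script):
        reasons.append("script in user-writable path")
    if PROXY_HINT.search(PureWindowsPath(script).name):
        reasons.append("script name suggests SOCKS/proxy")
    if re.search(r"\b(0\.0\.0\.0|1080|1081)\b", task["Arguments"]):
        reasons.append("listen address/port in arguments")
    return reasons

def find_suspicious(tasks, min_reasons=2):
    """Flag tasks with at least min_reasons indicators; an interpreter alone is not enough."""
    hits = []
    for t in tasks:
        r = review_task(t)
        if len(r) >= min_reasons:
            hits.append({"TaskName": t["TaskName"], "User": t["User"], "reasons": r})
    return hits

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_TASKS):
        print(h["TaskName"], h["User"], "; ".join(h["reasons"]))
```

A legitimate Python job from an administrator-managed directory yields a single indicator and is not flagged, which keeps the threshold useful against the noise of ordinary scheduled Python tasks.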