ClickFix Evolves with PySoxy Proxying
A sophisticated ClickFix campaign was observed in April 2026 deploying PySoxy, a decade-old open-source Python SOCKS5 proxy tool, to establish encrypted proxy access on compromised hosts. The attack chain begins with social engineering that tricks users into executing obfuscated PowerShell commands, which then establishes scheduled task persistence and deploys an in-memory PowerShell-based command-and-control agent. Following domain reconnaissance activities, attackers deploy PySoxy to create a redundant encrypted access channel. The persistence mechanism continues attempting re-execution even after initial connections are blocked, demonstrating how single ClickFix executions can evolve into modular post-exploitation chains. This development represents a significant evolution from simple one-time execution to durable access with multiple redundant pathways, requiring comprehensive remediation beyond blocking initial callbacks.
AI Analysis
Technical Summary
This threat involves a sophisticated ClickFix campaign that leverages social engineering to execute obfuscated PowerShell commands, establishing persistence through scheduled tasks and deploying an in-memory PowerShell C2 agent. After conducting domain reconnaissance, attackers deploy PySoxy, a decade-old Python SOCKS5 proxy tool, to create encrypted proxy access on compromised systems. The persistence mechanism ensures repeated re-execution attempts, maintaining access even if initial network connections are disrupted. This evolution from a simple execution to a modular post-exploitation chain demonstrates increased complexity and resilience in maintaining attacker access.
Potential Impact
Compromised hosts gain durable, encrypted proxy access enabling attackers to maintain persistent control and conduct reconnaissance. The use of scheduled task persistence and in-memory C2 agents increases stealth and resilience against simple network blocking measures. The redundant encrypted proxy channels complicate detection and remediation efforts, potentially allowing prolonged unauthorized access and data exfiltration.
Mitigation Recommendations
No official patch or fix is available for this malware campaign. Mitigation requires comprehensive incident response including identification and removal of scheduled tasks, PowerShell-based C2 agents, and PySoxy proxy components. Blocking initial callbacks alone is insufficient due to the persistence mechanism's repeated re-execution attempts. Organizations should focus on detecting and eradicating all components of the attack chain and improving user awareness to prevent social engineering-based execution.
Indicators of Compromise
- domain: overlateise.com
- domain: abledom.net
- ip: 206.206.103.106
- ip: 206.206.103.120
- domain: strapness.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://reliaquest.com/blog/threat-spotlight-clickfix-evolves-with-pysoxy-proxying
- Adversary: null
- Pulse Id: 6a04a9a171b2ad5ef57d9993
- Threat Score: null
Threat ID: 6a058987cbff5d8610b57c0b
Added to database: 5/14/2026, 8:36:23 AM
Last enriched: 5/14/2026, 8:52:11 AM
Last updated: 5/14/2026, 2:54:22 PM