Published on May 13, 2026
ClickFix Evolves with 10-Year-Old Open-Source Python SOCKS5 Proxy
Severity
Critical
Detail
Security researchers have identified a new evolution of the ClickFix attack technique where threat actors are combining social engineering with an old open-source Python SOCKS5 proxy tool called PySoxy. The attackers use this method to maintain long-term access to compromised systems while avoiding detection. ClickFix attacks typically trick users into manually running malicious commands disguised as fixes for technical issues, CAPTCHA checks or browser verification prompts. In this latest campaign, attackers used ClickFix to establish initial access before deploying PySoxy as a secondary communication channel.
The PySoxy tool creates an encrypted proxy connection that allows attackers to continue accessing infected systems even if the original PowerShell command-and-control (C2) channel is blocked. Researchers observed attackers using scheduled tasks and Python scripts to repeatedly restart malicious activity, making the intrusion more persistent and difficult to remove.
Threat actors also performed reconnaissance on compromised environments before deploying PySoxy, showing deliberate preparation for extended unauthorized access. The malware activity included collecting system information, staging reconnaissance data locally, and communicating with attacker-controlled infrastructure.
How?
The attack begins with a ClickFix lure that tricks users into manually executing malicious commands disguised as system fixes, browser verification steps, or CAPTCHA-related instructions. Once executed, the malicious command establishes an initial PowerShell-based communication channel with attacker-controlled infrastructure. The attackers then conduct reconnaissance to gather information about the compromised environment and confirm outbound connectivity.
After verifying access, the attackers download and execute the PySoxy Python SOCKS5 proxy tool on the infected system. PySoxy creates a secondary encrypted communication channel that acts as a backup access method for the attackers. The attackers establish persistence using scheduled tasks and Python-related artifacts that automatically restart malicious activity if connections fail or security tools interrupt execution. This allows attackers to maintain continued access even after partial remediation attempts.
By abusing legitimate Python tooling and proxy functionality, the attack blends into normal development and administrative activities, making detection significantly more difficult. Compromised systems may be used for continued intrusion activity, credential theft, lateral movement, and additional malware deployment.
Indicator of Compromise (IoC)
| Type | Indicator | Description |
| IP Address | 185.205.211[.]217 | ClickFix Infrastructure IP |
| IP Address | 206.206.103[.]120 | PowerShell RAT C2 |
| IP Address | 206.206.103[.]106 | Staging and Exfiltration IP |
| IP Address | 167.99.158[.]97 | PySoxy Proxy Destination IP |
| Domain | strapness[.]com | ClickFix Stager Domain |
| Domain | abledom[.]net | Secondary C2 Domain |
Recommendation
To reduce the risk of compromise and improve detection capabilities, security teams should implement the following measures:
- Isolate affected hosts immediately to prevent lateral movement and continued attacker access.
- Investigate all scheduled tasks for suspicious or repeated execution activity.
- Monitor systems for unusual Python-related processes, scripts, or compiled .pyc files.
- Hunt for command lines containing indicators such as -ssl, -remote_ip, -remote_port, and SOCKS.
- Block unauthorized outbound proxy communications and suspicious encrypted traffic.
- Review PowerShell execution logs for suspicious or obfuscated commands.
Source
https://cybersecuritynews.com/clickfix-evolves-with-python-socks5-proxy/