{
  "Event": {
    "analysis": "1",
    "date": "2026-05-12",
    "extends_uuid": "",
    "info": "[Threat Intel] ClickFix Evolves with PySoxy Proxying",
    "protected": false,
    "publish_timestamp": "1779547240",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779013833",
    "uuid": "1af217fa-683f-4945-a924-640716449a80",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#3eb869",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Data Staging - T1074.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Groups - T1069.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d37d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"ReliaQuest\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778756440",
        "to_ids": false,
        "type": "link",
        "uuid": "a815efd9-47ed-4851-8171-d3fb39a882b8",
        "value": "https://reliaquest.com/blog/threat-spotlight-clickfix-evolves-with-pysoxy-proxying"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778756440",
        "to_ids": false,
        "type": "text",
        "uuid": "91b20b48-53d2-447b-88ff-e4655bb2337d",
        "value": "A sophisticated ClickFix campaign was observed in April 2026 deploying PySoxy, a decade-old open-source Python SOCKS5 proxy tool, to establish encrypted proxy access on compromised hosts. The attack chain begins with social engineering that tricks users into executing obfuscated PowerShell commands, which then establish scheduled task persistence and deploy an in-memory PowerShell-based command-and-control agent. Following domain reconnaissance activities, attackers deploy PySoxy to create a redundant encrypted access channel. The persistence mechanism continues attempting re-execution even after initial connections are blocked, demonstrating how a single ClickFix execution can evolve into a modular post-exploitation chain. This development represents a significant evolution from simple one-time execution to durable access with multiple redundant pathways: blocking the initial callbacks alone is not sufficient, and remediation must also remove the scheduled-task persistence and the PySoxy proxy component, since each provides an independent path back to the host."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778756440",
        "to_ids": false,
        "type": "text",
        "uuid": "a04ffb40-4e77-4516-a563-9c8343fdb8d4",
        "value": "Name: ClickFix Evolves with PySoxy Proxying\nAuthor: AlienVault\nAdversary: \nTags: [\"scheduled task persistence\", \"python proxy\", \"pysoxy\", \"powershell c2\", \"social engineering\", \"domain reconnaissance\", \"post-exploitation\", \"clickfix\"]\nTgtd countries: []\nMlwr families: [\"PySoxy\"]\nAttack_ids: [\"T1053.005\", \"T1033\", \"T1074.001\", \"T1087.002\", \"T1204.002\", \"T1573.001\", \"T1069.002\", \"T1135\", \"T1140\", \"T1090\", \"T1482\", \"T1041\", \"T1059.001\", \"T1547.001\", \"T1027\", \"T1059.006\", \"T1070.004\", \"T1071.001\", \"T1018\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "Hosted the ClickFix script (/api/jquery[.]js) injected into the compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779002333",
        "to_ids": true,
        "type": "domain",
        "uuid": "b70af384-dc4b-4760-bd27-e4b74b753b8f",
        "value": "overlateise.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Secondary C2 Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779002354",
        "to_ids": true,
        "type": "domain",
        "uuid": "adbd9ecb-d12a-46ef-8e32-e19eeca08abf",
        "value": "abledom.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Staging and Exfiltration IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779002375",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1197f059-a415-409c-bf5d-b7789530f0d1",
        "value": "206.206.103.106",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "PowerShell RAT C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779002396",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3d2e55ba-08ac-4541-a9f6-31eaf182e758",
        "value": "206.206.103.120",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ClickFix Stager Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779002418",
        "to_ids": true,
        "type": "domain",
        "uuid": "8f136e1d-a000-4b3e-978a-8148401b4999",
        "value": "strapness.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ClickFix Infrastructure IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779002439",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c9bf470f-d5ed-412f-b01c-bef04028c1bc",
        "value": "185.205.211.217",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "PySoxy Proxy Destination IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779002460",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "986b2327-fea8-4b16-8047-a19292ca57cc",
        "value": "167.99.158.97",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}