ClickFix Campaign Leverages PySoxy for Redundant Encrypted Access on Compromised Hosts
Security researchers documented in April 2026 a sophisticated ClickFix campaign that moved beyond simple social engineering into a modular post-exploitation framework. The operation deploys PySoxy—a decade-old open-source Python SOCKS5 proxy tool—to establish encrypted proxy channels on compromised systems, creating redundant pathways for command-and-control communications.
The attack chain begins with social engineering that tricks users into executing obfuscated PowerShell commands. This establishes scheduled task persistence and deploys an in-memory PowerShell-based command-and-control agent. Following domain reconnaissance, attackers deploy PySoxy to create an additional encrypted access layer. Notably, the persistence mechanism continues attempting re-execution even after initial connections are blocked, demonstrating how single ClickFix executions can evolve into durable access infrastructure.
The development signals a significant shift in ClickFix tactics, according to researchers tracking the campaign. What began as a relatively simple one-time execution vector now represents an entry point into complex post-exploitation chains with multiple redundant pathways. This evolution raises the bar for remediation, requiring security teams to look beyond blocking the initial callback. Organizations face pressure to implement detection strategies that account for modular tool deployment and layered persistence mechanisms that outlast the initial compromise.
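As an added example of the layered detection the article calls for (not code from the researchers or the campaign), the rule below correlates three stages of the described chain on one host: a scheduled task repeatedly launching encoded PowerShell, that PowerShell's outbound connection being blocked, and a Python process then listening on a SOCKS-style port. The `host|event|key=value` telemetry format, field names, and port 1080 are assumptions; the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample telemetry (assumed "host|event|key=value ..." format).
# WS01 shows the full chain: task relaunches, blocked callbacks, then a proxy listener.
# WS02 is a benign scheduled task plus an unrelated Python listener.
SAMPLE_LOG = """\
WS01|task_run|taskname=Updater image=powershell.exe args=-enc
WS01|net_blocked|image=powershell.exe dst=203.0.113.10:443
WS01|task_run|taskname=Updater image=powershell.exe args=-enc
WS01|net_blocked|image=powershell.exe dst=203.0.113.10:443
WS01|task_run|taskname=Updater image=powershell.exe args=-enc
WS01|net_blocked|image=powershell.exe dst=203.0.113.10:443
WS01|listen|image=python.exe port=1080
WS02|task_run|taskname=Backup image=powershell.exe args=-File
WS02|listen|image=python.exe port=1080
"""

SOCKS_PORT = "1080"  # assumed default; tune to the proxy ports seen in your environment


def parse(log):
    """Yield (host, event, fields) for each non-empty telemetry line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        host, event, detail = line.split("|", 2)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        yield host, event, fields


def correlate(log, min_retries=3):
    """Return hosts where all three stages of the chain are observed.

    min_retries is the number of blocked PowerShell callbacks that must be seen,
    which captures the article's point that the task keeps retrying after a block.
    """
    blocked = defaultdict(int)  # blocked outbound attempts from PowerShell, per host
    task_ps = set()             # hosts where a scheduled task ran encoded PowerShell
    socks = set()               # hosts where python.exe listens on the SOCKS-style port
    for host, event, f in parse(log):
        if event == "task_run" and f.get("image") == "powershell.exe" and "-enc" in f.get("args", ""):
            task_ps.add(host)
        elif event == "net_blocked" and f.get("image") == "powershell.exe":
            blocked[host] += 1
        elif event == "listen" and f.get("image") == "python.exe" and f.get("port") == SOCKS_PORT:
            socks.add(host)
    return sorted(h for h in task_ps & socks if blocked[h] >= min_retries)


if __name__ == "__main__":
    print("hosts with layered persistence:", correlate(SAMPLE_LOG))  # ['WS01']
```

Each stage alone is noisy; requiring the retry count and the later listener on the same host is what separates the durable access the article describes from a one-off blocked callback.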