Threat actors have evolved the ClickFix social engineering technique by incorporating PySoxy, a decade-old open-source Python SOCKS5 proxy tool, to establish persistent and covert access to victim networks. Security researchers have identified this campaign variant, which extends the intrusion well beyond the single-execution payloads typically associated with ClickFix operations.
ClickFix campaigns traditionally trick users into executing malicious PowerShell commands through fake error messages or system prompts, typically delivering malware in a single action. These attacks exploit user trust by presenting convincing technical messages that prompt victims to copy and run commands that appear to fix a problem but actually compromise their systems.
The current campaign introduces a multi-stage infection chain that deploys PySoxy after the initial compromise. PySoxy runs as a SOCKS5 proxy server, so the attacker can route connections through the compromised machine and keep network access after the initial ClickFix command has finished. This layered approach gives threat actors a stable foothold for reconnaissance, lateral movement, and data exfiltration, and because the proxied connections originate from an internal host, they can blend in with ordinary workstation traffic.
The use of a 10-year-old open-source tool demonstrates how attackers leverage established, benign-looking software to avoid suspicion. PySoxy's age and open-source nature mean it may already be present in legitimate environments, making malicious instances harder to distinguish from sanctioned ones. Because SOCKS5 is agnostic to the application protocol it carries, the proxy lets attackers tunnel arbitrary TCP connections (SMB, RDP, HTTP, and so on) through the compromised host, effectively turning victim machines into network pivots for broader campaign operations.
Security teams should implement monitoring for unexpected SOCKS5 proxy deployments and for PowerShell activity that spawns interpreters, establishes network listeners, or maintains persistent connections. Organizations should review their application whitelisting policies, monitor for Python-based proxy tools running in unusual contexts (a Python interpreter bound to a listening socket on a workstation is rarely legitimate), and analyze network traffic for SOCKS5 handshake patterns originating from or terminating on workstations. The SOCKS5 handshake is unencrypted and easy to recognize on the wire, but the default port 1080 should not be the only indicator, since the listening port is trivial to change. User awareness training should emphasize the risks of executing commands from pop-up messages or supposed error dialogs, regardless of how legitimate they appear.
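As an added example (not code from the article or from the PySoxy project), the following Python script shows both the SOCKS5 exchange a proxy like PySoxy services and how to detect it in network data. It encodes the client greeting and CONNECT request exactly as RFC 1928 specifies, then runs a detector over constructed, reassembled client-to-server payloads and flags any SOCKS5 handshake whose server side is not a sanctioned corporate proxy. The flow samples, IP addresses, and the sanctioned-proxy list are hypothetical and exist only to exercise the detector; the script has no network dependency.

```python
"""Added example: recognise SOCKS5 handshakes (RFC 1928) in reassembled
client->server TCP payloads and flag proxies on unsanctioned hosts.
All flows, addresses and the sanctioned-proxy set below are constructed
for illustration; this is not PySoxy's or the article's code."""
from dataclasses import dataclass
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


@dataclass
class Flow:
    src: str          # client address
    dst: str          # server address (the SOCKS listener, if any)
    dport: int
    payload: bytes    # first client->server bytes of the reassembled stream


def build_client_handshake(host: str, port: int, cmd: int = 0x01) -> bytes:
    """Bytes a SOCKS5 client sends when it offers only 'no authentication':
    greeting (VER, NMETHODS, METHODS) followed by the request
    (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT). This is the client side of
    the exchange a PySoxy-style listener would service."""
    greeting = bytes([SOCKS_VERSION, 0x01, 0x00])
    try:
        ip = ipaddress.ip_address(host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:                       # not an IP literal: ATYP 0x03 domain name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return greeting + bytes([SOCKS_VERSION, cmd, 0x00]) + addr + struct.pack("!H", port)


def parse_socks5_greeting(data: bytes):
    """Return the offered auth methods if data starts with a SOCKS5 greeting, else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    methods = list(data[2:2 + n])
    return None if 0xFF in methods else methods   # 0xFF is only legal in the server's reply


def parse_socks5_request(data: bytes):
    """Parse a SOCKS5 request; return (cmd, host, port) or None if it is not one."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00 or data[1] not in CMD_NAMES:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01 and len(data) >= 10:                       # IPv4
        host, port_off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03 and len(data) >= 5 and len(data) >= 7 + data[4]:   # domain name
        ln = data[4]
        host, port_off = data[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == 0x04 and len(data) >= 22:                     # IPv6
        host, port_off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    return cmd, host, struct.unpack("!H", data[port_off:port_off + 2])[0]


def parse_client_stream(data: bytes):
    """Return (methods, request); request is None when only the greeting was seen,
    e.g. because a username/password sub-negotiation precedes the request."""
    methods = parse_socks5_greeting(data)
    if methods is None:
        return None
    return methods, parse_socks5_request(data[2 + len(methods):])


def find_socks5_flows(flows, sanctioned_proxies):
    """Alert on every SOCKS5 handshake whose server is not a sanctioned proxy.
    A greeting alone is low confidence (3 bytes can collide with other binary
    protocols); greeting plus a well-formed request is high confidence."""
    alerts = []
    for f in flows:
        parsed = parse_client_stream(f.payload)
        if parsed is None or f.dst in sanctioned_proxies:
            continue
        methods, req = parsed
        alerts.append({
            "src": f.src,
            "proxy": f"{f.dst}:{f.dport}",
            "auth_methods": methods,
            "command": CMD_NAMES[req[0]] if req else None,
            "target": f"{req[1]}:{req[2]}" if req else None,
            "confidence": "high" if req else "low",
        })
    return alerts


# Constructed sample flows: TLS ClientHello, HTTP, a sanctioned proxy, an attacker
# reaching a listener on a workstation, and a stray 0x05 byte that is not a greeting.
SANCTIONED_PROXIES = {"10.0.0.5"}
SAMPLE_FLOWS = [
    Flow("10.20.30.40", "198.51.100.77", 443, b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"),
    Flow("10.20.30.43", "10.0.0.8", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.20.30.41", "10.0.0.5", 1080, build_client_handshake("example.org", 443)),
    Flow("203.0.113.9", "10.20.30.42", 1080, build_client_handshake("10.1.2.3", 445)),
    Flow("10.20.30.44", "10.20.30.45", 1080, b"\x05\x00"),
]

if __name__ == "__main__":
    for alert in find_socks5_flows(SAMPLE_FLOWS, SANCTIONED_PROXIES):
        print(alert)
```

In a real deployment the `payload` field would come from a stream reassembler (Zeek's connection contents, a packet capture tool, or an NDR sensor); the detector only needs the first few dozen client bytes of each TCP stream. Handling the server side of the exchange (method selection `05 00`, then the reply with BND.ADDR/BND.PORT) would raise confidence further and reveal whether the proxy actually completed the connection.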
Source: https://gbhackers.com/open-source-python-socks5-proxy/


