When Access Brokers Go Interactive: ClickFixin’ to Python Your Network

ID: 0a4207d6-8018-55be-81c7-aeb921b51009

STIX ID: report--0a4207d6-8018-55be-81c7-aeb921b51009

Feed Name: Binary Defense Blog

Threat Score
78/100

Date Published: 2026-02-06

Date Updated: 2026-04-27

ARC Labs investigated a ClickFix-style access-broker intrusion that used social engineering to get a victim to run obfuscated PowerShell, which then deployed a portable Python runtime hosting multiple Python backdoors alongside a reflectively loaded DLL. The operators established dual persistence, performed Active Directory reconnaissance and credential abuse (including access to domain controllers), and prioritized layered resilience over immediate ransomware deployment. The report details the artifacts, the detection opportunities, and how access brokers are overlapping with hands-on intruders.