Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence

ID: 08b550f2-f901-5ae7-bf59-1589b3274c2b

STIX ID: report--08b550f2-f901-5ae7-bf59-1589b3274c2b

Feed Name: Infosecurity Magazine (News)

Threat Score: 65/100

Date Published: 2026-05-12

Date Updated: 2026-05-12


ReliaQuest researchers detail a ClickFix-based campaign that leverages PySoxy (an open-source Python SOCKS5 proxy) to achieve persistent, modular post-exploitation on victim hosts without relying solely on traditional malware. Attackers staged access, validated connectivity to their staging infrastructure, then deployed the proxy, which used a scheduled task for local persistence; follow-on RAT or script delivery attempts were observed but sometimes blocked. The report warns defenders to treat ClickFix incidents with persistence as active compromises and recommends host isolation, review of scheduled tasks and Python artifacts, and hunting for proxy-style Python command lines.
