
ClickFix Is Konni Is PySoxy. Three Vendor Labels, One IP. The Operator Counts on the Confusion.

  • Writer: Patrick Duggan

ReliaQuest published a campaign writeup yesterday calling it ClickFix. The technical content is sound: a social-engineering lure dropping obfuscated PowerShell that stages a Python interpreter, a compiled bytecode dropper called b64.pyc, and an old open-source SOCKS5 proxy called PySoxy that tunnels command-and-control traffic out to operator infrastructure. ReliaQuest published seven indicators: four IP addresses and three domains. One of those IP addresses — 185.205.211.217 — was already in our index.


We had it tagged as Konni.


Konni is one of the names the threat-intel community uses for a cluster of activity attributed, with varying degrees of confidence over the last seven years, to North Korean state-sponsored operators. We did not tag this IP as Konni because we ran our own attribution research on it. The abuse.ch SSL blacklist tagged it that way based on TLS certificate similarity to historical Konni infrastructure, and that tag came in through our feed integration.


Same IP. Two labels. Both technically defensible. Both at different abstraction levels. Neither analyst team consulted the other before publishing.


This is not a unique event. It is the dominant shape of how vendor threat intelligence works in 2026. Every quarterly attribution report assigns a new actor name. Every detection vendor's blog rebrands the same operator's tooling with a memorable cluster identifier. Every threat-feed integration adds another field to your IOC's metadata, often with conflicting names attached. Defenders consolidate the feeds, deduplicate by hash and IP, and end up with a mountain of attributions that look like ten campaigns when they are one.



The shape — vendor attribution fragmentation as operator camouflage


Three analyst teams reading three different signals from the same infrastructure produce three different campaign labels. ReliaQuest pattern-matched on the lure shape and called it ClickFix. abuse.ch clustered on the TLS certificate fingerprint and called it Konni. The campaign's own tooling — a stable, open-source, 7-year-old Python SOCKS5 proxy — is sometimes just called by its tool name, PySoxy, in operator-of-interest writeups. None of the three labels is wrong. They sit at different abstraction levels. The technique label, the actor-cluster label, the tool label.


The operator benefits from this. A defender running three different threat feeds sees ClickFix indicators from ReliaQuest, Konni indicators from abuse.ch, and PySoxy indicators from a YARA rule library. Naive consolidation deduplicates the IP and shows three "different campaigns" hitting the same infrastructure. Investigative attention fragments. The operator's actual operational pattern — one IP, one hosting choice, one cert template — gets buried under naming theater.



We have the receipts on naming theater because we were on the wrong end of it once


In December 2025 we identified a remote-access trojan family in active distribution. We published the analysis, including IOCs and a memorable family name: ANUSFRAGGER. Forty-three days later, Zscaler ThreatLabz published an analysis of the same family, with the same IOCs, and called it NrodeCodeRAT. The Zscaler post became the dominant reference in industry coverage. The DugganUSA naming convention disappeared from the consolidated picture, even though we were demonstrably first by six weeks.


We are not bitter about the rebrand. We are using it as the proof case for the shape: first-name does not win in vendor threat intelligence. Loudest-name wins. And the operator does not care which name catches on, because the operator wins regardless — fragmented naming becomes fragmented defender attention.



Old-sexy plus new-sexy is the camouflage primitive


The 7-year-old PySoxy project is exactly the kind of long-tail open-source tool that operators love. It is MIT-licensed, stable, 200 lines of code, audited by its small fork-community, last code commit October 2019. Defender heuristics that flag novel tools as suspicious will not flag PySoxy. Defender heuristics that flag legitimate widely-used tools as benign will not flag PySoxy either, because PySoxy is barely widely-used enough to count as legitimate. It sits in a gray zone where every signal cancels out.


The ClickFix lure is the opposite shape. It is current-quarter social engineering, polished, contextual, using whatever browser-fix theme is in the headlines this week. Defender heuristics that catch dated lures will not catch it. Defender heuristics that catch sophisticated phishing will, but only if the analyst already has examples of this specific lure family.


Pair them: old, signal-free tool plus new, fresh-lure delivery. Either half on its own is more likely to be caught than both halves combined. The 7-year-old utility is the camouflage for the new-sexy delivery, and the new-sexy delivery is the rationale for using the 7-year-old utility. Operator gets paid; defender's two single-axis detectors both look at the same incident and both shrug.



What we did about it on May 13, 2026


We wrote this post. We pulled the six previously-unindexed indicators from ReliaQuest's writeup and queued them for ingest into our IOC index with the malware_family tag ClickFix and a tags array that includes Konni-overlap and reliaquest. Background indexing is asynchronous on a million-document index and the queue is processing under load today, so we are not claiming the new records are live and searchable as of this paragraph being written. They are queued.


The principle is the same regardless. Cross-naming becomes first-class metadata, not lost-in-translation. Any future query on either ClickFix or Konni surfaces the same infrastructure. The seventh IOC, the one we already had, stays tagged as Konni and gets a second tag noting ReliaQuest's May 2026 ClickFix classification. Both labels point at the same record. Defender queries on either name find it.


The PySoxy mention goes in as a tool tag, not as a malware family. PySoxy is not malicious software. It is a SOCKS5 proxy used by operators because operators have used SOCKS5 proxies for tunneling since the 1990s. Pretending the tool is the bad guy is the kind of category error that produces false positives on every red-team exercise and on every legitimate network engineering deployment.



What defenders should do this week


Three observations, in order of leverage.


First, track infrastructure as the primary key, names as metadata. When you ingest a new IOC feed, the IP or hash should be the deduplication key. The actor name, the campaign name, the technique name, the malware family name should all be tags on the same record. If your SIEM treats the campaign name as the primary identifier and the IP as a secondary attribute, your consolidated picture will fragment whenever two vendors disagree on naming. The operator gets a free hiding spot in your tagging convention.
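A minimal version of the record model described here and in the ingest section above, as an added example (not DugganUSA's pipeline code): the indicator value is the deduplication key, family and tool labels are tags on that one record, and the naive label-first count shows how the same IP from the post fragments into three "campaigns". The feed rows are constructed; the domain is a placeholder, not one of ReliaQuest's published indicators.

```python
"""Infrastructure-keyed IOC index: the indicator value is the primary key and
vendor labels are tags on it. Added illustration, not DugganUSA pipeline code."""
from dataclasses import dataclass, field

# Constructed feed rows mirroring the post. The IP is the one both vendors
# published; the domain is a placeholder, not a real ReliaQuest indicator.
FEED_ROWS = [
    ("abuse.ch-sslbl", "ip", "185.205.211.217", "Konni", None),
    ("reliaquest", "ip", "185.205.211.217", "ClickFix", None),
    ("yara-library", "ip", "185.205.211.217", None, "PySoxy"),
    ("reliaquest", "domain", "placeholder-c2.example", "ClickFix", None),
]

@dataclass
class IocRecord:
    indicator: str                              # IP, domain or hash: the dedup key
    kind: str                                   # "ip", "domain" or "hash"
    families: set = field(default_factory=set)  # actor/campaign/family labels
    tools: set = field(default_factory=set)     # benign tooling, not a family
    sources: set = field(default_factory=set)   # which feed asserted what

class IocIndex:
    def __init__(self):
        self.records: dict[str, IocRecord] = {}

    def ingest(self, feed, kind, indicator, family=None, tool=None):
        """Merge one feed row; a second vendor name becomes a tag, not a record."""
        rec = self.records.setdefault(indicator, IocRecord(indicator, kind))
        if family:
            rec.families.add(family)
        if tool:
            rec.tools.add(tool)
        rec.sources.add(feed)
        return rec

    def search(self, name):
        """Any label, family or tool, resolves to the same underlying records."""
        return [r for r in self.records.values()
                if name in r.families or name in r.tools]

def build_index(rows=FEED_ROWS):
    idx = IocIndex()
    for feed, kind, indicator, family, tool in rows:
        idx.ingest(feed, kind, indicator, family, tool)
    return idx

def naive_campaign_count(indicator, rows=FEED_ROWS):
    """The failure mode from the post: keying on the label first makes one
    indicator look like several campaigns."""
    return len({(fam or tool) for _, _, ind, fam, tool in rows if ind == indicator})
```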


Second, accept that naming will lag attribution. A new operator surfacing this quarter will get three or four names from three or four different vendor analysis teams over the next six months. Defenders who wait for naming consensus before mitigating will be six months late. Defenders who mitigate on infrastructure and add the names as they appear will be on time. The naming consensus is a downstream artifact of attribution work that does not need to gate operational defense.


Third, do not assume your vendor has cross-referenced their own field. Vendor attribution teams almost never cross-reference against other vendors' published reports before assigning a new name. The incentives are misaligned: every team wants their own cluster identifier to become the canonical reference. The aggregation work falls on the defender. You will be doing it whether you plan to or not.



Where we sit


Six IOCs queued for the index today. Two existing adversary records are slated for cross-tag once the write batch lands. One blog post explaining the shape. Six free Edge Shield deployers got unblocked earlier in the day because we shipped the public-CSV gate change to support this very story. The infrastructure is in the public CSV feed regardless of which name caches against the IPs first. The names will be tags. The next analyst to publish a fourth name for the same operator will not break our pipeline because we are not indexing by name.


The ANUSFRAGGER name is not going anywhere from our records. Loudest-name may have won the industry citation race, but first-name still owns the receipts. Forty-three days of lead time is forty-three days of lead time.


Better luck next operator.


— Patrick Duggan, May 13, 2026





