

Ethical Hacking News

The Dark Side of Cloud-Friendly Operations: Unveiling the OneClik Malware Campaign



The OneClik malware campaign has been identified in recent months, targeting organizations within the energy, oil, and gas sectors using Microsoft's ClickOnce technology and bespoke Golang backdoors. This campaign reflects a broader shift toward "living-off-the-land" tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms. As the threat landscape continues to evolve, it is essential for organizations to stay informed about emerging threats and to implement robust security measures to protect themselves against such campaigns.

  • The OneClik malware campaign uses Microsoft's ClickOnce software deployment technology and bespoke Golang backdoors to target organizations in the energy, oil, and gas sectors.
  • The campaign exhibits characteristics aligned with Chinese-affiliated threat actors, but attribution remains cautious due to a lack of concrete evidence.
  • The methods employed by OneClik reflect a shift toward "living-off-the-land" tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms.
  • The phishing attacks utilize a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon.
  • The use of AWS cloud services provides a layer of abstraction, making it more challenging for security teams to detect and respond to the malicious activity.
  • Adversaries can abuse ClickOnce to proxy execution of malicious code through a trusted Windows binary without needing to escalate privileges.
  • The attack chains begin with phishing emails containing a link to a fake hardware analysis website that serves as a conduit for delivering a ClickOnce application.
  • The use of AppDomainManager injection allows OneClik to bypass traditional security measures and establish a stable connection with the C2 server.
  • The RunnerBeacon backdoor provides a range of functionalities, including file operations, process enumeration, and shell command execution, as well as network operations like port scanning and SOCKS5 proxying.
  • In March 2025 alone, three different variants of the campaign were observed: v1a, BPI-MDM, and v1d.



The world of cyber warfare has seen its fair share of sophisticated tactics, techniques, and procedures (TTPs) employed by malicious actors to compromise organizations worldwide. In recent months, a new campaign dubbed OneClik has gained attention from cybersecurity researchers, who have detailed its use of Microsoft's ClickOnce software deployment technology and bespoke Golang backdoors to target organizations within the energy, oil, and gas sectors.

The OneClik malware campaign is believed to be an evolution of known Go-based Cobalt Strike beacons, with its design closely paralleling that of the Geacon/Geacon plus/Geacon Pro family. This campaign exhibits characteristics aligned with Chinese-affiliated threat actors, although attribution remains cautious due to the lack of concrete evidence. The methods employed by OneClik reflect a broader shift toward "living-off-the-land" tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms.

The phishing attacks initiated by OneClik utilize a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon. This backdoor is designed to communicate with attacker-controlled infrastructure that is obscured using Amazon Web Services (AWS) cloud services. The use of AWS cloud services provides a layer of abstraction, making it more challenging for security teams to detect and respond to the malicious activity.

The ClickOnce technology, offered by Microsoft as a way to install and update Windows-based applications with minimal user interaction, can be an attractive means for threat actors looking to execute their malicious payloads without raising any red flags. ClickOnce applications can be used to run malicious code through a trusted Windows binary, "dfsvc.exe," which is responsible for installing, launching, and updating the apps. This allows adversaries to abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.

The attack chains initiated by OneClik begin with phishing emails containing a link to a fake hardware analysis website that serves as a conduit for delivering a ClickOnce application, which in turn runs an executable using dfsvc.exe. The binary is a ClickOnce loader that is launched through a further technique known as AppDomainManager injection, which ultimately results in encrypted shellcode being executed in memory to load the RunnerBeacon backdoor.

The use of AppDomainManager injection allows OneClik to bypass traditional security measures and establish a stable connection with the C2 server. This technique is often used by Chinese-affiliated threat actors, such as APT-Q-14, which has been described as originating from Northeast Asia and having overlaps with other clusters dubbed APT-Q-12 (aka Pseudo Hunter) and APT-Q-15.
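Two of the behaviours described above are observable on an endpoint: a process being launched by the ClickOnce host dfsvc.exe, and the launched application's .exe.config redirecting the .NET AppDomainManager (the `appDomainManagerAssembly` / `appDomainManagerType` elements under `<runtime>`, which is the hook AppDomainManager injection relies on). The script below is an added example written for this article, not code from the OneClik research or from any vendor, and it is not a signature for the real campaign. It runs a small triage over constructed process-creation events (JSON lines with assumed field names) and constructed app configs held in a dictionary that stands in for reading the `<exe>.config` file beside each launched binary; every path, PID and assembly name in it is made up.

```python
"""Triage of ClickOnce (dfsvc.exe) launches and AppDomainManager overrides.

Added example for this article; not the campaign's code and not a vendor rule.
Event field names (pid, ppid, image, parent_image, cmdline) are assumptions
modelled on EDR/Sysmon process-creation records.
"""
import json
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed sample telemetry (JSON lines). Paths and PIDs are placeholders.
SAMPLE_EVENTS = r'''
{"pid": 4101, "ppid": 3990, "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe", "parent_image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "cmdline": "dfsvc.exe"}
{"pid": 4120, "ppid": 4101, "image": "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\K1Y2\\hwcheck.exe", "parent_image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe", "cmdline": "hwcheck.exe"}
{"pid": 4300, "ppid": 900, "image": "C:\\Program Files\\Vendor\\tool.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "tool.exe"}
{"pid": 4400, "ppid": 4101, "image": "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\Q9Z8\\approved.exe", "parent_image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe", "cmdline": "approved.exe"}
'''

# Constructed app configs, keyed by the launched image path. In a real
# collector these would be read from "<image>.config" next to the binary.
SAMPLE_CONFIGS: Dict[str, str] = {
    r"C:\Users\alice\AppData\Local\Apps\2.0\K1Y2\hwcheck.exe": """
<configuration>
  <runtime>
    <appDomainManagerAssembly value="HwCheckCore, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HwCheckCore.Manager" />
  </runtime>
</configuration>""",
    r"C:\Users\alice\AppData\Local\Apps\2.0\Q9Z8\approved.exe": """
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>""",
}


def _local(tag: str) -> str:
    """Strip an XML namespace prefix, if any, so matching is by local name."""
    return tag.rsplit("}", 1)[-1]


def appdomainmanager_override(config_xml: str) -> Dict[str, str]:
    """Return {'assembly': ..., 'type': ...} when the config redirects the
    AppDomainManager; an empty dict otherwise. Missing or malformed XML is
    treated as "no override" rather than as an error."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return {}
    found: Dict[str, str] = {}
    for el in root.iter():
        name = _local(el.tag)
        if name == "appDomainManagerAssembly":
            found["assembly"] = el.get("value", "")
        elif name == "appDomainManagerType":
            found["type"] = el.get("value", "")
    return found


def parse_events(jsonl: str) -> List[dict]:
    """Decode one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage(events: Iterable[dict], configs: Dict[str, str]) -> List[dict]:
    """Flag every process launched by dfsvc.exe (ClickOnce proxy execution) at
    'info' severity, and raise it to 'high' when the launched app's config
    installs a custom AppDomainManager."""
    findings: List[dict] = []
    for ev in events:
        if ntpath.basename(ev.get("parent_image", "")).lower() != "dfsvc.exe":
            continue
        image = ev["image"]
        finding = {"pid": ev["pid"], "image": image, "severity": "info",
                   "reason": "launched via ClickOnce host dfsvc.exe"}
        override = appdomainmanager_override(configs.get(image, ""))
        if override:
            finding["severity"] = "high"
            finding["reason"] = (
                "app config sets appDomainManagerAssembly=%r type=%r; "
                "review the referenced assembly"
                % (override.get("assembly"), override.get("type")))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS), SAMPLE_CONFIGS):
        print(f["severity"].upper(), f["pid"], f["image"], "-", f["reason"])
```

On the constructed input, the dfsvc.exe process itself and the explorer-launched tool are ignored, `approved.exe` is recorded as an informational ClickOnce launch, and `hwcheck.exe` is escalated because its config names a custom AppDomainManager. A launch through dfsvc.exe is normal for any ClickOnce deployment, so the child event on its own is context, not an alert; the config override is the part worth a look, and the next step would be to check where the referenced assembly lives and whether it is signed by the publisher you expect.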

The RunnerBeacon backdoor provides a range of functionalities to the OneClik malware campaign, including file operations, process enumeration, and shell command execution. It also supports network operations like port scanning, port forwarding, and SOCKS5 proxying to provide proxy and routing features. Furthermore, the backdoor incorporates anti-analysis features to evade detection and can escalate privileges using token theft and impersonation techniques.

In March 2025 alone, three different variants of the OneClik malware campaign were observed: v1a, BPI-MDM, and v1d. Each iteration demonstrates progressively improved capabilities to fly under the radar. The development of OneClik serves as a reminder of the evolving threat landscape and the need for organizations to stay vigilant and implement robust security measures to protect themselves against such campaigns.

In related news, Beijing-based 360 Threat Intelligence Center disclosed DarkHotel's use of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate Microsoft Defender Antivirus and deploy malware as part of a phishing attack that delivered fake MSI installation packages in February 2025. This incident highlights the ongoing threat posed by Chinese-affiliated threat actors, who continue to adapt and evolve their TTPs to evade detection.

The increasing sophistication of the OneClik malware campaign underscores the need for organizations to stay informed about emerging threats and to implement robust security measures to protect themselves against such campaigns. As the threat landscape continues to evolve, it is essential for cybersecurity professionals to remain vigilant and up-to-date with the latest threat intelligence and TTPs employed by malicious actors.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Cloud-Friendly-Operations-Unveiling-the-OneClik-Malware-Campaign-ehn.shtml

  • https://thehackernews.com/2025/06/oneclik-malware-targets-energy-sector.html


  • Published: Fri Jun 27 03:28:47 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.