Ethical Hacking News
The recent emergence of the OneClik campaign highlights a significant evolution in threat actor tactics. Leveraging Microsoft's ClickOnce technology and bespoke Golang backdoors, attackers are exploiting vulnerabilities within the energy sector. This development underscores the importance of staying vigilant against "living-off-the-land" tactics and evolving threat actor strategies.
The OneClik campaign utilizes Microsoft's ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations in the energy, oil, and gas sectors. The campaign reflects a shift toward "living-off-the-land" tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms. The phishing attacks use a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon. ClickOnce allows threat actors to execute malicious payloads without raising red flags, as it can run malicious code through a trusted Windows binary with limited permissions. The attack chain begins with phishing emails containing links to fake hardware analysis websites, which deliver a ClickOnce application and launch the malicious backdoor. The RunnerBeacon backdoor can communicate with C2 servers over multiple protocols, perform file operations, and escalate privileges using token theft and impersonation. Three variants of OneClik have been observed, each demonstrating improved capabilities to evade detection. Another campaign, APT-Q-14, has also employed ClickOnce apps to propagate malware, exploiting a zero-day XSS flaw in an email platform.
The cybersecurity landscape has recently witnessed a significant evolution in the tactics employed by threat actors. A new campaign, dubbed OneClik, has emerged, leveraging Microsoft's ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas sectors. The campaign, which exhibits characteristics aligned with Chinese-affiliated threat actors, demonstrates a broader shift toward "living-off-the-land" tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms.
According to Trellix researchers Nico Paulo Yturriaga and Pham Duy Phuc, the OneClik campaign reflects this trend. The phishing attacks utilized by the attackers make use of a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon. This backdoor is designed to communicate with attacker-controlled infrastructure that is obscured using Amazon Web Services (AWS) cloud services.
ClickOnce, offered by Microsoft as a way to install and update Windows-based applications with minimal user interaction, can be an attractive means for threat actors looking to execute their malicious payloads without raising any red flags. The technology allows ClickOnce applications to run malicious code through a trusted Windows binary, "dfsvc.exe," which is responsible for installing, launching, and updating the apps. Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.
Trellix stated that the attack chains begin with phishing emails containing a link to a fake hardware analysis website that serves as a conduit for delivering a ClickOnce application. This application is then launched by injecting the malicious code via another technique known as AppDomainManager injection, ultimately resulting in the execution of an encrypted shellcode in memory to load the RunnerBeacon backdoor.
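The two execution details above (a ClickOnce app launched by the trusted host dfsvc.exe, then AppDomainManager injection) leave process-creation artifacts a defender can look for. The following detection sketch is an added example, not code from Trellix or the article; it runs over constructed JSON-lines telemetry whose field names (pid, image, parent_image, env) are assumptions, and the "outside the ClickOnce cache" rule is a heuristic of mine, not something the page states.

```python
"""Added example: flag ClickOnce launches (dfsvc.exe as parent) and AppDomainManager-
injection indicators in constructed process-creation telemetry (field names assumed)."""
import json
from typing import Iterable

# Env vars that point the .NET runtime at a custom AppDomainManager assembly;
# ordinary desktop software almost never sets them.
ADM_ENV_KEYS = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE"}
CLICKONCE_HOST = "dfsvc.exe"  # trusted ClickOnce host binary
CLICKONCE_CACHE = "\\apps\\2.0\\"  # per-user ClickOnce install location (lowercased)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the indicator names that apply to one process-creation event."""
    hits = []
    image = event.get("image", "").lower()
    parent = _basename(event.get("parent_image", ""))
    env_keys = {k.upper() for k in event.get("env", {})}
    if parent == CLICKONCE_HOST:
        hits.append("clickonce_launch")  # baseline: record every ClickOnce start
        if CLICKONCE_CACHE not in image:  # heuristic: host spawned a non-cache binary
            hits.append("clickonce_outside_cache")
    if env_keys & ADM_ENV_KEYS:  # runtime redirected to a custom manager
        hits.append("appdomainmanager_env")
    return hits

def scan(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Parse JSON-lines telemetry; return (pid, indicators) for events with hits."""
    findings = []
    for line in lines:
        event = json.loads(line)
        hits = classify(event)
        if hits:
            findings.append((event["pid"], hits))
    return findings

# Constructed sample telemetry; not real logs from the campaign.
DFSVC = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe"
APP = "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\XXXX\\YYYY\\analyzer.exe"
SAMPLE = [
    json.dumps({"pid": 100, "image": APP, "parent_image": DFSVC, "env": {}}),
    json.dumps({"pid": 101, "image": APP, "parent_image": DFSVC,
                "env": {"APPDOMAIN_MANAGER_ASM": "x", "APPDOMAIN_MANAGER_TYPE": "y"}}),
    json.dumps({"pid": 102, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": DFSVC, "env": {}}),
    json.dumps({"pid": 103, "image": "C:\\Windows\\notepad.exe",
                "parent_image": "C:\\Windows\\explorer.exe", "env": {}}),
]
```

Event 100 is an ordinary ClickOnce start and is only recorded as a baseline; events 101 and 102 carry the indicators worth alerting on, and 103 produces no finding.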
The Golang implant can communicate with a command-and-control (C2) server over HTTP(s), WebSockets, raw TCP, and SMB named pipes. It allows the backdoor to perform file operations, enumerate and terminate running processes, execute shell commands, escalate privileges using token theft and impersonation, and achieve lateral movement.
Furthermore, the RunnerBeacon incorporates anti-analysis features to evade detection. Additionally, it supports network operations like port scanning, port forwarding, and SOCKS5 protocol to facilitate proxy and routing features.
Three different variants of OneClik have been observed in March 2025 alone: v1a, BPI-MDM, and v1d. Each iteration demonstrates progressively improved capabilities to fly under the radar. While techniques such as AppDomainManager injection have been used by China- and North Korea-linked threat actors in the past, a variant of RunnerBeacon was identified at a company in the Middle East in the oil and gas sector in September 2023.
The development comes as another campaign, mounted by a threat actor tracked as APT-Q-14, has also employed ClickOnce apps to propagate malware. This campaign exploits a zero-day cross-site scripting (XSS) flaw in the web version of an unnamed email platform. The vulnerability is automatically triggered when a victim opens a phishing email, causing the download of the ClickOnce app.
QiAnXin reported that APT-Q-14 also focuses on zero-day vulnerabilities in email software for the Android platform. APT-Q-14 has been described as originating from Northeast Asia and having overlaps with other clusters dubbed APT-Q-12 (aka Pseudo Hunter) and APT-Q-15, which are assessed to be sub-groups within a South Korea-aligned threat group known as DarkHotel (aka APT-C-06).
Earlier this week, Beijing-based 360 Threat Intelligence Center disclosed DarkHotel's use of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate Microsoft Defender Antivirus and deploy malware as part of a phishing attack that delivered fake MSI installation packages in February 2025.
Trellix also revealed that the activity tracked as OneClik was part of a controlled red team effort. Despite this, OneClik is notable for its realistic simulation of nation-state tradecraft. The campaign demonstrates how adversaries – or red teams emulating them – can use "living-off-the-land" tactics, blending into trusted cloud and enterprise tooling to evade traditional detection mechanisms.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Living-Off-The-Land-Tactics-OneClik-Campaign-Exploits-Microsoft-ClickOnce-and-Golang-Backdoors-for-Energy-Sector-Compromise-ehn.shtml
https://thehackernews.com/2025/06/oneclik-malware-targets-energy-sector.html
https://www.trellix.com/blogs/research/oneclik-a-clickonce-based-red-team-campaign-simulating-apt-tactics-in-energy-infrastructure/
Published: Tue Jul 1 05:58:37 2025 by llama3.2 3B Q4_K_M