OneClik Attack Abuses Microsoft's ClickOnce Service
Researchers have uncovered a sophisticated cyber-espionage campaign known as OneClik, which targets organizations in the energy, oil, and gas sectors. The attackers exploit Microsoft's ClickOnce deployment technology—a tool designed to streamline the installation and updating of Windows applications with minimal user interaction—to deliver malicious payloads silently.
Once inside a system, the campaign uses custom backdoors written in Golang. It hides its command-and-control (C2) infrastructure within legitimate Amazon Web Services (AWS) platforms, including CloudFront, API Gateway, and Lambda, making detection and mitigation significantly more challenging.
Trellix researchers identified OneClik as a targeted APT campaign against the energy, oil, and gas sectors. The campaign used phishing emails linking to fake "hardware analysis" tools hosted on Azure Blob Storage. ClickOnce deployment runs under dfsvc.exe, a trusted Microsoft process, which allows the loader to run without User Account Control (UAC) prompts and avoids many security alerts.
Once the ClickOnce loader (OneClikNet) launches under dfsvc.exe, it modifies the .exe.config file of a legitimate .NET executable, such as ZSATray.exe, umt.exe, or ied.exe.
It injects specific directives into a config file, forcing the CLR to load a malicious DLL at runtime. This technique, called AppDomainManager hijacking, enables early and stealthy execution of attacker‑controlled code. This config hijack makes the malicious DLL load before any legitimate logic runs, effectively commandeering the host process.
Once initial access is achieved, the threat actors deploy the malware loader. The .NET loader is modular and adapts to its environment: it supports several methods of obtaining a "victim identifier", such as downloading one from the command-and-control server, reading it from a static file, computing the SHA-256 hash of a static string, or hashing the machine name. This possibly indicates targeting logic that selects victims in advance.
Likewise, the loader retrieves its payload via three methods: downloading from the command-and-control server, local file, or embedded blob. Flexibility like this ensures successful payload delivery across different deployment environments.
For payload delivery, it fetches encrypted data, typically an AES-128-CBC-encrypted, base64-encoded blob stored in a .dat file or hidden inside an icon file (such as fav.ico). The blob is decrypted in memory, and the decrypted content is injected directly into a process as shellcode using CLR reflection and internal memory routines, bypassing standard operating-system security controls and detection tools.
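Hiding a base64 blob inside an icon works because nothing in the ICO format stops a file from carrying bytes past the last image. The ICO header records how many images are present and a 16-byte directory entry per image gives each image's size and offset, so the expected end of a well-formed file is computable; anything after it is appended data. The script below is an added forensic example written for this article, not code from Trellix or from the campaign; it computes that boundary and reports trailing base64-looking data. The icon bytes and the appended payload are constructed samples, and the dummy image is not a valid bitmap, which does not matter for the size check.

```python
"""Flag ICO files that carry appended data beyond their declared image entries."""
import base64
import re
import struct

ICONDIR_SIZE = 6        # reserved(2) + type(2) + count(2)
ICONDIRENTRY_SIZE = 16  # width, height, colors, reserved, planes, bpp, size(4), offset(4)
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def build_ico(image_bytes: bytes) -> bytes:
    """Construct a minimal single-entry ICO wrapping image_bytes (test fixture only)."""
    header = struct.pack("<HHH", 0, 1, 1)  # reserved=0, type=1 (icon), one image
    entry = struct.pack(
        "<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image_bytes), ICONDIR_SIZE + ICONDIRENTRY_SIZE
    )
    return header + entry + image_bytes


def ico_expected_size(data: bytes) -> int:
    """Return the byte offset where a well-formed ICO/CUR file should end."""
    if len(data) < ICONDIR_SIZE:
        raise ValueError("too short for an ICO header")
    reserved, itype, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or itype not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICONDIR_SIZE + ICONDIRENTRY_SIZE * count
    if len(data) < end:
        raise ValueError("truncated icon directory")
    for i in range(count):
        size, offset = struct.unpack_from("<II", data, ICONDIR_SIZE + ICONDIRENTRY_SIZE * i + 8)
        end = max(end, offset + size)
    return end


def trailing_payload(data: bytes) -> bytes:
    """Bytes past the last declared image; empty for a clean file."""
    return data[ico_expected_size(data):]


def analyze_icon(data: bytes) -> dict:
    """Report appended data and whether it decodes as base64 (the staging pattern here)."""
    tail = trailing_payload(data)
    result = {"trailing_bytes": len(tail), "suspicious": len(tail) > 0, "looks_base64": False}
    stripped = tail.strip()
    if stripped and B64_RE.match(stripped) and len(stripped) % 4 == 0:
        result["looks_base64"] = True
        result["decoded_len"] = len(base64.b64decode(stripped))
    return result


# Constructed samples: a clean icon and the same icon with a base64 blob appended.
CLEAN_ICON = build_ico(b"\x00" * 40)
APPENDED_BLOB = base64.b64encode(bytes(range(64)))  # stands in for an encrypted payload
TAMPERED_ICON = CLEAN_ICON + b"\n" + APPENDED_BLOB

if __name__ == "__main__":
    print("clean:   ", analyze_icon(CLEAN_ICON))
    print("tampered:", analyze_icon(TAMPERED_ICON))
```

Running this over icon files found next to recently modified `.exe.config` files, or shipped by a ClickOnce manifest, turns the "payload in fav.ico" trick into a cheap triage check: a legitimate icon has zero trailing bytes, while a staging file shows a large base64 tail whose decoded length is a multiple of 16, consistent with the AES-CBC blob the article describes.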
The attack campaign evolved through three variants, each adding layers of defense evasion:
- The first version implemented basic stealth: it relocated system modules in memory, silenced console windows, and patched Event Tracing for Windows (ETW) functions (like EtwEventWrite), preventing telemetry logging.
- The second added continuous anti-debug loops by spawning a background thread that checks both managed (Debugger.IsAttached) and native (NtQueryInformationProcess) indicators, terminating if debugging is detected.
- The third further enhanced stealth with sandbox detection (checking domain membership via NetGetJoinInformation and NetGetAadJoinInformation and verifying that system RAM exceeds 8 GB via GlobalMemoryStatusEx) and even deleted its config file post‑injection to reduce forensic traces.
These improvements render analysis in sandbox or VM environments significantly more difficult, increasing the likelihood of deployment on real targets.
RunnerBeacon: Go-Based In-Memory Backdoor
After injection, the loader deploys RunnerBeacon, a sophisticated Go‑written backdoor. It resides entirely in memory and operates without writing to disk. RunnerBeacon employs RC4 encryption alongside MessagePack serialization, constructing a modular command protocol with roughly 16 message types, each mapped to a numeric value.
RunnerBeacon's functionality mirrors tools like Cobalt Strike's Beacon: it executes shell commands with CreateProcessW and piped I/O, enumerates processes, uploads and downloads files, scans network ports, establishes SOCKS5 tunnels, injects into other processes, and performs token manipulation for privilege escalation. Further, the backdoor randomizes beacon intervals and includes an obfuscate_and_sleep routine to counter detection.
RunnerBeacon disguises its communication in legitimate AWS cloud traffic. The command-and-control infrastructure evolves across variants:
- The first and second versions used AWS CloudFront distributions and API Gateway URLs.
- The third transitions to AWS Lambda function URLs for a callback, further cloaking its traffic.
Since these domains resolve to trusted AWS infrastructure and use TLS encryption with normal-looking headers, the traffic blends almost seamlessly into organizational cloud usage, evading perimeter defenses and making detection nearly impossible unless TLS is terminated for inspection or advanced behavioral traffic analytics are in place.
Trellix also identified a RunnerBeacon variant in September 2023, targeting a Middle Eastern oil and gas firm. It shares over 99% code similarity with OneClik, highlighting long-standing campaigning efforts focused on critical infrastructure.
Although the campaign's tactics and techniques, such as AppDomainManager hijacking, encrypted in-memory payloads, and cloud-based staging, parallel those used by Chinese-affiliated groups like APT41, Trellix emphasizes that exact attribution remains incredibly difficult in the absence of definitive evidence.
OneClik represents a highly advanced espionage toolkit, combining phishing, trusted .NET runtime hijacking, in-memory encrypted payloads, and cloud-based command channels to deliver persistent, stealthy backdoors into critical infrastructure environments. It continues to evolve across variants, layering anti-analysis techniques and refined C2 methods to evade detection.
For defenders, identifying this threat requires multi-layered monitoring across endpoint behavior, .NET configuration integrity, and encrypted outbound traffic to cloud services, particularly AWS.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.