Full Report
2025-06-24 • Trellix • Nico Paulo Yturriaga, Pham Duy Phuc
Analysis Summary
# Threat Actor: OneClik APT Campaign (Attribution/Grouping Pending)
## Attribution & Identity
The provided abstract excerpt does not attribute the "OneClik" campaign to a known actor; it gives only the campaign name ("OneClik") and the organization that reported it (Trellix). No aliases or associated groups are mentioned.
## Activity Summary
The article describes an ongoing Advanced Persistent Threat (APT) campaign dubbed "OneClik." This campaign is notable for its use of Microsoft's ClickOnce technology as a primary delivery mechanism. The campaign is currently observed targeting critical infrastructure sectors.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Heavy reliance on **ClickOnce** installations/applications for initial access and execution.
- [Specific MITRE ATT&CK IDs are not provided in the excerpt.]
## Targeting
- Sectors: Energy, Oil and Gas Infrastructure
- Geography: Not specified in the excerpt.
- Victims: Not specifically named in the excerpt.
## Tools & Infrastructure
- **Malware Families:** The specific malware families are not detailed in the excerpt; the campaign is characterized by delivering its payloads through ClickOnce deployment.
- **Infrastructure:** Command and Control (C2) or specific IPs/domains are not specified in the excerpt.
## Implications
The targeting of Energy, Oil, and Gas (EOG) infrastructure indicates a high-impact threat actor with potential national security or economic disruption objectives. The use of ClickOnce suggests an effort to evade traditional application whitelisting and execution monitoring.
## Mitigations
- Implement strict monitoring and controls around the execution of ClickOnce applications, especially from untrusted sources.
- Enhance defense-in-depth strategies for Energy and O&G infrastructure to withstand sophisticated APT intrusion attempts.
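One concrete form of the ClickOnce monitoring recommended above, as an added example that is not part of the Trellix report or this summary: ClickOnce applications are launched through dfsvc.exe and described by a .application deployment manifest, so process-creation events can be screened for launches whose manifest is served from a host outside an internal allowlist. The event format, paths, hosts and allowlist below are constructed for the example.

```python
"""Flag ClickOnce launches whose deployment manifest comes from a non-allowlisted host."""
import re
from urllib.parse import urlparse

# Assumed allowlist: internal hosts from which ClickOnce deployments are sanctioned.
ALLOWED_HOSTS = {"apps.corp.example"}

# Constructed, simplified process-creation events: "<time> <image path> <command line>".
SAMPLE_EVENTS = [
    "2025-06-24T10:00:01 C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe "
    "dfsvc.exe https://apps.corp.example/Inventory/Inventory.application",
    "2025-06-24T10:05:12 C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe "
    "dfsvc.exe https://203.0.113.7/update/Viewer.application",
    "2025-06-24T10:06:00 C:\\Windows\\System32\\notepad.exe notepad.exe C:\\notes.txt",
]

# A ClickOnce deployment manifest URL ends in .application.
MANIFEST_URL = re.compile(r"(https?://\S+?\.application)\b", re.IGNORECASE)


def parse_event(line):
    """Split a constructed event line into (timestamp, image path, command line)."""
    ts, image, cmdline = line.split(" ", 2)
    return ts, image, cmdline


def is_clickonce_launch(image):
    """dfsvc.exe is the ClickOnce launch utility."""
    return image.lower().endswith("\\dfsvc.exe")


def manifest_host(cmdline):
    """Return the host serving the .application manifest, or None if no URL is present."""
    m = MANIFEST_URL.search(cmdline)
    return urlparse(m.group(1)).hostname.lower() if m else None


def find_untrusted_clickonce(events, allowed_hosts=ALLOWED_HOSTS):
    """Return (timestamp, host) for ClickOnce launches not served from an allowlisted host."""
    hits = []
    for line in events:
        ts, image, cmdline = parse_event(line)
        if not is_clickonce_launch(image):
            continue
        host = manifest_host(cmdline)
        # A launch with no visible manifest URL is also worth review, so treat it as untrusted.
        if host is None or host not in allowed_hosts:
            hits.append((ts, host))
    return hits


if __name__ == "__main__":
    for ts, host in find_untrusted_clickonce(SAMPLE_EVENTS):
        print(f"{ts} ClickOnce launch from non-allowlisted host: {host}")
```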