Full Report
Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft's ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas sectors. "The campaign exhibits characteristics aligned with Chinese-affiliated threat actors, though attribution remains cautious," Trellix researchers Nico Paulo
Analysis Summary
# Threat Actor: OneClik Campaign (Chinese-affiliated, attributed cautiously)
## Attribution & Identity
* **Identification:** Threat activity dubbed "OneClik" campaign.
* **Attribution:** Exhibit characteristics aligned with Chinese-affiliated threat actors, though formal attribution remains cautious.
* **Associated Groups:** The underlying backdoor, RunnerBeacon, shows structural and functional similarities to Go-based Cobalt Strike beacons like the Geacon family, suggesting it may be an evolved fork or privately modified variant.
* **Note:** The article also discusses APT-Q-14 and DarkHotel (APT-C-06), which employ similar ClickOnce techniques but are separate threat groups, not part of the OneClik attribution.
## Activity Summary
OneClik is a campaign leveraging Microsoft's ClickOnce software deployment technology to deliver bespoke Golang backdoors. The attack chain starts with phishing emails containing a link to a fake hardware analysis website, distributing a ClickOnce application. This app executes via the trusted Windows binary `dfsvc.exe`, utilizing AppDomainManager injection to ultimately deploy the RunnerBeacon backdoor in memory. Three variants (v1a, BPI-MDM, and v1d) were observed in March 2025, showing progressive stealth improvements. A variant of RunnerBeacon was found targeting an oil and gas company in the Middle East in September 2023.
## Tactics, Techniques & Procedures
* **Initial Access/Execution:** Phishing emails leading to a malicious website hosting a ClickOnce application.
* **Execution Abuse:** Abuse of Microsoft ClickOnce software deployment technology to execute code via the trusted Windows binary `dfsvc.exe` (MITRE ATT&CK: T1127.002 - OS Credential Dumping: Stored Credential Files/Exploiting Trusted Binary).
* **Defense Evasion/Execution:** AppDomainManager injection to launch malicious code.
* **Defense Evasion:** Execution of encrypted shellcode in memory.
* **Command and Control:** C2 communication via HTTP(s), WebSockets, raw TCP, and SMB named pipes.
* **Persistence/Privilege Escalation:** Privilege escalation achieved via token theft and impersonation.
* **Lateral Movement:** Facilitated via SOCKS5 protocol (proxying/routing) and network operations (port scanning/forwarding).
* **Anti-Analysis:** Backdoor incorporates anti-analysis features.
* **Tradecraft:** "Living-off-the-land" tactics using cloud and enterprise tooling.
## Targeting
* **Sectors:** Energy, Oil, and Gas sectors.
* **Geography:** Observed targeting infrastructure in the Middle East.
* **Victims:** Companies within the energy, oil, and gas sectors.
## Tools & Infrastructure
* **Malware Families:**
  * **OneClikNet:** A .NET-based loader.
  * **RunnerBeacon:** A sophisticated Go-based backdoor (parallels Cobalt Strike beacons like Geacon/Geacon Pro).
* **Infrastructure:** Command-and-Control infrastructure obscured using Amazon Web Services (AWS) cloud services.
## Implications
This campaign indicates a sophisticated focus on critical infrastructure sectors (Energy/O&G) utilizing modern tooling (Golang) and legitimate software deployment mechanisms (ClickOnce) to evade traditional security controls. The reliance on cloud services for C2 further complicates detection and disruption efforts, reflecting a broader trend toward stealthy, cloud-friendly operations.
## Mitigations
* Monitor for the execution of applications launched as child processes of `dfsvc.exe`, especially those leveraging techniques like AppDomainManager injection.
* Implement strict monitoring and control over ClickOnce application deployment, treating them as high-risk executables unless explicitly whitelisted.
* Analyze network traffic for C2 communication over the transports the backdoor supports: HTTP(S), WebSockets, raw TCP, and SMB named pipes.
* Review endpoint logs for in-memory code execution and shellcode deployment, particularly when linked to initial execution via trusted Windows binaries.
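As an added example (not code from the Trellix report or the article), the following Python script applies the process-focused mitigations above to constructed Sysmon-style process-creation records: it flags children of the ClickOnce host `dfsvc.exe`, flags `dfsvc.exe` launches of `.application` manifests that are not on an explicit allowlist, and raises severity when a `dfsvc.exe` child carries the .NET `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables that select a custom AppDomainManager. The `Environment` field, the allowlist prefix, the sample paths and the `example.net` domain are assumptions; Sysmon Event ID 1 itself records no environment variables, so that field stands in for EDR enrichment.

```python
"""Triage Sysmon-style process-creation events for ClickOnce (dfsvc.exe) abuse.

Added example for the OneClik mitigations; event shape and values are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

CLICKONCE_HOST = "dfsvc.exe"

# .NET runtime variables that select a custom AppDomainManager. Seeing them on a
# dfsvc.exe child is used here as a hypothetical high-confidence indicator.
APPDOMAIN_MANAGER_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed allowlist: deployment-manifest URL prefixes the organisation trusts.
ALLOWED_MANIFEST_PREFIXES = ("https://deploy.example.internal/",)

SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    process_id: int
    image: str
    severity: str
    reasons: tuple[str, ...]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _manifest_from_cmdline(cmdline: str) -> str | None:
    """Return the first .application manifest URL/path on the command line, if any."""
    for token in cmdline.replace('"', " ").split():
        if token.lower().endswith(".application"):
            return token
    return None


def evaluate_event(event: dict) -> Finding | None:
    """Apply the dfsvc.exe heuristics to one process-creation record."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    env = event.get("Environment", {})  # constructed EDR enrichment, not a Sysmon field
    reasons: list[str] = []
    severity = "info"

    # dfsvc.exe itself: legitimate for allowlisted manifests, suspicious otherwise.
    if image == CLICKONCE_HOST:
        manifest = _manifest_from_cmdline(cmdline)
        if manifest and not manifest.lower().startswith(ALLOWED_MANIFEST_PREFIXES):
            reasons.append(f"dfsvc.exe launching non-allowlisted ClickOnce manifest {manifest}")
            severity = "medium"

    # Anything spawned by the ClickOnce host deserves a look; AppDomainManager
    # selection on that child is the injection pattern the report describes.
    if parent == CLICKONCE_HOST:
        reasons.append("child process of ClickOnce host dfsvc.exe")
        severity = "medium"
        hits = [k for k in APPDOMAIN_MANAGER_ENV if k in env]
        if hits:
            reasons.append("AppDomainManager selection via " + ", ".join(hits))
            severity = "high"

    if not reasons:
        return None
    return Finding(int(event.get("ProcessId", 0)), image, severity, tuple(reasons))


def load_events(text: str) -> list[dict]:
    """Parse a JSON-lines export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events) -> list[Finding]:
    """Evaluate every event and return findings, highest severity first (stable order)."""
    findings = [f for f in (evaluate_event(e) for e in events) if f]
    findings.sort(key=lambda f: -SEVERITY_ORDER[f.severity])
    return findings


# Constructed sample telemetry (not from the campaign); paths and domains are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" https://deploy.example.internal/Tools.application',
     "Environment": {}},
    {"ProcessId": 4200, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" https://hardware-analysis.example.net/Analyzer.application',
     "Environment": {}},
    {"ProcessId": 4300, "Image": r"C:\Users\user\AppData\Local\Apps\2.0\Analyzer.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "CommandLine": "Analyzer.exe",
     "Environment": {"APPDOMAIN_MANAGER_ASM": "Loader, Version=1.0.0.0", "APPDOMAIN_MANAGER_TYPE": "Loader.Mgr"}},
    {"ProcessId": 4400, "Image": r"C:\Users\user\AppData\Local\Apps\2.0\Tools.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "CommandLine": "Tools.exe", "Environment": {}},
    {"ProcessId": 4500, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe", "Environment": {}},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for finding in triage(load_events(SAMPLE_LOG)):
        print(f"[{finding.severity}] pid={finding.process_id} {finding.image}: " + "; ".join(finding.reasons))
```

The allowlisted launch (pid 4100) and the unrelated `notepad.exe` produce no finding; the non-allowlisted manifest and the plain `dfsvc.exe` child score medium, and the child carrying the AppDomainManager variables scores high. In production the allowlist would be populated from the organisation's sanctioned deployment servers, and the `dfsvc.exe`-child rule would be tuned against the volume of legitimate ClickOnce applications in the environment.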