OneClik: Stealthy Malware Exploits ClickOnce and Cloud Infrastructure to Breach Energy Companies

June 2025 — A chilling wake-up call for energy sector cybersecurity

In late June 2025, cybersecurity researchers uncovered a sophisticated new threat targeting critical infrastructure: a malware campaign dubbed OneClik. This advanced persistent threat (APT) operation is notable not only for its technical sophistication, but for how seamlessly it blends into legitimate enterprise workflows — abusing Microsoft’s ClickOnce installer and Amazon Web Services (AWS) to infiltrate energy, oil, and gas companies with barely a trace.

OneClik is a textbook example of how modern attackers have adapted to hardened enterprise defenses. By hiding inside trusted deployment mechanisms and encrypted cloud traffic, it enables long-term espionage with minimal visibility. In short, it’s malware that looks like maintenance.


Why Critical Infrastructure Is Being Hit — Silently

Cyberattacks against energy infrastructure aren’t new — but they are becoming stealthier. As organizations improve perimeter defenses and detection systems, nation-state attackers are moving away from noisy malware or privilege escalation exploits and embracing “living-off-the-land” tactics. These operations leverage built-in tools, trusted applications, and cloud services to avoid suspicion.

The OneClik campaign exemplifies this strategy, embedding malware inside legitimate software installation flows and communicating via AWS — infrastructure so widely used that it’s often trusted by default. The result is an attack that can persist for months undetected, gathering intelligence or pre-positioning for future disruption.


The Attack: ClickOnce Abuse and Cloud-Based Command & Control

Initial Compromise: A Familiar Email, a Dangerous Click

The infection starts with a phishing email crafted to resemble internal communications — often directing employees to a “hardware analysis” portal. The link delivers a ClickOnce installer (.application file) disguised as a legitimate tool. Microsoft’s ClickOnce is designed for simple, user-level installations with minimal prompts — making it ideal for attackers seeking stealth.

Because ClickOnce apps run under the user context and don’t trigger UAC warnings, the malware executes with no red flags. Victims believe they’re installing a utility; instead, they’re running a malicious loader.

Stage Two: .NET Injection and Trusted Process Hijack

The installer leverages dfsvc.exe — a legitimate Microsoft process — to execute, and then injects malicious code through AppDomainManager hijacking. By modifying the app’s configuration file, OneClik forces the .NET runtime to load a remote attacker-controlled DLL.

This code is injected into benign-looking processes like ZSATray.exe, making detection difficult. Ultimately, the malware executes under dfsvc.exe, a trusted Windows component.

🧠 Fun fact: Even security tools often ignore dfsvc.exe because it’s so commonly used for legitimate updates.


RunnerBeacon: A Powerful, Go-Based Backdoor

At the core of OneClik is RunnerBeacon, a modular backdoor written in Go that mimics Cobalt Strike’s capabilities. Once deployed, RunnerBeacon enables attackers to:

  • Browse, modify, or exfiltrate files

  • Execute remote commands or scripts

  • Steal tokens and escalate privileges

  • Scan networks and proxy traffic via SOCKS5

  • Evade detection via memory injection, anti-debugging, and environment checks

RunnerBeacon communicates over cloud services using HTTPS, WebSockets, raw TCP, and even SMB — all tunneled through legitimate AWS domains. This makes its traffic look like normal enterprise activity.


Variants and Evolution: Getting Smarter, Staying Invisible

Researchers have tracked at least three OneClik variants:

  • v1a – Basic in-memory execution and evasion

  • BPI-MDM – Adds anti-debugging and runtime analysis resistance

  • v1d – Includes VM/sandbox detection, RAM checks, and file self-deletion

All variants use the same loader architecture and backdoor, but the latest versions show marked improvements in stealth and forensic resistance. These refinements suggest active development by skilled threat actors, likely tied to a state-sponsored group.


Attribution: All Signs Point East — But No Smoking Gun

While attribution remains uncertain, code similarities and tactics suggest links to Chinese APTs, specifically APT41. However, other nation-state actors have used similar ClickOnce abuses, including the DarkHotel group, which is believed to operate out of South Korea.

What’s clear is that this is a targeted campaign. OneClik isn’t being sprayed across the internet — it’s going after high-value energy infrastructure, including oil and gas firms in the Middle East, North America, and Asia.


Why This Matters: Risks Beyond the Malware

1. Stealthy, Long-Term Espionage

OneClik is designed to remain undetected for months, siphoning off confidential data and intellectual property via encrypted cloud channels.

2. Threat to Operations

While OneClik focuses on espionage, any foothold in an IT network could be used to pivot into OT systems, potentially leading to outages or safety risks.

3. Loss of Competitive and Strategic Intelligence

Access to proprietary research, exploration data, or negotiation strategies can tip the economic balance — especially if shared with rival state-owned enterprises.

4. Blind Spots in Traditional Security

Because it operates through legitimate processes and trusted cloud services, OneClik evades firewalls, antivirus tools, and even SSL inspection — unless organizations are watching for behavior, not just binaries.


Defensive Recommendations

✅ Harden ClickOnce Usage

  • Disable or restrict ClickOnce apps via Group Policy

  • Block .application files from launching by default

  • Train users to treat software install prompts with suspicion

✅ Monitor the Cloud — Even the “Good” Parts

  • Flag anomalous outbound traffic to AWS or unexpected Lambda usage

  • Employ encrypted traffic analysis and DNS monitoring

  • Implement Zero Trust for cloud access

✅ Deploy Behavior-Based Endpoint Protection

  • Use EDR tools that flag DLL injections, debugging checks, and unusual dfsvc.exe activity

  • Log all .NET and PowerShell events for forensic review
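The two detection points above (the AppDomainManager override in a .NET application config, and a trusted host such as dfsvc.exe loading an unsigned module from a user-writable path) can be turned into a small hunting script. The Python below is an added example, not code from the researchers or this article; the config text, Sysmon-style ImageLoad records, file names and paths in it are constructed, and the path heuristic is a starting point to tune, not a signature.

```python
import xml.etree.ElementTree as ET

# Constructed application config showing the AppDomainManager hijack the
# article describes: the runtime is told to instantiate a manager type from
# an attacker-supplied assembly before the application's own code runs.
HIJACKED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly>UpdateHelper, Version=1.0.0.0, PublicKeyToken=null</appDomainManagerAssembly>
    <appDomainManagerType>UpdateHelper.Manager</appDomainManagerType>
  </runtime>
</configuration>"""

# Constructed config with an ordinary <runtime> section and no override.
CLEAN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime><gcServer enabled="false" /></runtime>
</configuration>"""

WATCHED_HOSTS = {"dfsvc.exe", "zsatray.exe"}  # host processes named in the article
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

def config_findings(config_xml: str) -> list[str]:
    """Return one finding per AppDomainManager override present in a .NET config."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        if el.tag in ("appDomainManagerAssembly", "appDomainManagerType"):
            findings.append(f"{el.tag}={(el.text or '').strip()}")
    return findings

def image_load_findings(events: list[dict]) -> list[str]:
    """Flag watched hosts loading unsigned modules from user-writable locations."""
    findings = []
    for ev in events:
        host = ev["Image"].rsplit("\\", 1)[-1].lower()
        module = ev["ImageLoaded"].lower()
        if host in WATCHED_HOSTS and ev["Signed"] != "true" \
           and any(p in module for p in USER_WRITABLE):
            findings.append(f"{host} loaded unsigned {ev['ImageLoaded']}")
    return findings

# Constructed records in the shape of Sysmon Event ID 7 (ImageLoad) fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll",
     "Signed": "true"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\UpdateHelper.dll",
     "Signed": "false"},
]
```

Run config_findings over the .exe.config files that ship with ClickOnce deployments and image_load_findings over exported ImageLoad events; legitimate ClickOnce installs will load signed Microsoft modules, so any hit deserves a closer look rather than an automatic block.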

✅ Segment Networks and Enforce Least Privilege

  • Strongly separate IT and OT environments

  • Require multi-factor authentication and jump hosts for access

  • Audit service accounts and tokens to prevent lateral movement

✅ Stay Patched and Collaborate

  • Patch software deployment tools and email systems regularly

  • Share Indicators of Compromise (IoCs) with cloud providers and industry ISACs

  • Monitor your own cloud environments for misuse


Security Is a Team Sport: Awareness and Threat Hunting

OneClik’s success relies on stealth and inaction. Don’t give it either.

  • Educate your users — especially those outside of IT — about phishing tactics.

  • Participate in ISACs and cybersecurity forums to learn from others.

  • Hunt proactively for traces of dfsvc.exe misuse, .NET injection patterns, or RunnerBeacon signatures.

And above all, assume that trusted activity can be weaponized.


Conclusion: Trusted Tools, Untrusted Outcomes

The OneClik campaign represents a new era in cyber threats — where the malware looks like maintenance and command and control is hidden in the cloud. It’s a powerful reminder that the tools we trust most can be turned against us.

For energy companies and critical infrastructure providers, the message is clear:

Visibility and vigilance are no longer optional — they are the only defense.