“OneClik” APT Unmasked: China-Linked Campaign Abuses Microsoft ClickOnce & AWS Cloud to Target Energy Sector
Cybercriminals have launched a large-scale campaign dubbed OneClik, targeting companies in the energy, oil, and gas sectors. The attack leverages Microsoft’s legitimate ClickOnce technology and a custom-designed backdoor known as RunnerBeacon, allowing threat actors to maintain a stealthy presence within targeted systems and evade detection.
ClickOnce is a legitimate deployment technology for installing and automatically updating Windows applications with minimal user interaction. Abusing this mechanism rather than exploiting a vulnerability in it, the attackers distribute malicious payloads disguised as legitimate applications.
Researchers at Trellix have analyzed three iterations of the campaign—v1a, BPI-MDM, and v1d. All variants deploy the RunnerBeacon backdoor, developed in the Go programming language and delivered via the OneClikNet loader on the .NET platform. With each version, adversaries refined their evasion techniques and further obscured their infrastructure.
The campaign typically begins with a phishing email containing a link to a counterfeit equipment analysis website hosted within Microsoft Azure’s cloud infrastructure. Victims are prompted to download a .APPLICATION file—essentially a ClickOnce deployment manifest—camouflaged as a trusted application. The application executes via the dfsvc.exe system process, thereby bypassing standard security warnings.
Once launched, the malware injects itself into the .NET application using the AppDomainManager technique, enabling the execution of malicious code in place of standard dependencies. To conceal communication with its command-and-control (C2) server, the attackers employ Amazon cloud services—CloudFront, API Gateway, and Lambda—disguising their malicious traffic as routine cloud interactions.
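As an added defensive illustration, not part of the Trellix report or of this article, the Python sketch below flags the two host-side traces the preceding paragraphs describe: dfsvc.exe launching a ClickOnce manifest from a remote URL, and an application config that redirects the .NET runtime to a custom AppDomainManager. The telemetry records, the config file and the assembly and type names are all constructed; the `appDomainManagerAssembly`/`appDomainManagerType` elements are the documented .NET runtime settings.

```python
import re
import xml.etree.ElementTree as ET

# Constructed process-creation records (invented, not Trellix IOCs), Sysmon/EDR style.
EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "cmdline": "dfsvc.exe https://equipment-analysis.invalid/Analyzer.application"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "cmdline": r"dfsvc.exe \\fileserver\deploy\InternalTool.application"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Constructed .exe.config: <appDomainManagerAssembly>/<appDomainManagerType> are the
# documented .NET runtime settings AppDomainManager injection relies on; names are invented.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration><runtime>
  <appDomainManagerAssembly value="Analyzer.Core, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="Analyzer.Core.Bootstrap" />
</runtime></configuration>"""

REMOTE_MANIFEST = re.compile(r"https?://\S+\.application\b", re.IGNORECASE)

def remote_clickonce_launch(event):
    """True when dfsvc.exe is handed a ClickOnce manifest fetched over HTTP(S), the
    OneClik delivery path; local/UNC manifests are left alone (common internal use)."""
    image = event["image"].lower()
    return image.endswith("\\dfsvc.exe") and REMOTE_MANIFEST.search(event["cmdline"]) is not None

def appdomainmanager_override(config_xml):
    """Return (assembly, type) if the config redirects the CLR to a custom
    AppDomainManager, else None; PublicKeyToken=null means an unsigned assembly."""
    root = ET.fromstring(config_xml)
    asm = root.find("runtime/appDomainManagerAssembly")
    typ = root.find("runtime/appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value"), typ.get("value")

def triage(events, configs):
    """Combine both signals into a list of human-readable findings."""
    findings = [f"remote ClickOnce manifest via dfsvc.exe: {e['cmdline']}"
                for e in events if remote_clickonce_launch(e)]
    for name, xml in configs.items():
        hit = appdomainmanager_override(xml)
        if hit:
            findings.append(f"{name}: AppDomainManager redirected to {hit[0]} ({hit[1]})")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(EVENTS, {"Analyzer.exe.config": SUSPICIOUS_CONFIG})))
```

In production the same two checks would run over real process-creation telemetry and over .exe.config files found next to freshly installed ClickOnce applications, with an allow-list for any internal deployment that legitimately sets an AppDomainManager.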
RunnerBeacon encrypts all traffic using the RC4 algorithm and utilizes the MessagePack serialization format. Its capabilities include shell command execution, file management, port scanning, and establishing proxy tunnels via SOCKS5. Additional features include process injection and privilege escalation preparation.
Experts note the resemblance between RunnerBeacon and the well-known Geacon toolset, also written in Go. There is reason to believe RunnerBeacon may be a modified derivative, tailored for clandestine operations in cloud environments.
While the OneClik campaign was formally identified in March of this year, individual components had been observed earlier. In September 2023, a similar loader was discovered in a Middle Eastern oil and gas company.
The techniques employed—cloud infrastructure abuse, .NET process injection, and encrypted payload delivery—align closely with those previously observed in Chinese cyber espionage operations. However, current evidence is insufficient to definitively attribute the campaign.
Trellix has published a list of indicators of compromise (IOCs), including phishing emails, malicious loaders, executables, domains, and configuration artifacts, enabling organizations to detect and neutralize the threat.