Pierluigi Paganini
June 27, 2025
Trellix cybersecurity researchers uncovered a new APT malware campaign, OneClik, targeting the energy, oil, and gas sectors. It abuses Microsoft’s ClickOnce deployment tech and custom Golang backdoors. While links to China-affiliated actors are suspected, attribution remains cautious.
Threat actors behind the campaign use stealthy “living off the land” tactics and cloud services to evade detection. They deploy Golang backdoors via .NET loaders abusing Microsoft ClickOnce, the campaign shows progressive evolution in evasion techniques, including anti-debugging and sandbox detection. Communication is hidden behind AWS services, making detection highly challenging.
“This stealthy operation unfolds across three distinct variants (v1a,BPI-MDM, andv1d), each using a .NET-based loader (“OneClikNet”) to deploy a sophisticated Golanguage backdoor (“RunnerBeacon”) that communicates with threat actor infrastructure hidden behind legitimate AWS cloud services [3] (CloudFront, API Gateway, Lambda).” reads the report published by Trellix. “This makes network-based detection nearly impossible without decryption or deep behavioral analysis.”
The OneClik campaign abuses Microsoft’s ClickOnce, normally used for easy app installation, to stealthily deliver malware. Attackers send phishing emails with links to fake “hardware analysis” tools. When clicked, a disguised ClickOnce app silently installs malware using trusted Windows processes (like dfsvc.exe) to avoid raising alarms.
By hijacking the .NET configuration (AppDomainManager injection), attackers make legitimate apps load malicious code. This method avoids requiring admin rights and blends in with normal system activity. Eventually, it loads an advanced Golang backdoor called RunnerBeacon, allowing attackers to spy on or control infected systems.
RunnerBeacon communicates with C2 servers via HTTP, WebSockets, TCP, and SMB. It can execute commands, manage files, escalate privileges, and move laterally. It includes anti-analysis features and supports port scanning, forwarding, and SOCKS5 proxying. Its design resembles Geacon, a Go variant of Cobalt Strike, suggesting it may be a stealthier, cloud-optimized fork or private version.
The campaign’s C2 infrastructure cleverly abuses AWS services to masquerade into legitimate traffic. In v1a variant, the beacon communicated via a CloudFront domain and API Gateway in eu-west-2, making its traffic indistinguishable from normal CDN use. In v1d variant, AWS usage evolved, beacons hit an AWS Lambda function URL as their callback endpoint, meaning the entire C2 channel operated through trusted AWS domains. This “hide in the cloud” tactic makes detection extremely difficult, as defenders must decrypt SSL or block large swaths of AWS traffic, which is rarely feasible. Over time, v1a variant relied on static AES keys, minimal sandbox checks, and no anti-debugging. BPI-MDM added debugger detection and local second-stage loading. The latest v1d includes robust environment checks—domain/Azure AD validation, memory checks, file deletion and uses fully serverless C2 via Lambda. Throughout all variants, the attack leverages .NET AppDomain hijacking for stealth and persistence.
The RunnerBeacon loader was found in a Middle Eastern oil and gas target in September 2023, sharing 99% of its code with OneClik, suggesting a long-term campaign aimed at the energy sector. It uses .NET AppDomainManager hijacking, in-memory AES-encrypted payloads, and cloud infrastructure (AWS, Alibaba) to evade detection—techniques often linked to Chinese APTs. While attribution to APT41 remains low-confidence, defenders should focus on recognizing these persistent TTPs.
“Notably, OneClik’s’s use of a .NET-based loader, AppDomainManager hijacking, and in-memory decryption echoes techniques reported in Chinese APT operations.” concludes the report that also includes indicators of compromise (IoCs). “Despite the strong overlap in techniques, we emphasize a cautious attribution stance. We assess a possible with low-confidence link between OneClik and Chinese threat actors such as APT41. In the absence of “smoking gun” indicators, we refrain from definitively attributing OneClik to any specific threat actor or nation.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, backdoor)
