OneClik APT campaign targets energy sector with stealthy backdoors

Pierluigi Paganini June 27, 2025

The OneClik campaign, likely carried out by a China-linked actor, targets the energy sector using stealthy ClickOnce delivery and Golang backdoors.

Trellix cybersecurity researchers uncovered a new APT malware campaign, OneClik, targeting the energy, oil, and gas sectors. It abuses Microsoft’s ClickOnce deployment technology and custom Golang backdoors. While links to China-affiliated actors are suspected, attribution remains cautious.

Threat actors behind the campaign use stealthy “living off the land” tactics and cloud services to evade detection. They deploy Golang backdoors via .NET loaders that abuse Microsoft ClickOnce, and the campaign shows a progressive evolution in evasion techniques, including anti-debugging and sandbox detection. Command-and-control communication is hidden behind AWS services, making detection highly challenging.

“This stealthy operation unfolds across three distinct variants (v1a, BPI-MDM, and v1d), each using a .NET-based loader (“OneClikNet”) to deploy a sophisticated Go-language backdoor (“RunnerBeacon”) that communicates with threat actor infrastructure hidden behind legitimate AWS cloud services [3] (CloudFront, API Gateway, Lambda).” reads the report published by Trellix. “This makes network-based detection nearly impossible without decryption or deep behavioral analysis.”

The OneClik campaign abuses Microsoft’s ClickOnce, normally used for easy app installation, to stealthily deliver malware. Attackers send phishing emails with links to fake “hardware analysis” tools. When clicked, a disguised ClickOnce app silently installs malware using trusted Windows processes (like dfsvc.exe) to avoid raising alarms.

[Figure: ClickOnce APT malware campaign]

By hijacking the .NET configuration (AppDomainManager injection), attackers make legitimate apps load malicious code. This method does not require admin rights and blends in with normal system activity. Eventually, it loads an advanced Golang backdoor called RunnerBeacon, giving attackers the ability to spy on or control infected systems.
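As an added defender-side example (not code from the article or the Trellix report), the script below flags the .NET AppDomainManager settings that this hijack technique relies on, both in a planted app.config and in a process environment block. The `<appDomainManagerAssembly>`/`<appDomainManagerType>` runtime elements and the `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` variables are documented .NET settings; the sample config, the assembly name "Updater" and the environment dictionary are constructed for illustration.

```python
# Added example: detect .NET AppDomainManager hijack settings, the mechanism
# OneClik abuses to make a legitimate, trusted executable load attacker code.
import xml.etree.ElementTree as ET

# Constructed sample: a config planted beside a legitimate .NET binary.
PLANTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly>Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null</appDomainManagerAssembly>
    <appDomainManagerType>Updater.Manager</appDomainManagerType>
  </runtime>
</configuration>
"""

# Constructed sample: an ordinary config with no AppDomainManager override.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" /></startup>
</configuration>
"""

MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
MANAGER_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def assess_config(config_xml: str) -> list[str]:
    """Return findings for a .NET app.config; an empty list means nothing odd."""
    findings = []
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return findings
    for tag in MANAGER_ELEMENTS:
        el = runtime.find(tag)
        if el is not None and el.text:
            findings.append(f"{tag} set to {el.text.strip()}")
    # A legitimate manager assembly is normally strong-named; a null token
    # means any DLL dropped next to the binary satisfies the reference.
    asm = runtime.findtext("appDomainManagerAssembly") or ""
    if "PublicKeyToken=null" in asm:
        findings.append("AppDomainManager assembly is unsigned (PublicKeyToken=null)")
    return findings


def assess_environment(env: dict) -> list[str]:
    """Same check for a process environment block (e.g. from EDR telemetry)."""
    return [f"{var} set to {env[var]}" for var in MANAGER_ENV_VARS if env.get(var)]


if __name__ == "__main__":
    for name, cfg in (("planted", PLANTED_CONFIG), ("benign", BENIGN_CONFIG)):
        print(name, assess_config(cfg))
    print(assess_environment({"APPDOMAIN_MANAGER_ASM": "Updater", "PATH": "C:\\Windows"}))
```

Either setting appearing on a production host outside a known developer workflow is worth an alert, and the flagged assembly path tells the responder which DLL to pull for analysis.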

RunnerBeacon communicates with C2 servers via HTTP, WebSockets, TCP, and SMB. It can execute commands, manage files, escalate privileges, and move laterally. It includes anti-analysis features and supports port scanning, forwarding, and SOCKS5 proxying. Its design resembles Geacon, a Go variant of Cobalt Strike, suggesting it may be a stealthier, cloud-optimized fork or private version.

The campaign’s C2 infrastructure abuses AWS services to blend into legitimate traffic. In the v1a variant, the beacon communicated via a CloudFront domain and an API Gateway endpoint in eu-west-2, making its traffic indistinguishable from normal CDN use. In the v1d variant, AWS usage evolved: beacons hit an AWS Lambda function URL as their callback endpoint, so the entire C2 channel operated through trusted AWS domains. This “hide in the cloud” tactic makes detection extremely difficult, because defenders must either decrypt SSL or block large swaths of AWS traffic, which is rarely feasible. The variants also show an evolution in evasion: v1a relied on static AES keys, minimal sandbox checks, and no anti-debugging; BPI-MDM added debugger detection and local second-stage loading; the latest, v1d, includes robust environment checks (domain/Azure AD validation, memory checks, file deletion) and uses fully serverless C2 via Lambda. Throughout all variants, the attack leverages .NET AppDomain hijacking for stealth and persistence.

The RunnerBeacon loader was found at a Middle Eastern oil and gas target in September 2023, sharing 99% of its code with OneClik, which suggests a long-term campaign aimed at the energy sector. It uses .NET AppDomainManager hijacking, in-memory AES-encrypted payloads, and cloud infrastructure (AWS, Alibaba) to evade detection, techniques often linked to Chinese APTs. While attribution to APT41 remains low-confidence, defenders should focus on recognizing these persistent TTPs.

“Notably, OneClik’s use of a .NET-based loader, AppDomainManager hijacking, and in-memory decryption echoes techniques reported in Chinese APT operations.” concludes the report, which also includes indicators of compromise (IoCs). “Despite the strong overlap in techniques, we emphasize a cautious attribution stance. We assess a possible, low-confidence link between OneClik and Chinese threat actors such as APT41. In the absence of “smoking gun” indicators, we refrain from definitively attributing OneClik to any specific threat actor or nation.”

Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)