OneClik Campaign Exploits ClickOnce to Breach Energy Sector

Arabian Post, 12 hours ago

Trellix's Advanced Research Center has uncovered a highly targeted Advanced Persistent Threat malware campaign, named OneClik, focused on entities within the energy, oil, and gas sectors. The attackers employ sophisticated phishing lures and exploit Microsoft ClickOnce, a .NET deployment tool, to execute malware under the guise of trusted applications. This campaign exhibits hallmarks consistent with Chinese-affiliated threat actors, according to the researchers.
Phishing emails played a central role in initial access, directing recipients to a camouflaged 'hardware analysis' site. Visitors are prompted to install a ClickOnce application, which transparently downloads a malicious .NET loader. This loader utilises AppDomainManager hijacking, manipulating .exe.config settings to inject a rogue DLL at runtime. By operating under dfsvc.exe, the ClickOnce deployment service, it achieves stealthy code execution without triggering User Account Control prompts.
The operation's modularity is evident in its three known variants—v1a, BPI-MDM, and v1d—all of which deploy a .NET loader, 'OneClikNet,' to deliver a Go‑based backdoor named 'RunnerBeacon.' Communication with command‑and‑control servers occurs via legitimate AWS services such as CloudFront, API Gateway, and Lambda, complicating attribution and detection.
Researchers traced an earlier variant of the RunnerBeacon loader to a Middle Eastern oil and gas target in September 2023, suggesting the campaign has persisted for at least nine months. The clustering of infrastructure and code suggests a long‑term espionage focus on critical energy sector infrastructure.
OneClik typifies the 'living off the land' tactic trend among APT actors, embedding malicious activity within legitimate system processes. By co‑opting ClickOnce workflows, the actors evade conventional security checks and minimise forensic footprints. The use of AppDomainManager hijacking—aligned with MITRE's T1574.014 technique—illustrates both creativity and sophistication.
Operational resilience is built into each variant. Anti‑analysis safeguards such as anti‑debugging loops and sandbox escape routines indicate a degree of maturation across successive iterations. Furthermore, by leveraging AWS-hosted C2 infrastructure, each variant masks communications behind widely trusted cloud domains.
Trellix has not publicly named specific organisations but indicates that the campaign spans multiple countries and facilities in the energy domain. The attack chain—from phishing to ClickOnce deployment, loader injection, and backdoor communication—illustrates a fully developed espionage suite with lateral movement and data exfiltration capabilities.
While the activity has been linked to Chinese-affiliated actors, attribution remains cautious. Analysts point to overlapping techniques with earlier campaigns, including AppDomainManager abuse and cloud‑based C2 obfuscation, which demonstrate a persistent, strategic push into energy sector espionage.
The growing popularity of living‑off‑the‑land techniques highlights a broader shift in APT methodology: adversaries are increasingly embedding within legitimate enterprise ecosystems, evading sandbox detection and legacy cybersecurity measures. OneClik's use of ClickOnce is a prime example of tool abuse—repurposing software deployment mechanisms as vectors for stealth attacks.
Effective detection of emerging variants will require advanced behavioural analysis and cloud traffic monitoring. Security teams are advised to scrutinise unusual ClickOnce manifest downloads, monitor dfsvc.exe processes for anomalous activity, and adopt isolation techniques for unfamiliar .application installations. Deep packet inspection combined with endpoint detection of loading behaviours may also help identify lateral movement attempts using RunnerBeacon.
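A config-side check for the AppDomainManager hijack described earlier and the detection advice in this paragraph, written here as an added example (not Trellix's or the campaign's code): it parses .NET *.exe.config files for the <appDomainManagerAssembly>/<appDomainManagerType> elements the runtime honours and flags any manager assembly not on a site-specific allowlist. The allowlist entry and the sample config are constructed.

```python
"""Flag AppDomainManager hijacking (MITRE ATT&CK T1574.014) in .NET *.exe.config
files, the mechanism the OneClik loader uses to pull a rogue DLL into a process.
Added defensive example (not Trellix's code); the allowlist is a constructed placeholder."""
import os
import xml.etree.ElementTree as ET

# Constructed placeholder: simple names of assemblies your own software
# legitimately registers as AppDomainManager. Anything else is a finding.
KNOWN_GOOD_MANAGERS = frozenset({"Contoso.Hosting"})


def find_appdomain_manager(config_xml: str):
    """Return (assembly, type) declared under <runtime>, or None if absent.
    .NET Framework loads <appDomainManagerAssembly value="..."/> into every
    AppDomain before Main runs and instantiates <appDomainManagerType>."""
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value", "") if asm is not None else "",
            typ.get("value", "") if typ is not None else "")


def assess_config(config_xml: str) -> dict:
    """Classify one config as 'clean', 'allowlisted' or 'suspicious'."""
    hit = find_appdomain_manager(config_xml)
    if hit is None:
        return {"verdict": "clean", "assembly": None, "type": None}
    asm, typ = hit
    simple_name = asm.split(",", 1)[0].strip()  # "Name, Version=..., ..." -> Name
    verdict = "allowlisted" if simple_name in KNOWN_GOOD_MANAGERS else "suspicious"
    return {"verdict": verdict, "assembly": asm, "type": typ}


def scan_directory(base_dir: str):
    """Yield (path, assessment) for every *.exe.config beneath base_dir."""
    for dirpath, _, names in os.walk(base_dir):
        for name in (n for n in names if n.lower().endswith(".exe.config")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                try:
                    yield path, assess_config(fh.read())
                except ET.ParseError as exc:
                    yield path, {"verdict": "unparseable", "error": str(exc)}


# Constructed sample: the manager is redirected to an unexpected assembly.
SAMPLE_SUSPICIOUS = """<configuration><runtime>
  <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="Updater.Manager" />
</runtime></configuration>"""
```

Run `scan_directory` over ClickOnce cache and application directories and triage every `suspicious` or `unparseable` result alongside dfsvc.exe process telemetry.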
The disclosure of OneClik, aligned with rising living‑off‑the‑land APT operations, marks a pivotal moment for industrial cybersecurity. By weaponising trusted deployment frameworks, threat actors are escalating their ability to remain undetected within critical infrastructure for extended periods. As such, collaborative threat intelligence, updated detection strategies, and heightened phishing resilience are imperative to combat these stealth campaigns.
