A new and sophisticated malware campaign has emerged, leveraging Microsoft’s ClickOnce deployment technology alongside custom-built Golang backdoors to infiltrate organizations within the energy, oil, and gas industries. Dubbed OneClik, this attack underscores an evolving threat landscape where adversaries exploit trusted enterprise tools to deliver stealthy payloads.
Security researchers have observed that the campaign’s characteristics are consistent with tactics previously associated with state-linked actors in Northeast Asia. However, formal attribution has not been confirmed. The operation is notable for its use of living-off-the-land techniques, where malicious activities are cleverly blended into legitimate cloud services and enterprise infrastructure to bypass conventional detection methods.
At the core of these attacks is the abuse of Microsoft ClickOnce, a technology designed to simplify the deployment of Windows applications. While ClickOnce is meant to provide seamless, low-friction installation for end users without requiring administrative permissions, it can be misused to execute malicious code via trusted Windows processes like dfsvc.exe.
In these attacks, phishing emails direct victims to fake websites that host ClickOnce applications. Once launched, these applications deploy a .NET-based loader known as OneClikNet, which utilizes AppDomainManager injection to execute encrypted shellcode. This shellcode, in turn, loads a Go-based implant named RunnerBeacon directly into memory.
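As an added illustration of the monitoring that the delivery chain above calls for (this is not code from the original report or from the researchers it cites), the following Python check runs over constructed process-creation events and flags two ClickOnce-related patterns: a script host launched with dfsvc.exe as its parent, and a .application manifest referenced from a host outside an internal allowlist. The event field names, the allowlist, the watchlist and the sample events are all assumptions made for the example.

```python
"""Added example: flag ClickOnce-related process activity in constructed events.
Events are dicts with image, parent_image and command_line (Sysmon ID 1 style);
the allowlist, watchlist and samples are assumptions, not data from the report."""
import re
from urllib.parse import urlparse

APPROVED_MANIFEST_HOSTS = {"deploy.corp.example"}  # constructed internal allowlist
# dfsvc.exe normally launches only the deployed app; script hosts under it stand out.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
# A ClickOnce deployment manifest (.application) URL inside a command line.
MANIFEST_RE = re.compile(r"https?://[^\s\"']+\.application", re.IGNORECASE)

def basename(path):
    # Lower-cased file name from a Windows or POSIX path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return finding strings for one event (empty list if nothing notable)."""
    findings = []
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
    if parent == "dfsvc.exe" and image in SUSPICIOUS_CHILDREN:
        findings.append(f"dfsvc.exe spawned {image}")
    for url in MANIFEST_RE.findall(ev.get("command_line", "")):
        host = (urlparse(url).hostname or "").lower()
        if host not in APPROVED_MANIFEST_HOSTS:
            findings.append(f"ClickOnce manifest from unapproved host {host}")
    return findings

def scan(events):
    # (event index, finding) pairs for a batch of events.
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

# Constructed samples: benign launch, approved deployment, script host under dfsvc.exe, lure manifest.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "dfsvc.exe https://deploy.corp.example/inventory.application"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "command_line": "powershell.exe -nop -w hidden"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Browser\browser.exe",
     "command_line": "rundll32.exe dfshim.dll,ShOpenVerbApplication "
                     "https://portal.lure.invalid/update.application"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

In a real deployment the same two checks would be expressed as a query over the EDR or SIEM's process-creation telemetry rather than over an in-memory list.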
RunnerBeacon is a versatile backdoor that supports multiple communication protocols—including HTTPS, WebSockets, TCP, and SMB named pipes—to maintain contact with command-and-control (C2) servers hidden behind Amazon Web Services (AWS) infrastructure. Its capabilities include file manipulation, process enumeration and termination, shell command execution, privilege escalation through token theft and impersonation, lateral movement, network scanning, port forwarding, and SOCKS5 proxy functionality. Anti-analysis features further enhance its ability to evade detection.
Analysis suggests RunnerBeacon shares significant similarities with known Golang-based Cobalt Strike forks like Geacon, indicating it may be a customized variant designed for stealth and compatibility with modern cloud environments.
The campaign has already exhibited multiple variants in 2025, each iteration refining its techniques to better evade defenses. Additionally, related threat activity has been observed exploiting zero-day vulnerabilities in webmail platforms, using cross-site scripting (XSS) flaws to trigger the silent download of malicious ClickOnce applications when a phishing email is opened. These attacks often deploy trojans that collect system information and communicate with attacker-controlled infrastructure for follow-on actions.
Further reports indicate overlaps between this activity and other operations linked to groups such as DarkHotel, which continue to target strategic sectors and deploy advanced techniques like Bring Your Own Vulnerable Driver (BYOVD) to disable security tools and execute malicious code.
These developments highlight the increasing complexity of modern cyber threats and the growing need for robust defenses against attacks that abuse trusted software and delivery mechanisms. Organizations are urged to review their exposure to ClickOnce applications, monitor for signs of unusual deployment activity, and strengthen their defenses against phishing and supply chain threats.