OneClik Malware: Unleashing Threats in the Energy Sector

Summary Points

1. OneClik Campaign: Cybersecurity researchers have identified a new targeted campaign called OneClik, utilizing Microsoft’s ClickOnce technology and sophisticated Golang backdoors to infiltrate energy, oil, and gas sectors, suggesting ties to Chinese-affiliated threat actors.

2. Exploitation of ClickOnce: The attack leverages ClickOnce’s ability to execute malicious payloads without elevation rights, obfuscating operations via the trusted binary "dfsvc.exe" to deliver malware through phishing emails linked to fake hardware analysis websites.

3. RunnerBeacon Features: The Golang-based backdoor, RunnerBeacon, exhibits advanced capabilities like process enumeration, file operations, and network manipulation, featuring anti-analysis methods to evade detection, and bears structural resemblances to known Go-based malware like Cobalt Strike beacons.

4. Recent Variants and Trends: Three comprehensive variants of OneClik have emerged since March 2025, evolving in stealth and effectiveness, while a related campaign by APT-Q-14 has exploited XSS vulnerabilities to distribute ClickOnce apps, emphasizing a growing trend of sophisticated, low-profile cyber threats.

Underlying Problem

Recent cybersecurity revelations have surfaced concerning a sophisticated campaign named OneClik, which exploits Microsoft’s ClickOnce software deployment technology to infiltrate organizations in the energy, oil, and gas sectors. Researchers from Trellix, Nico Paulo Yturriaga and Pham Duy Phuc, caution that the campaign exhibits traits consistent with Chinese-affiliated threat actors, albeit without definitive attribution. Their analysis illustrates a troubling evolution in cyberattack methodologies—specifically, a pivot towards “living-off-the-land” tactics that seamlessly integrate malicious operations within trusted cloud and enterprise tools to circumvent traditional detection frameworks.

The campaign initiates with phishing emails that lead victims to a fraudulent hardware analysis website hosting a ClickOnce application. Upon execution, this application employs a .NET-based loader, OneClikNet, which orchestrates the deployment of a Golang backdoor called RunnerBeacon. This backdoor is crafted for stealthy communication with attacker-controlled infrastructure via frameworks like Amazon Web Services. RunnerBeacon’s capabilities include file manipulation, process enumeration, shell command execution, and lateral movement, all while utilizing anti-analysis measures to elude detection. Notably, variants of OneClik, like v1a and BPI-MDM, have surfaced, showcasing gradually enhanced evasion techniques and highlighting the ongoing arms race in cybersecurity. With ongoing concerns about zero-day vulnerabilities exploited by various threat groups—such as APT-Q-14—this incident underscores the urgent need for robust defenses against increasingly complex cyber threats.

Potential Risks

The OneClik campaign poses significant risks not only to its primary targets within the energy, oil, and gas sectors but also to a broader spectrum of businesses, users, and organizations that may inadvertently fall victim to its sophisticated tactics. By employing Microsoft’s ClickOnce technology, which is designed for trusted application deployment, threat actors can seamlessly inject malicious code into seemingly benign updates, effectively circumventing established cybersecurity defenses. This obfuscation can lead to widespread compromise as the malware, such as the RunnerBeacon backdoor, facilitates lateral movement across networks, allowing attackers to exploit vulnerabilities in interconnected systems. Consequently, businesses that rely on shared digital infrastructures could face severe operational disruptions, financial losses, and reputational damage stemming from data breaches and unauthorized access to sensitive information. As more organizations grapple with the evolving landscape of cyber threats, the risk of collateral damage increases, making robust cybersecurity measures and vigilance essential to mitigate potential fallout.

Possible Actions

Timely remediation is crucial in mitigating threats posed by OneClik Malware, particularly given its sophisticated mechanisms targeting the energy sector.

Mitigation Steps

1. Immediate Isolation: Disconnect affected systems from the network.
2. Threat Detection: Deploy advanced endpoint detection and response (EDR) solutions to identify malware signatures.
3. Patch Management: Regularly update all software, focusing on Microsoft products and Golang frameworks.
4. User Education: Conduct training to raise awareness about phishing, especially targeting ClickOnce links.
5. Access Controls: Implement strict user permissions and monitor access logs for anomalies.
6. Incident Response Plan: Develop and regularly test a comprehensive incident response strategy tailored for malware outbreaks.
7. Threat Intelligence: Subscribe to threat intelligence feeds to stay updated on similar vulnerabilities.
8. Data Backup: Ensure regular backups of critical data, and verify recovery procedures.

NIST Guidance
The NIST Cybersecurity Framework (CSF) emphasizes proactive risk management. Specifically, organizations should refer to NIST SP 800-53 for detailed security and privacy controls to address malware threats effectively.

Advance Your Cyber Knowledge

Discover cutting-edge developments in Emerging Tech and industry Insights.

Understand foundational security frameworks via NIST CSF on Wikipedia.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1