OneClik Malware Hides In Plain Sight
A New Breed of Cyber Intrusion
Cybersecurity experts have uncovered a highly targeted malware campaign known as OneClik. This operation is not your typical scattergun attack—it's a focused effort aimed squarely at high-value industries such as energy, oil, and gas. What makes OneClik noteworthy is its use of Microsoft's ClickOnce technology, a legitimate tool designed to make software deployment seamless for users. Instead, attackers have flipped it into a weapon for quietly delivering backdoors into critical systems.
Living Off the Land: The Attackers’ Evasive Strategy
Rather than relying on noisy malware that triggers alarms, OneClik takes a subtler approach. The campaign aligns with a broader industry trend known as "living-off-the-land" techniques—using trusted system tools and platforms to operate undetected. The attackers blend malicious processes into normal enterprise workflows, making detection extremely difficult. Though some characteristics suggest links to Chinese-affiliated threat groups, security analysts remain cautious about assigning blame.
From Phishing to Full Control
The attack chain begins with a deceptively simple phishing email. Victims are redirected to a fake website that mimics a legitimate hardware analysis tool. When visited, this site silently delivers a ClickOnce application. While this might seem harmless, the application is actually a .NET-based loader that triggers a complex chain of events. At the center of this chain is a powerful backdoor known as RunnerBeacon.
RunnerBeacon: The Core Implant
Built using the Go programming language, RunnerBeacon is designed for stealth and versatility. It communicates with its operators over several protocols, including HTTPS, raw TCP, and even Windows named pipes. This allows the malware to carry out a wide range of activities: reading and modifying files, scanning internal networks, executing shell commands, stealing tokens for privilege escalation, and moving laterally through the network. It's not just a foothold—it's a toolkit for deep system compromise.
No Admin Rights Required: Why ClickOnce Matters
One of the campaign's cleverest tricks lies in its abuse of ClickOnce. This Microsoft technology is typically used to install software without needing administrator privileges. Attackers leverage this to launch their malware without raising red flags or asking for suspicious permissions. The malicious app runs through a trusted Windows process, dfsvc.exe, and employs a rarely seen tactic known as AppDomainManager injection to execute encrypted shellcode in memory—making forensic recovery difficult.
Not a One-Off: Evolving Variants in the Wild
This isn't a single strain of malware—it's a growing family. Security researchers have identified several OneClik variants emerging in 2025 alone, each version more refined than the last. Names like v1a, BPI-MDM, and v1d indicate a maturing toolset designed for evasion and persistence. In fact, earlier sightings of the RunnerBeacon backdoor trace back to 2023, pointing to a campaign that has been operating and evolving quietly over time.
Broader Implications: What This Means for Businesses
The implications of OneClik's activity are significant. Its ability to fly under the radar, avoid privilege escalation requirements, and operate within trusted systems makes it especially dangerous for industries relying on legacy systems or minimal endpoint protections. Traditional antivirus tools and firewalls may not catch it. Organizations in infrastructure sectors must consider whether their current defenses can cope with this type of attack.
Here are some key signs that could suggest a OneClik-style intrusion:
- Unusual outbound traffic to AWS or other cloud services
- Unknown child processes of dfsvc.exe
- Use of AppDomainManager or suspicious .NET assemblies
- Gradual privilege escalations without alerts
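Two of the signs above (unexpected children of dfsvc.exe, and AppDomainManager use) can be checked mechanically against process-creation telemetry. The following is an added example, not code from the article or from any of the researchers it cites: a small Python triage filter over constructed Sysmon-style events. The ClickOnce app-cache path, the shell list and the optional Environment field are assumptions to tune for your own environment.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
# The "Environment" field is an assumption: some EDRs record it, Sysmon does not.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,   "Image": r"C:\Windows\Explorer.EXE", "CommandLine": "explorer"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe", "CommandLine": "dfsvc.exe"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Users\u\AppData\Local\Apps\2.0\ABCD\Tool.exe", "CommandLine": "Tool.exe"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 500, "ParentProcessId": 200, "Image": r"C:\Users\u\Downloads\update.exe", "CommandLine": "update.exe",
     "Environment": "APPDOMAIN_MANAGER_ASM=x"},
]

# Assumed allowlist: dfsvc.exe is normally expected to launch only the deployed
# ClickOnce application, which lives under the per-user ClickOnce app cache.
CLICKONCE_CACHE = re.compile(r"\\AppData\\Local\\Apps\\2\.0\\", re.I)
# Assumed list of shells/LOLBins that should not descend from dfsvc.exe.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
# .NET AppDomainManager override names (env vars and .config attribute).
APPDOMAIN_MARKERS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "appDomainManagerAssembly")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid, max_depth=8):
    """Yield parent events up the lineage; depth-bounded so bad data cannot loop."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ParentProcessId"])
        if cur is None:
            return
        yield cur

def triage(events):
    """Return (ProcessId, reason) pairs for events matching the OneClik-style signs."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        image = e["Image"]
        parent = by_pid.get(e["ParentProcessId"])
        if parent and basename(parent["Image"]) == "dfsvc.exe" and not CLICKONCE_CACHE.search(image):
            findings.append((e["ProcessId"], "dfsvc.exe child outside ClickOnce app cache"))
        if basename(image) in SHELLS and any(basename(a["Image"]) == "dfsvc.exe" for a in ancestors(e, by_pid)):
            findings.append((e["ProcessId"], "shell/LOLBin descended from dfsvc.exe"))
        haystack = (e.get("CommandLine", "") + " " + e.get("Environment", "")).lower()
        if any(m.lower() in haystack for m in APPDOMAIN_MARKERS):
            findings.append((e["ProcessId"], "AppDomainManager override present"))
    return findings

if __name__ == "__main__":
    for pid, reason in triage(EVENTS):
        print(pid, reason)
```

The lineage walk matters because the loader, not dfsvc.exe itself, is what typically spawns a shell; a parent-only check would miss it.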
A Global Pattern: Connections to Other Threat Actors
While attribution remains murky, researchers have noted similarities between OneClik's techniques and those used by state-linked groups in Northeast Asia. One campaign by a group known as APT-Q-14 also leveraged ClickOnce applications, this time exploiting a zero-day XSS flaw in a web-based email service to install malware without any clicks at all. The overlap in tactics suggests either shared tooling or a common playbook among regional threat actors.
Adaptability Is the New Weapon
What sets OneClik apart from traditional malware is its flexibility. It doesn't rely on blockbuster vulnerabilities or brute-force methods. Instead, it adapts. It uses trusted platforms like AWS, cloaks its communications, and evolves in real-time. This is emblematic of a wider shift in cyber threats: away from volume and toward stealth and precision.
Final Thoughts
The OneClik campaign is a clear reminder that even legitimate technologies can be repurposed for malicious ends. For security teams, this means looking beyond surface-level protections and investing in behavioral analysis, anomaly detection, and advanced monitoring. Since threat actors never stop refining their methods, defenders must match them in agility and insight. The future of cybersecurity lies in understanding not just what attackers do—but how quietly they do it.