
APT Groups Exploit Microsoft ClickOnce to Deploy Malware as Trusted Executables


A sophisticated malware campaign tracked as “OneClik” has been observed targeting the oil, gas, and energy sectors, according to new research from the Trellix Advanced Research Center.

The campaign, exhibiting hallmarks of Chinese-affiliated APT activity, leverages Microsoft ClickOnce deployment technology to deliver malicious payloads as trusted executables, effectively bypassing traditional security controls.

Technical Overview

ClickOnce, the Microsoft .NET technology for installing and updating applications from a web location with minimal user interaction, is at the heart of this campaign’s initial access vector.

[Figure: Campaign infection chain]

Attackers distribute phishing emails containing links to counterfeit “hardware analysis” websites. When a victim visits these sites, a ClickOnce manifest (.application file) is delivered, masquerading as a legitimate utility.

Because ClickOnce applications are launched by dfsvc.exe, the Microsoft-signed ClickOnce deployment service, the loader starts life under a trusted host process. From there it initiates a multi-stage infection chain in which malicious code is introduced by tampering with .NET runtime configuration rather than by dropping an obviously malicious executable.

A key technique employed is AppDomainManager hijacking (MITRE ATT&CK T1574.014).

By adding AppDomainManager settings to an application’s .exe.config file, the attackers make the Common Language Runtime (CLR) load a malicious DLL at startup, before any of the host program’s own code runs. This hijacks the execution flow of otherwise benign, legitimately signed executables (e.g., ZSATray.exe, umt.exe, ied.exe).

According to the Trellix report, this lets the malware operate under the guise of legitimate ClickOnce activity and blend into normal enterprise software behaviour.
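As an added illustration (this is editorial example code, not code from the Trellix report or from OneClik), the following script shows what the hijack looks like in a .exe.config file and how a defender can audit such files, and a process’s environment block, for it. The assembly name, type name, sample configurations and the environment-variable dictionary are all constructed for the example.

```python
# Added example (not code from the Trellix report or from OneClik): audit
# .NET application configuration for the AppDomainManager hijack settings
# described above. The assembly/type names and sample configs are constructed.
import xml.etree.ElementTree as ET

# Constructed: a normal .exe.config with only a <startup> section.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""

# Constructed: the same file after tampering. The CLR reads <runtime> at start-up,
# loads the named assembly and instantiates the named AppDomainManager type before
# any of the host executable's own code runs. <etwEnable enabled="false"/> is a
# separate runtime switch that turns off CLR ETW events and is a useful co-signal.
HIJACKED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
  <runtime>
    <appDomainManagerAssembly value="temp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Loader.Manager"/>
    <etwEnable enabled="false"/>
  </runtime>
</configuration>"""

def audit_config(xml_text: str) -> list:
    """Return human-readable findings for one .exe.config document (empty if clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    for el in runtime:
        if el.tag == "appDomainManagerAssembly":
            findings.append(f"appDomainManagerAssembly={el.get('value')}")
        elif el.tag == "appDomainManagerType":
            findings.append(f"appDomainManagerType={el.get('value')}")
        elif el.tag == "etwEnable" and el.get("enabled", "true").lower() == "false":
            findings.append("etwEnable=false (CLR ETW telemetry disabled)")
    return findings

# The same hijack can be set per process through the documented environment
# variables instead of the config file, so a process's environment block
# deserves the same check. Windows variable names are case-insensitive.
ENV_KEYS = ("APPDOMAIN_MANAGER_ASSEMBLY", "APPDOMAIN_MANAGER_TYPE")

def audit_environment(env: dict) -> list:
    """Return findings for a process environment block (dict of name -> value)."""
    normalised = {k.upper(): v for k, v in env.items()}
    return [f"{k}={normalised[k]}" for k in ENV_KEYS if k in normalised]

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CONFIG), ("hijacked", HIJACKED_CONFIG)):
        print(name, audit_config(cfg) or "clean")
    # Constructed environment block for demonstration.
    print(audit_environment({"APPDOMAIN_MANAGER_ASSEMBLY": "temp", "PATH": "C:\\Windows"}))
```

In practice you would run audit_config over every *.exe.config under Program Files, the ClickOnce application cache and user-writable directories, and alert on any hit that is not on an allowlist of products known to ship a custom AppDomainManager. An appDomainManagerAssembly that names an assembly not present alongside the executable, or a DLL whose file name does not match the assembly name, deserves a closer look rather than dismissal.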

The initial loader, “OneClikNet,” is a modular .NET stager capable of determining the victim’s identity and retrieving payloads through multiple configurable methods, including direct C2 download, local file access, or embedded resources.

The payload arrives as a base64-encoded blob that the stager decrypts with AES-128-CBC. Rather than being stored alongside the ciphertext, the IV is recovered at runtime by a brute-force derivation routine, so the full set of decryption parameters is never present for static analysis to pick up.

The decrypted payload is x64 shellcode, which the stager injects and executes through CLR reflection and direct memory manipulation rather than through the Win32 API calls that conventional API-based detection watches for.

Evasion and Anti-Analysis Tactics

The OneClik campaign demonstrates a clear evolution in evasion capabilities across its three identified variants (v1a, BPI-MDM, v1d).

Early variants employ basic anti-analysis, such as hiding windows and patching Event Tracing for Windows (ETW) functions.

Later versions introduce persistent anti-debugging loops, sandbox and VM fingerprinting, and domain/Azure AD join checks.

Notably, the malware deletes its own configuration files post-execution to hinder forensic analysis.

The shellcode stager resolves Windows APIs at runtime, decrypts and decompresses the final payload, and launches a Go-based backdoor (“RunnerBeacon”) in memory.

[Figure: RunnerBeacon’s list of features]

RunnerBeacon utilizes RC4 encryption and MessagePack serialization for C2 communications, supporting multiple protocols (HTTP(S), WebSockets, TCP, SMB named-pipes).

Its modular design allows for dynamic command execution, file operations, process injection, privilege escalation, and SOCKS proxying, closely mirroring Geacon, the Go reimplementation of Cobalt Strike’s Beacon.
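To make the C2 framing concrete, here is an added example (editorial code, not RunnerBeacon’s own implementation or its real wire format) of how an analyst would seal and open a task frame that is MessagePack-serialized and then RC4-encrypted, which is the scheme the report attributes to RunnerBeacon. The key, the task field names and the values are constructed; an analyst would substitute the key recovered from the sample and the field layout observed in traffic.

```python
# Added example (not RunnerBeacon's own code or its real wire format): decoding
# a C2 frame that is MessagePack-serialized and RC4-encrypted, the scheme the
# report attributes to RunnerBeacon. The key and the task fields are constructed;
# an analyst would substitute the key recovered from the sample.
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Minimal MessagePack subset: positive fixint, uint32, fixstr/str8, bin8/bin16, fixmap.
def msgpack_encode(obj) -> bytes:
    if isinstance(obj, bool):
        raise TypeError("bool not supported in this subset")
    if isinstance(obj, int):
        if 0 <= obj <= 0x7F:
            return bytes([obj])
        if 0 <= obj <= 0xFFFFFFFF:
            return b"\xce" + struct.pack(">I", obj)
    elif isinstance(obj, str):
        raw = obj.encode("utf-8")
        if len(raw) < 32:
            return bytes([0xA0 | len(raw)]) + raw
        if len(raw) < 256:
            return b"\xd9" + bytes([len(raw)]) + raw
    elif isinstance(obj, bytes):
        if len(obj) < 256:
            return b"\xc4" + bytes([len(obj)]) + obj
        if len(obj) < 65536:
            return b"\xc5" + struct.pack(">H", len(obj)) + obj
    elif isinstance(obj, dict) and len(obj) < 16:
        out = bytes([0x80 | len(obj)])
        for k, v in obj.items():
            out += msgpack_encode(k) + msgpack_encode(v)
        return out
    raise ValueError(f"cannot encode {obj!r} with this subset")

def msgpack_decode(buf: bytes, pos: int = 0):
    """Decode one object starting at buf[pos]; return (object, position after it)."""
    b = buf[pos]
    if b <= 0x7F:
        return b, pos + 1
    if 0x80 <= b <= 0x8F:
        d, pos = {}, pos + 1
        for _ in range(b & 0x0F):
            k, pos = msgpack_decode(buf, pos)
            v, pos = msgpack_decode(buf, pos)
            d[k] = v
        return d, pos
    if 0xA0 <= b <= 0xBF:
        n = b & 0x1F
        return buf[pos + 1:pos + 1 + n].decode("utf-8"), pos + 1 + n
    if b == 0xC4:
        n = buf[pos + 1]
        return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n
    if b == 0xC5:
        n = struct.unpack(">H", buf[pos + 1:pos + 3])[0]
        return bytes(buf[pos + 3:pos + 3 + n]), pos + 3 + n
    if b == 0xCE:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    if b == 0xD9:
        n = buf[pos + 1]
        return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    raise ValueError(f"type byte 0x{b:02x} not handled by this subset")

def seal_frame(key: bytes, task: dict) -> bytes:
    """Serialize a task and RC4-encrypt it (what the operator side would send)."""
    return rc4(key, msgpack_encode(task))

def open_frame(key: bytes, frame: bytes) -> dict:
    """Decrypt and deserialize a captured frame; reject trailing garbage."""
    plain = rc4(key, frame)
    task, end = msgpack_decode(plain)
    if end != len(plain):
        raise ValueError("trailing bytes after MessagePack object")
    return task

if __name__ == "__main__":
    key = b"constructed-demo-key"            # placeholder, not a real RunnerBeacon key
    task = {"id": 7, "cmd": "shell", "arg": "whoami /all", "blob": b"\x00\x01"}
    frame = seal_frame(key, task)
    print(frame.hex())
    print(open_frame(key, frame))
```

Two practical points follow from this scheme. RC4 is a stream cipher, so if the implant uses one static key with no per-message nonce, every frame is XORed with the same keystream and XORing two captured frames together cancels the key and leaves the XOR of the two plaintexts; combined with the highly predictable MessagePack type bytes at the start of each frame, that gives an analyst a foothold even before the key is pulled from memory. And because MessagePack is a self-describing format, once a single frame decrypts cleanly the map keys reveal the implant’s task vocabulary without further reverse engineering.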

A defining feature of OneClik is its abuse of legitimate AWS cloud services for command and control (C2). Initial variants beacon to AWS CloudFront and API Gateway endpoints, while later versions leverage Lambda function URLs.

This strategy enables attackers to hide malicious traffic within normal enterprise cloud activity, complicating detection efforts.

All observed C2 domains resolved to AWS infrastructure, with TLS communications mimicking standard HTTPS traffic.
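Since the TLS itself looks like ordinary HTTPS, the hostname and the callback cadence are what a defender has to work with. The following added example (editorial code, not from the Trellix report) parses a constructed proxy log and flags clients that call a CloudFront distribution, API Gateway stage or Lambda function URL at a near-constant interval. The log format, client addresses, hostnames and timestamps are all constructed; the CloudFront hostname is the placeholder used in AWS documentation, not an indicator from the campaign.

```python
# Added example (not code from the Trellix report): hunting proxy logs for
# periodic callbacks to the AWS-hosted endpoint types the campaign used
# (CloudFront distributions, API Gateway stages, Lambda function URLs).
# The log format, hostnames and timestamps below are constructed.
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Host patterns matching the campaign's C2 hosting. These are legitimate AWS
# services, so the hostname alone is not an indicator; the fixed-interval
# callback pattern is what separates a beacon from ordinary CDN/API use.
AWS_C2_HOST = re.compile(
    r"(\.cloudfront\.net|\.execute-api\.[a-z0-9-]+\.amazonaws\.com"
    r"|\.lambda-url\.[a-z0-9-]+\.on\.aws)$"
)

# Constructed proxy log: "<ISO timestamp> <client ip> <host> <method> <path> <bytes>"
SAMPLE_LOG = """\
2025-06-10T08:00:00Z 10.1.2.3 d111111abcdef8.cloudfront.net GET /api/v1/ping 612
2025-06-10T08:00:11Z 10.1.2.3 www.example.com GET /index.html 52310
2025-06-10T08:01:02Z 10.1.2.3 d111111abcdef8.cloudfront.net GET /api/v1/ping 615
2025-06-10T08:01:30Z 10.1.2.9 d222222abcdef8.cloudfront.net GET /static/app.js 80111
2025-06-10T08:02:01Z 10.1.2.3 d111111abcdef8.cloudfront.net GET /api/v1/ping 609
2025-06-10T08:02:45Z 10.1.2.9 www.example.com GET /login 1201
2025-06-10T08:03:00Z 10.1.2.3 d111111abcdef8.cloudfront.net GET /api/v1/ping 614
2025-06-10T08:03:59Z 10.1.2.3 d111111abcdef8.cloudfront.net GET /api/v1/ping 611
2025-06-10T08:04:10Z 10.1.2.9 www.example.com GET /login 1190
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log_text: str):
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)

def find_beacons(log_text: str, min_hits: int = 4, max_jitter: float = 0.2) -> list:
    """Return (client, host) pairs that call an AWS endpoint at a near-constant interval.
    Jitter is the coefficient of variation (stdev / mean) of the inter-request gaps."""
    seen = defaultdict(list)
    for ts, client, host in parse(log_text):
        if AWS_C2_HOST.search(host):
            seen[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            hits.append({"client": client, "host": host, "hits": len(stamps),
                         "interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Tune min_hits and max_jitter to the implant’s expected sleep and jitter settings, and keep an allowlist of distributions and API stages your own applications use; a Lambda function URL or API Gateway stage that no internal team can claim is worth a ticket on its own, periodic or not. Where SNI or DNS logs are available, the same hostname test applies to them.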

While there are technical overlaps with known Chinese APT tradecraft (AppDomainManager hijacking, encrypted in-memory payloads, and cloud-based staging), Trellix remains cautious about definitive attribution.

The campaign’s targeting of critical infrastructure and its advanced, evolving toolkit underscore the persistent threat posed by state-sponsored actors leveraging modern cloud and .NET technologies for stealthy, long-term access.

Organizations are urged to monitor for anomalous ClickOnce deployments, unauthorized changes to .NET configuration files, and suspicious outbound traffic to cloud services.

Behavioural analysis, inspection of outbound TLS metadata, and endpoint monitoring for AppDomainManager injection are critical to detecting and mitigating threats of this kind.

Indicators of Compromise (IoC) Table

URLs are defanged (hxxps, [.]) and bracketed tokens such as [v1a-victim] are redacted victim-specific labels.

SHA256 / Indicator | Type / URL | Description
b06b1a5ea83d7f0883f9388c83359a738bc90e092f21f458232e2f98ed9810b6 | hxxps://[v1a-victim].blob.core.windows.net/myit/analysis.html | Phishing lure HTML (v1a)
bea96cbf485f32fff1cf5cd9106ada542b978094f524f052f0391c3b916846df | [v1a]_Hardware_Analysis_Tool.application | ClickOnce manifest (v1a loader)
c045503e0cb85588097c6e2484a49c52251ed5e46e9bfc6c73574440534123c9 | ZSATray.exe.config | Malicious AppDomainManager config (v1a)
048ffb71a1e5abfd6b905b7a4a5171eabe560948963a8c0d6aa14a40d0f6b255 | temp.dat | Malicious .NET DLL, OneClikNet (v1a)
af8864bde7e2a3b6ff198939c8350c42cea51556b1bb8be6476650ae86c2e669 | (embedded in fav.ico) | Encrypted shellcode (v1a)
d830f27b1dfc75ac50f89a9353fd8aa90103e9a53562475ab69e12d5969b70b2 | (Go payload in memory) | Go backdoor binary, “RunnerBeacon” (v1a)
2a07875fca7a9c15aa54e82a91800899effadda919e5548513c13586f2c3d7fc | hxxps://[v1d]support.blob.core.windows.net/check/systemcheck.application | ClickOnce manifest (v1d loader)
86f6d5ebaeb5ea5ac3b952e38951658e716f6065ce5f689ab5cf62fd738525e9 | hxxps://[v1d]support.blob.core.windows.net/xpayload/ied.exe.config | .NET AppDomainManager config (v1d)
83f21a03db7cd2c621da3af0b40f6d39e2562af10b59cedfbc46868b054ffac7 | hxxps://[v1d]support.blob.core.windows.net/xpayload/checkimage1.png | Malicious .NET DLL, OneClikNet (v1d)
hxxps://dyydej4wei7fq.cloudfront[.]net | URL (C2) | CloudFront URL used for beacon callbacks (v1a)
hxxps://b2zei88b61.execute-api.eu-west-2.amazonaws[.]com | URL (C2) | AWS API Gateway endpoint (v1a)
hxxps://7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on[.]aws | URL (C2) | AWS Lambda function URL (v1d)
