OneClik Malware

A sophisticated cyber campaign dubbed OneClik is targeting the energy, oil, and gas sectors using a blend of deceptive deployment methods and custom-built malware. At the heart of this operation is the abuse of Microsoft's ClickOnce technology and a powerful Golang-based backdoor named RunnerBeacon. Although indicators suggest a possible link to Chinese threat actors, attribution remains tentative.

ClickOnce: A Double-Edged Deployment Tool

Microsoft's ClickOnce is designed to simplify the deployment and update process of Windows applications, allowing installations with minimal user interaction. Introduced in .NET Framework 2.0, this feature enables apps to run with limited permissions without requiring administrative rights.

Unfortunately, this convenience has also made ClickOnce a valuable asset for cybercriminals. Malicious applications can be deployed using a trusted Windows binary (dfsvc.exe), which handles ClickOnce apps. These apps are executed as a child process of dfsvc.exe, allowing attackers to stealthily run malicious code without raising security alarms or needing elevated privileges.

Infiltration Tactics: Phishing and Deception

The attack chain begins with well-crafted phishing emails that lure victims to a fake hardware analysis site. Once the victim visits the site, a malicious ClickOnce application is delivered and launched using dfsvc.exe.

This loader injects malicious code into memory using a method known as AppDomainManager injection, resulting in the execution of an encrypted shellcode. The ultimate payload is RunnerBeacon, a sophisticated Golang backdoor.

RunnerBeacon: A Powerful and Versatile Implant

The RunnerBeacon backdoor is built to support a wide range of capabilities, including:

  • Communication over multiple protocols: HTTP(S), WebSockets, raw TCP, and SMB named pipes
  • Execution of shell commands and file system operations
  • Process enumeration and termination
  • Privilege escalation via token theft and impersonation
  • Lateral movement within a network

It also features advanced anti-analysis and evasion techniques, along with support for network-centric operations like port scanning, port forwarding, and SOCKS5 proxying.

A Clone of Geacon?

RunnerBeacon exhibits strong similarities to Go-based Cobalt Strike variants like Geacon, Geacon Plus, and Geacon Pro. It mirrors their command structures, cross-protocol communication features, and operational flexibility. These traits suggest that RunnerBeacon may be a customized or evolved fork of Geacon, refined to blend seamlessly into cloud environments.

Evolving Threat: Multiple Variants Detected

Cybersecurity researchers identified three distinct OneClik variants in March 2025 alone:

  • v1a
  • BPI-MDM
  • v1d

Each version includes refinements that enhance stealth and bypass detection systems. However, traces of RunnerBeacon were already discovered in September 2023 at a company in the Middle East's oil and gas sector, indicating ongoing development and testing.

Techniques and Attribution: Familiar but Unconfirmed

The use of AppDomainManager injection is a well-documented tactic and has been previously observed in cyber campaigns associated with Chinese and North Korean threat actors. However, despite the similarities in technique and approach, researchers have not been able to conclusively attribute the OneClik campaign to any known group.

In terms of identifying signs of compromise, organizations should be on alert for phishing emails that direct recipients to fraudulent hardware analysis websites, as these are often the initial entry points for the attack. Another red flag is the use of ClickOnce applications launched via the dfsvc.exe process, which may indicate the presence of malicious payloads. Suspicious deployment of AppDomainManager injection techniques and outbound connections to attacker-controlled infrastructure hosted on Amazon Web Services (AWS) are also strong indicators of compromise.

To defend against such threats, enterprises should consider disabling or closely monitoring ClickOnce deployments, particularly in high-risk environments. Security teams should watch for anomalous child processes stemming from dfsvc.exe, which could signal malicious activity. Deploying endpoint detection and response (EDR) solutions can help in identifying and mitigating AppDomain injection behaviors. Additionally, examining network traffic for unusual protocol use, such as unexpected proxy behavior or port forwarding attempts, can assist in detecting covert communication channels.
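The two host-based signs the text calls out, unusual child processes of dfsvc.exe and AppDomainManager injection, can be checked mechanically over process-creation telemetry. The following is an added example (not code from the original page or from any vendor) that walks a handful of constructed process-creation records modelled on Sysmon Event ID 1 fields and flags both behaviours. The file paths, PIDs and the list of "unexpected" child images are assumptions for illustration; the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables are real .NET settings that redirect the CLR to a custom AppDomainManager, which is why their presence on an arbitrary process is a useful indicator.

```python
"""
Added example (not from the original page): flag ClickOnce-related anomalies
in process-creation records. All sample records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcessEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1)."""
    pid: int
    image: str
    parent_image: str
    command_line: str
    env: Dict[str, str] = field(default_factory=dict)


# Assumption: interpreters and LOLBins that a legitimate ClickOnce application
# rarely spawns directly. Tune this allow/deny list for your own environment.
UNEXPECTED_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}

# Real .NET environment variables that point the CLR at a custom
# AppDomainManager assembly/type. Their presence on a process is the
# AppDomainManager-injection indicator the text describes.
APPDOMAIN_ENV_KEYS = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE"}

# ClickOnce installs applications under the per-user Apps\2.0 cache, so a
# dfsvc.exe child running from anywhere else is worth a look (assumption:
# heuristic, not a hard rule).
CLICKONCE_CACHE_MARKER = "\\apps\\2.0\\"


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious(events: List[ProcessEvent]) -> List[dict]:
    """Return one finding per event that matches any of the heuristics."""
    findings = []
    for ev in events:
        reasons = []
        parent = image_name(ev.parent_image)
        child = image_name(ev.image)

        # Heuristic 1: what did dfsvc.exe spawn, and from where?
        if parent == "dfsvc.exe":
            if child in UNEXPECTED_CHILDREN:
                reasons.append("dfsvc.exe spawned an interpreter/LOLBin")
            elif CLICKONCE_CACHE_MARKER not in ev.image.lower():
                reasons.append("dfsvc.exe child runs outside the ClickOnce cache")

        # Heuristic 2: AppDomainManager override present in the environment.
        env_hits = sorted(k for k in ev.env if k.upper() in APPDOMAIN_ENV_KEYS)
        if env_hits:
            reasons.append("AppDomainManager override: " + ",".join(env_hits))

        if reasons:
            findings.append({"pid": ev.pid, "image": child, "reasons": reasons})
    return findings


# Constructed sample telemetry: two events that should fire, two that should not.
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
SAMPLE_EVENTS = [
    # ClickOnce app in the normal cache location, but launched with an
    # AppDomainManager override in its environment.
    ProcessEvent(4101,
                 r"C:\Users\alice\AppData\Local\Apps\2.0\K1X\HardwareAnalyzer.exe",
                 DFSVC, "HardwareAnalyzer.exe",
                 {"APPDOMAIN_MANAGER_ASM": "Loader, Version=1.0.0.0",
                  "APPDOMAIN_MANAGER_TYPE": "Loader.Manager"}),
    # dfsvc.exe directly spawning a shell.
    ProcessEvent(4102, r"C:\Windows\System32\cmd.exe", DFSVC, "cmd.exe /c set"),
    # Ordinary user activity, unrelated parent.
    ProcessEvent(4103, r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe"),
    # Benign ClickOnce app: right parent, right location, no override.
    ProcessEvent(4104,
                 r"C:\Users\alice\AppData\Local\Apps\2.0\Q7B\Updater.exe",
                 DFSVC, "Updater.exe"),
]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

In production the same two checks map onto a process-lineage rule (parent image ends with `dfsvc.exe`) plus an environment or command-line match on the AppDomainManager variables; the allow-list of expected child images is the part that needs baselining per site, since legitimate ClickOnce deployments do exist in many enterprises.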

Conclusion

The OneClik campaign underscores how adversaries are continually refining their tactics to exploit legitimate technologies. For organizations within critical infrastructure sectors, maintaining a vigilant posture and implementing multi-layered security defenses remains essential in mitigating the impact of such advanced threats.