OneClik Malware Targets Energy Sector with Stealthy ClickOnce Exploits

Cyberattack Alert: OneClik Campaign Exposes Energy Sector to Advanced Threats

A dangerous cyber campaign known as OneClik is actively targeting the oil, gas, and energy sectors, using cutting-edge evasion techniques and sophisticated infection chains. Discovered by the Trellix Advanced Research Center, the attack campaign exploits Microsoft’s ClickOnce deployment system to mask its activities under trusted Windows processes. Believed to be linked to Chinese state-affiliated APT (Advanced Persistent Threat) actors, this malware cleverly sidesteps traditional security tools and embeds itself deeply into enterprise environments. With modular payloads, encrypted communications, and abuse of trusted cloud infrastructure like AWS, OneClik represents a new generation of stealthy, persistent threats aimed at critical infrastructure. Organizations relying on outdated detection methods may find themselves defenseless unless they rapidly modernize their cybersecurity frameworks.

Inside the OneClik Threat Campaign

How the Attack Starts

The OneClik malware campaign begins with phishing emails crafted to lure victims in the oil, gas, and energy sectors. These messages contain links to spoofed “hardware analysis” websites. Once a user clicks the link, a malicious .application file is silently delivered. This file, disguised as a legitimate ClickOnce installer, is executed under the trusted dfsvc.exe process, launching a multi-stage infection.

Hijacking Trust with ClickOnce

ClickOnce is a Microsoft technology originally designed to streamline app deployment. OneClik abuses this by modifying .exe.config files and using AppDomainManager hijacking to inject malicious DLLs. When legitimate executables like ZSATray.exe, ied.exe, or umt.exe are launched, they unknowingly load malware.

Stealthy Payload Delivery

The initial loader, “OneClikNet,” fingerprints the victim and retrieves encrypted payloads through one of several delivery methods: a C2 download, a file embedded in the loader, or a file already present on the host. The payloads are decrypted with AES-128-CBC (the loader brute-forces the IV rather than shipping it), then executed as 64-bit shellcode via .NET reflection and in-memory injection, so the decrypted stage never touches disk and file-based security tools have nothing to scan.

Anti-Analysis & Evasion Strategies

Three variants of OneClik have been identified: v1a, BPI-MDM, and v1d. While early versions hid windows and patched telemetry features, newer versions added persistent anti-debugging loops, sandbox detection, and domain checks. The malware removes its own configuration files after launch, making forensic investigation difficult.

RunnerBeacon: The Final Payload

The decrypted shellcode loads a Go-based backdoor named “RunnerBeacon” directly into memory. This backdoor is highly modular, supporting dynamic commands, file transfers, process injection, privilege escalation, and proxying via protocols like HTTP(S), TCP, WebSockets, and SMB. RunnerBeacon’s C2 communications are encrypted using RC4 and serialized with MessagePack, mimicking tools like Cobalt Strike’s Geacon.

AWS Cloud Infrastructure Abuse

A unique trait of OneClik is its use of Amazon Web Services. By routing communications through AWS CloudFront, API Gateway, and Lambda URLs, the malware’s C2 traffic blends with regular cloud activity. All known domains involved resolve to AWS infrastructure and use TLS-encrypted traffic, complicating detection even further.

Attribution and Defensive Recommendations

Although OneClik exhibits several characteristics linked to known Chinese APT groups, researchers are cautious about definitive attribution. The malware’s focus on critical infrastructure and the evolving sophistication of its techniques mark it as a serious, ongoing threat. Organizations are advised to monitor ClickOnce deployments, scrutinize .NET configuration files, inspect outbound cloud traffic, and employ behavioral analysis to detect AppDomainManager hijacking.
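The AppDomainManager hijack described under “Hijacking Trust with ClickOnce” is declared in the target’s `.exe.config`: two elements under `<runtime>`, `<appDomainManagerAssembly>` and `<appDomainManagerType>`, tell the CLR to load an arbitrary assembly before the application’s own `Main()` runs. The recommendation above to scrutinize .NET configuration files can be turned into a concrete check. The following scanner is an added example written for this page, not tooling from Trellix or from the report; the sample configurations are constructed, the allow-list parameter is a hypothetical tuning knob, and the directory walk assumes a filesystem layout where each hosted executable sits beside its `<name>.exe.config`.

```python
"""Scan .NET application configuration files for AppDomainManager overrides.

Added example for this page (not Trellix tooling). An AppDomainManager override
is rare in legitimate enterprise software, so any occurrence outside a known
allow-list is worth a look, and one pointing at an assembly dropped next to the
EXE is the hijack pattern the report describes.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import Path

# Elements under <runtime> that make the CLR load an arbitrary assembly as the
# AppDomainManager before the application's own Main() runs.
HIJACK_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def find_appdomain_manager(config_xml: str) -> dict[str, str]:
    """Return the AppDomainManager settings declared in an .exe.config.

    Maps element name -> its 'value' attribute; an empty dict means the file
    declares no override at all.
    """
    root = ET.fromstring(config_xml)
    found: dict[str, str] = {}
    runtime = root.find("runtime")
    if runtime is None:
        return found
    for child in runtime:
        tag = child.tag.split("}")[-1]  # tolerate a namespaced element
        if tag in HIJACK_ELEMENTS:
            found[tag] = child.get("value", "")
    return found


def assess(config_xml: str, expected_publisher_assemblies: tuple[str, ...] = ()) -> list[str]:
    """Return human-readable findings for one config; empty list == nothing to flag.

    expected_publisher_assemblies is a hypothetical allow-list of manager
    assembly names a vendor is known to ship (assumption: maintained by the SOC).
    """
    findings: list[str] = []
    settings = find_appdomain_manager(config_xml)
    if not settings:
        return findings
    assembly = settings.get("appDomainManagerAssembly", "")
    mgr_type = settings.get("appDomainManagerType", "")
    findings.append(f"AppDomainManager override present: assembly={assembly!r} type={mgr_type!r}")
    # The short assembly name is what the CLR resolves from the application
    # directory; a name not on the allow-list is the hijack signal.
    short_name = assembly.split(",")[0].strip()
    if short_name and short_name not in expected_publisher_assemblies:
        findings.append(f"manager assembly {short_name!r} is not in the allow-list")
    if "appDomainManagerAssembly" in settings and "appDomainManagerType" not in settings:
        findings.append("assembly set without a type (malformed override)")
    return findings


def scan_directory(root: Path, allow: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Walk a tree of deployed applications and collect findings per config file."""
    results: dict[str, list[str]] = {}
    for path in root.rglob("*.exe.config"):
        try:
            findings = assess(path.read_text(encoding="utf-8-sig"), allow)
        except ET.ParseError as exc:
            findings = [f"unparseable config: {exc}"]
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample: a config that points the CLR at a DLL dropped beside the EXE.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>"""

# Constructed sample: an ordinary config with no runtime override.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("suspicious", SUSPICIOUS_CONFIG), ("benign", BENIGN_CONFIG)):
        print(name, assess(cfg) or ["no AppDomainManager override"])
```

The config file is only one of the two ways an AppDomainManager can be set; the CLR also honours environment variables for the same purpose, so a host-based rule should additionally watch for `APPDOMAIN_MANAGER_ASSEMBLY` and `APPDOMAIN_MANAGER_TYPE` in the environment of launched .NET processes. Pair the scan with file-integrity monitoring on `.exe.config` so a change to a previously clean file raises an alert, which is the point of the “monitor .exe.config changes” advice.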

What Undercode Say:

A Strategic Shift in Cyberwarfare Tactics

OneClik represents a paradigm shift in how attackers approach critical infrastructure. The abuse of legitimate Windows features like ClickOnce and AppDomainManager isn’t new, but this campaign scales it to a level of seamless integration that borders on invisibility. Threat actors are no longer just breaking into networks; they are blending in and staying for the long haul.

Leveraging Trusted Channels

One of the most dangerous aspects of OneClik is its use of trusted cloud infrastructure. By routing command-and-control (C2) traffic through AWS services, the malware mimics normal enterprise operations. In today’s cloud-heavy environments, security tools often whitelist cloud platforms by default. This grants OneClik a significant advantage, making its presence extremely hard to detect.

Multi-Stage and Modular Attacks

The modular design of OneClikNet and RunnerBeacon allows attackers to tailor operations to specific victims. Instead of deploying a monolithic payload, they can selectively execute commands, escalate privileges, and exfiltrate data as needed. This flexibility mirrors military-grade cyber toolkits and makes containment difficult once the malware gains a foothold.

Advanced Evasion at Every Step

The evolution of OneClik variants shows a clear trend: these threat actors are adapting fast. With each version, they add new layers of obfuscation and anti-analysis techniques. From hiding windows to runtime API resolution and sandbox detection, OneClik anticipates how defenders will respond and proactively works around it.

.NET as a Weapon

Using .NET as a foundation is another stroke of strategic brilliance. Enterprises heavily rely on .NET-based applications, and few organizations are equipped to inspect the inner workings of the Common Language Runtime (CLR). AppDomainManager hijacking is especially potent here, allowing the malware to execute inside legitimate apps without raising alarms.

Cyber Espionage and Industrial Targeting

That this malware campaign focuses on oil, gas, and energy companies is no coincidence. These sectors are prime targets for nation-state actors interested in geopolitical leverage, economic sabotage, or intellectual property theft. Disrupting energy supply chains, even subtly, can have far-reaching consequences.

Implications for Cloud Security

OneClik’s abuse of AWS services is a wake-up call. Security teams must understand that cloud platforms, while essential for productivity, are also becoming attack surfaces. TLS-encrypted traffic and familiar domain names no longer guarantee safety. Threat hunting must evolve to inspect behavioral anomalies, not just signatures.

Why Traditional AV is Powerless

Signature-based antivirus tools are practically blind to OneClik. The malware never writes permanent files to disk in its final stages, uses encrypted memory-resident shellcode, and sidesteps APIs that traditional detection relies on. Defenders need EDR solutions capable of monitoring memory behavior and runtime anomalies.

Defending Against OneClik

Security teams should focus on proactive defense: block unauthorized ClickOnce applications, monitor .exe.config changes in .NET applications, and flag abnormal access to AWS domains. Additionally, endpoint detection and response (EDR) tools should be configured to spot AppDomainManager anomalies and detect shellcode execution patterns in memory.
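Both the “AWS Cloud Infrastructure Abuse” section and the recommendation above to flag abnormal access to AWS domains come down to the same observation: the C2 traffic is TLS-encrypted and goes to CloudFront, API Gateway and Lambda URL hostnames, so the detectable signal is which process on which host is talking to those endpoints, not the content. The following detector is an added example written for this page, not Trellix or vendor code; the proxy log format and the log lines are constructed, the `baseline` set of processes permitted to reach AWS edge endpoints is a hypothetical per-environment tuning input, and the hostname patterns are the public naming shapes of the three services the report names.

```python
"""Flag outbound connections to AWS edge/serverless endpoints from unexpected processes.

Added example for this page (not Trellix tooling). The report says OneClik's C2
hides behind CloudFront, API Gateway and Lambda URLs over TLS, so the detection
keys on the (process, destination) pairing rather than on traffic content.
"""
from __future__ import annotations

import re
from collections import Counter

# Public hostname shapes of the three AWS services the report names as C2 fronting.
AWS_FRONT_PATTERNS = {
    "cloudfront": re.compile(r"^[a-z0-9]+\.cloudfront\.net$", re.I),
    "api-gateway": re.compile(r"^[a-z0-9]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com$", re.I),
    "lambda-url": re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.I),
}

# Processes the report ties to the infection chain: the ClickOnce host process
# and the executables whose AppDomainManager gets hijacked.
WATCHED_PROCESSES = {"dfsvc.exe", "zsatray.exe", "ied.exe", "umt.exe"}

# Constructed proxy/EDR network log format (assumption for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def classify_destination(hostname: str) -> str | None:
    """Return the AWS fronting service a hostname belongs to, or None."""
    for service, pattern in AWS_FRONT_PATTERNS.items():
        if pattern.match(hostname):
            return service
    return None


def parse_line(line: str) -> dict[str, str] | None:
    """Parse one constructed log line into a dict; None for lines that don't fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, baseline: frozenset[str] = frozenset()) -> list[dict[str, str]]:
    """Return one finding per connection to an AWS front from a process that
    either belongs to the OneClik chain or is not baselined for AWS access."""
    findings: list[dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_destination(rec["dst"])
        if service is None:
            continue  # not an AWS edge/serverless endpoint
        proc = rec["proc"].lower()
        if proc in WATCHED_PROCESSES:
            reason = "watched process"
        elif proc not in baseline:
            reason = "process not in baseline"
        else:
            continue  # e.g. a browser reaching a CDN is expected
        findings.append({"ts": rec["ts"], "host": rec["host"], "proc": rec["proc"],
                         "dst": rec["dst"], "service": service, "reason": reason})
    return findings


def hosts_by_finding_count(findings: list[dict[str, str]]) -> Counter:
    """Rank hosts so an analyst starts with the noisiest endpoint."""
    return Counter(f["host"] for f in findings)


# Constructed sample log: one workstation, a mix of normal and suspicious flows.
SAMPLE_LOG = """\
2025-06-24T10:15:02Z host=ws-eng-07 proc=chrome.exe dst=d111111abcdef8.cloudfront.net:443
2025-06-24T10:15:09Z host=ws-eng-07 proc=dfsvc.exe dst=d3example.cloudfront.net:443
2025-06-24T10:16:30Z host=ws-eng-07 proc=ZSATray.exe dst=abc123xyz.execute-api.us-east-1.amazonaws.com:443
2025-06-24T10:17:00Z host=ws-eng-07 proc=outlook.exe dst=outlook.office365.com:443
2025-06-24T10:18:45Z host=ws-eng-07 proc=svchost.exe dst=xyz.lambda-url.eu-west-1.on.aws:443
"""

# Hypothetical baseline: processes this environment expects to reach AWS edges.
BASELINE = frozenset({"chrome.exe", "msedge.exe", "aws.exe"})

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines(), baseline=BASELINE)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['proc']} -> {h['dst']} [{h['service']}] ({h['reason']})")
    print(hosts_by_finding_count(hits))
```

A rule like this is noisy in isolation because CloudFront fronts a large share of legitimate web content; the value comes from the process dimension (a ClickOnce host or a hijacked vendor executable has no reason to open its own TLS session to a Lambda URL) and from correlating the hit with the `.exe.config` and memory-injection signals the report describes, which is the “behavioral anomalies, not just signatures” approach the commentary argues for.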

Long-Term Cybersecurity Lessons

The OneClik campaign illustrates how cyber threats evolve faster than conventional defenses. It blends technical innovation, social engineering, and infrastructure abuse into a potent cocktail that targets the very core of national infrastructure. The only way to fight back is with an equally layered, intelligent defense strategy that includes cloud-aware monitoring, behavioral analytics, and continuous threat intelligence updates.

🔍 Fact Checker Results

✅ Verified: OneClik leverages Microsoft ClickOnce and AWS services
✅ Verified: The malware uses AppDomainManager hijacking and memory-based shellcode injection
❌ Not Verified: Attribution to Chinese APT groups remains unconfirmed by Trellix

📊 Prediction

⚠️ The OneClik campaign will likely evolve into a broader multi-industry threat, expanding beyond energy to sectors like finance and healthcare. As attackers refine their cloud exploitation techniques, more malware families will begin using trusted platforms like AWS, Azure, and Google Cloud to remain undetected. Expect future variants to incorporate AI-driven targeting, faster evasion methods, and cross-platform payloads designed to infect hybrid cloud environments.

References:

Reported By: cyberpress.org