A stealthy and technically advanced cyberattack campaign, dubbed OneClik, has been targeting energy, oil, and gas organizations by abusing Microsoft’s ClickOnce application installer and legitimate Amazon Web Services (AWS) infrastructure. The attacks deploy a customized Golang-based backdoor known as RunnerBeacon, with multiple campaign versions evolving to evade detection, persist longer, and blend malicious activity with legitimate cloud operations.
ClickOnce Malware Used to Evade Detection and Deploy Stealthy Payloads
Microsoft ClickOnce is a legitimate deployment tool that allows Windows applications to auto-update with minimal user interaction. In the OneClik campaign, attackers used this trusted framework to smuggle in malicious payloads disguised as .APPLICATION files via phishing emails. These files linked to fake hardware analysis sites hosted in Microsoft Azure, making the attack appear trustworthy and routine.
“ClickOnce apps launch under the Deployment Service (dfsvc.exe), enabling attackers to proxy execution of malicious payloads through this trusted host,” Trellix researchers explained.
Since ClickOnce apps run without requiring admin privileges, they provide an ideal path for attackers to drop malware while avoiding traditional user account control (UAC) prompts.
AppDomainManager Injection Allows Malware to Hijack Legitimate Executables
After the ClickOnce app executes, it hijacks the .NET application assembly loading process using AppDomainManager injection, a method that allows attackers to swap legitimate components for malicious ones. In this campaign, binaries like ZSATray.exe and umt.exe were co-opted to deliver malware payloads under the guise of normal activity, helping the infection stay under the radar.
“With the loader in place, payload execution proceeds under dfsvc.exe, blending with benign ClickOnce activities,” Trellix noted.
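The two behaviours described above (payloads launched under dfsvc.exe, and .NET binaries hijacked through AppDomainManager injection) both leave traces in ordinary process-creation telemetry. The following is an added detection example written for this article; it is not Trellix's or StoneFly's detection logic. The event layout (image, parent image, command line, environment) is an assumption loosely modelled on Sysmon process-creation fields, the ClickOnce cache path and the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE variable names are standard .NET Framework behaviour, and every sample event is constructed for the example.

```python
"""Heuristics for ClickOnce and AppDomainManager abuse over process events.

Added example for this article, not vendor code. Event fields are an
assumption (modelled on Sysmon Event ID 1); sample events are constructed.
"""
import ntpath
from dataclasses import dataclass, field

# ClickOnce installs applications under %LOCALAPPDATA%\Apps\2.0\ ; a child of
# dfsvc.exe living anywhere else is unusual and worth a look.
CLICKONCE_CACHE = "\\appdata\\local\\apps\\2.0\\"

# Environment variables the .NET Framework honours to load a custom
# AppDomainManager; legitimate software almost never sets them.
APPDOMAIN_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str = ""
    env: dict = field(default_factory=dict)


def rule_dfsvc_child_outside_cache(ev: ProcessEvent):
    """Flag processes spawned by dfsvc.exe from outside the ClickOnce cache."""
    if ntpath.basename(ev.parent_image).lower() != "dfsvc.exe":
        return None
    if CLICKONCE_CACHE in ev.image.lower():
        return None
    return "child of dfsvc.exe outside ClickOnce cache"


def rule_appdomain_manager_env(ev: ProcessEvent):
    """Flag processes started with AppDomainManager override variables set."""
    hits = sorted(k for k in ev.env if k.upper() in APPDOMAIN_ENV)
    if hits:
        return "AppDomainManager env vars set: " + ", ".join(hits)
    return None


RULES = (rule_dfsvc_child_outside_cache, rule_appdomain_manager_env)


def evaluate(events):
    """Return (image basename, finding) pairs for every rule that fires."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ntpath.basename(ev.image), msg))
    return findings


DFSVC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"

# Constructed sample events (not real telemetry). The hijacked binary names
# come from the article; paths and variable values are placeholders.
SAMPLE_EVENTS = [
    # Benign: a ClickOnce app launched from its own cache directory.
    ProcessEvent(r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD\hwtool.exe", DFSVC),
    # Suspicious: dfsvc.exe spawning a binary from Temp with loader variables set.
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\ZSATray.exe", DFSVC,
                 env={"APPDOMAIN_MANAGER_ASM": "placeholder-loader-assembly",
                      "APPDOMAIN_MANAGER_TYPE": "placeholder.Type"}),
    # Suspicious: a normally-launched .NET binary with an injected manager.
    ProcessEvent(r"C:\Program Files\Vendor\umt.exe", r"C:\Windows\explorer.exe",
                 env={"APPDOMAIN_MANAGER_ASM": "placeholder-loader-assembly"}),
    # Benign: unrelated process, no indicators.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, finding in evaluate(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```

The cache-path rule is a coarse filter: a payload that is itself installed into the ClickOnce cache will not trip it, so it is best paired with the environment-variable rule and with file-write monitoring for `.exe.config` files that name an `appDomainManagerAssembly`, which is the other way the same injection is configured.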
AWS Services Used to Obscure Command and Control Activity
One of the most striking features of the OneClik operation is the abuse of AWS services—including CloudFront, Lambda, and API Gateway—for Command and Control (C2) communications. This tactic makes detection far more difficult for defenders, as the network traffic closely resembles typical enterprise cloud activity.
In different OneClik variants:
- v1a contacted a CloudFront domain and API Gateway endpoint.
- v1d used an AWS Lambda URL for C2 callbacks.
“By hiding in the cloud, attackers exploit the high trust and availability of AWS. Defenders must decrypt SSL or block entire AWS domains to detect this,” the report stated.
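Blocking every AWS domain is rarely an option, but the hostnames the variants above used (CloudFront distributions, API Gateway endpoints, Lambda function URLs) follow fixed naming patterns that are visible in DNS and TLS SNI without decrypting traffic. The example below is added for this article and is not Trellix's or StoneFly's code: it scores outbound connections by whether the destination matches one of those AWS patterns, whether the source process is one an organisation expects to talk to AWS, and whether the timing looks beacon-like. The event layout, the process allowlist, the jitter threshold and all sample connections are constructed assumptions.

```python
"""Score outbound connections to AWS-hosted endpoints for C2-like behaviour.

Added example, not vendor code. The hostname patterns follow AWS's public
naming for CloudFront, API Gateway and Lambda function URLs; the allowlist,
thresholds and sample connections are constructed for the example.
"""
import re
import statistics
from collections import defaultdict

AWS_ENDPOINT_PATTERNS = (
    re.compile(r"\.cloudfront\.net$"),
    re.compile(r"\.execute-api\.[a-z0-9-]+\.amazonaws\.com$"),
    re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$"),
)

# Processes this (constructed) environment expects to reach AWS endpoints.
EXPECTED_AWS_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

MIN_CONNECTIONS = 4      # need enough samples to judge regularity
MAX_JITTER_CV = 0.2      # coefficient of variation below this looks like a beacon


def is_aws_endpoint(host: str) -> bool:
    return any(p.search(host.lower()) for p in AWS_ENDPOINT_PATTERNS)


def beacon_like(timestamps) -> bool:
    """True when inter-connection intervals are numerous and nearly constant."""
    if len(timestamps) < MIN_CONNECTIONS:
        return False
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    if mean <= 0:
        return False
    return statistics.pstdev(intervals) / mean < MAX_JITTER_CV


def score_connections(events):
    """events: iterable of (timestamp_seconds, process_name, dest_host).

    Returns one finding per (process, host) pair where an unexpected process
    contacted an AWS-hosted endpoint, with a beacon_like flag on each.
    """
    grouped = defaultdict(list)
    for ts, proc, host in events:
        if proc.lower() in EXPECTED_AWS_CLIENTS or not is_aws_endpoint(host):
            continue
        grouped[(proc.lower(), host.lower())].append(ts)
    return [
        {"process": proc, "host": host, "connections": len(ts),
         "beacon_like": beacon_like(ts)}
        for (proc, host), ts in sorted(grouped.items())
    ]


# Constructed sample connections (timestamp in seconds, process, destination).
# Hostnames are placeholders in AWS formats, not indicators from the report.
SAMPLE_CONNECTIONS = [
    (0, "dfsvc.exe", "d111111abcdef8.cloudfront.net"),
    (60, "dfsvc.exe", "d111111abcdef8.cloudfront.net"),
    (121, "dfsvc.exe", "d111111abcdef8.cloudfront.net"),
    (180, "dfsvc.exe", "d111111abcdef8.cloudfront.net"),
    (241, "dfsvc.exe", "d111111abcdef8.cloudfront.net"),
    (5, "chrome.exe", "d222222abcdef8.cloudfront.net"),       # expected client
    (300, "chrome.exe", "d222222abcdef8.cloudfront.net"),
    (10, "umt.exe", "abc123.lambda-url.us-east-1.on.aws"),
    (400, "umt.exe", "abc123.lambda-url.us-east-1.on.aws"),
    (415, "umt.exe", "abc123.lambda-url.us-east-1.on.aws"),
    (20, "outlook.exe", "mail.example.com"),                   # not AWS
]

if __name__ == "__main__":
    for finding in score_connections(SAMPLE_CONNECTIONS):
        print(finding)
```

Run against real telemetry, the allowlist should be built from the organisation's own baseline of which processes legitimately use CloudFront, API Gateway or Lambda URLs; the value of the approach is that it needs only hostnames and timestamps, so it works on DNS logs and proxy logs where the SSL decryption the report mentions is not available.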
RunnerBeacon Backdoor Packs Advanced Features
The RunnerBeacon backdoor—written in Go—relies on encrypted communications (RC4 cipher) and serialized MessagePack data for flexibility and speed. It supports a wide range of operations, including:
- Shell command execution via CreateProcessW
- File upload/download and directory listing
- Process enumeration and injection
- SOCKS5 tunneling for traffic proxying
- Network scanning and privilege escalation staging
The design of RunnerBeacon closely resembles that of Geacon, a Go-based Cobalt Strike variant. Trellix researchers suggest that RunnerBeacon may be a fork or evolved version tailored for cloud stealth and evasion.
Clues Point to Chinese Affiliation, But Attribution Remains Inconclusive
Although Trellix stops short of definitively naming a threat actor, multiple tactics, techniques, and procedures (TTPs) align with known Chinese state-sponsored campaigns:
- Use of .NET AppDomainManager injection
- Cloud-based malware staging (via Alibaba and AWS)
- Similar encrypted payload deployment methods
A variant of the RunnerBeacon loader was previously seen in the Middle East in September 2023, targeting oil and gas entities.
However, Trellix emphasized that the evidence is not conclusive enough for formal attribution.
Preparing for Similar Attacks in Cloud-Heavy Environments
This campaign highlights the challenges organizations face when attackers weaponize legitimate infrastructure like Microsoft ClickOnce and AWS. The use of trusted services, evasive backdoors, and multilayered obfuscation renders traditional perimeter defenses ineffective.
For organizations in critical infrastructure sectors such as energy and manufacturing, having a secure, immutable backup and recovery solution is vital in the event malware like RunnerBeacon causes operational downtime or file corruption.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.