The Trellix Advanced Research Center has unveiled a covert and highly sophisticated APT malware campaign dubbed OneClik, a multi-variant cyberespionage operation targeting the energy, oil, and gas sectors. This campaign stands out for its abuse of Microsoft ClickOnce, stealthy code injection methods, and resilient command-and-control (C2) infrastructure built entirely within legitimate AWS cloud services—effectively allowing it to “hide in plain sight.”
“This stealthy operation unfolds across three distinct variants (v1a, BPI-MDM, and v1d)… each using a .NET-based loader (“OneClikNet”) to deploy a sophisticated Go language backdoor (“RunnerBeacon”),” the report explains.
ClickOnce, a Microsoft technology designed for streamlined application deployment, has been twisted into a delivery mechanism for malware. The attackers leveraged phishing emails masquerading as hardware diagnostic tools, directing victims to Azure Blob-hosted .application files. Once clicked, the user inadvertently triggered a ClickOnce manifest that launched the OneClikNet loader—no admin privileges required.
“ClickOnce applications run with user-level privileges (no user account control required); they offer an appealing delivery mechanism for threat actors,” Trellix noted.

The loader uses AppDomainManager injection (MITRE ATT&CK T1574.014) to stealthily hijack .NET runtime execution. This approach allows attackers to load a malicious DLL instead of a legitimate dependency—executing malware under the trusted dfsvc.exe process and blending with normal system activity.
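As an added defender-side example (not code from the Trellix report), the Python below flags two indicators of the technique described above over constructed data: dfsvc.exe loading a non-Microsoft-signed DLL from outside the Windows directory, and an application .exe.config that redirects the AppDomainManager. Field names follow Sysmon image-load events; the paths, DLL and assembly names are hypothetical.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed Sysmon-style image-load records (Event ID 7 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Apps\2.0\XYZ\hwdiag.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x.dll",
     "Signed": "false", "Signature": ""},
]

# Constructed .exe.config that replaces the default AppDomainManager (hypothetical names).
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="HwDiagHelper" />
    <appDomainManagerType value="HwDiagHelper.Manager" />
  </runtime>
</configuration>"""

def is_microsoft_signed(ev):
    return ev.get("Signed", "").lower() == "true" and "microsoft" in ev.get("Signature", "").lower()

def suspicious_dfsvc_loads(events, windows_root=r"C:\Windows"):
    """dfsvc.exe loading a non-Microsoft-signed DLL from outside the Windows directory.
    Legitimate ClickOnce apps also load their own assemblies from the user profile,
    so each hit is a triage lead to pair with the .config check, not a verdict."""
    root = windows_root.lower().rstrip("\\") + "\\"
    hits = []
    for ev in events:
        if PureWindowsPath(ev["Image"]).name.lower() != "dfsvc.exe":
            continue
        if not ev["ImageLoaded"].lower().startswith(root) and not is_microsoft_signed(ev):
            hits.append(ev["ImageLoaded"])
    return hits

def appdomainmanager_override(config_xml):
    """(assembly, type) if the .exe.config redirects the AppDomainManager, else None."""
    root = ET.fromstring(config_xml)
    asm = root.find("runtime/appDomainManagerAssembly")
    typ = root.find("runtime/appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None)
```

Both checks are meant to run together: a dfsvc.exe hit whose application directory also carries an AppDomainManager override is a much stronger signal than either alone.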
What makes OneClik particularly dangerous is its technical depth and evasion capabilities. Each variant of the campaign reveals incremental sophistication. The loader uses:
- Anti-debugging loops
- Sandbox detection (e.g., RAM size, domain membership, Azure AD checks)
- Encrypted shellcode delivery using AES-CBC with brute-forced IV
- In-memory execution of shellcode via CLR internals (avoiding standard P/Invoke APIs)
“In v1d, the malware queries physical memory via GlobalMemoryStatusEx, aborting if total RAM is below 8GB—to avoid low-resource analysis VMs,” Trellix found.
The OneClikNet loader supports multiple victim ID generation techniques and payload delivery vectors, demonstrating a modular and adaptive design. These include downloading from C2, reading from local files, or generating hashes based on machine-specific data—indicating targeted infection logic.
Once initial access is achieved, the final payload—RunnerBeacon—is injected into memory. Written in Go, RunnerBeacon uses RC4 encryption and MessagePack serialization for its C2 protocol, supporting a wide range of commands including:
- File uploads/downloads
- SOCKS5 proxying
- Shell command execution
- Process injection and token manipulation
“RunnerBeacon’s design closely parallels known Go-based Cobalt Strike beacons… suggesting it may be an evolved fork or privately modified variant of Geacon,” the report speculates.
OneClik’s use of AWS CloudFront, API Gateway, and Lambda endpoints as C2 infrastructure presents a major challenge for defenders. TLS-encrypted traffic to these domains mimics legitimate enterprise traffic, rendering traditional network-based detection nearly useless.
“By ‘hiding in the cloud,’ attackers exploit the high trust and availability of AWS: defenders must decrypt SSL or denylist entire AWS domains,” Trellix warned.
This cloud-native evasion reflects a broader trend in APT tooling—leveraging legitimate platforms to circumvent perimeter defenses.
While Trellix exercises caution in attributing OneClik to any specific nation-state actor, the campaign shares strong TTP overlaps with Chinese-linked APT groups, such as APT41:
- .NET AppDomainManager hijacking
- AES-encrypted shellcode in base64 format
- Cloud infrastructure staging (notably AWS and Alibaba services)
- Cobalt Strike–like backdoor communications
“We assess a possible low-confidence link between OneClik and Chinese threat actors such as APT41,” the report cautiously concludes.