A newly uncovered cyber campaign named OneClik is targeting critical infrastructure in the energy, oil, and gas sectors, using Microsoft ClickOnce technology and a Golang-based backdoor to infiltrate enterprise systems.
According to researchers at a cyber-security firm, the malware campaign bears hallmarks of Chinese-affiliated threat actors, although attribution remains unconfirmed. The attack blends “living-off-the-land” tactics with cloud-based evasion techniques, making detection highly challenging.
Exploiting Trusted Windows Tools
The infection chain begins with phishing emails that redirect victims to a fake hardware analysis website. Once there, the attackers deliver a ClickOnce application disguised as a legitimate Windows installer. This triggers the execution of malicious code through the trusted dfsvc.exe binary, a method that avoids raising suspicion.
The loader, called OneClikNet, uses AppDomainManager injection to launch encrypted shellcode in memory, ultimately deploying a sophisticated Go-based backdoor known as RunnerBeacon.
RunnerBeacon mimics advanced Cobalt Strike-like beacons and communicates with attacker-controlled infrastructure via AWS cloud services using HTTP(S), WebSockets, TCP, and SMB named pipes. It supports capabilities such as shell command execution, process enumeration, lateral movement, file I/O, port forwarding, and even SOCKS5 proxying.
Researchers noted the malware’s anti-analysis and privilege escalation features, suggesting it is built for stealth and persistence, specifically within enterprise environments.
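As an added defender-side illustration (not code from the article or from the researchers it cites), the two triage checks below map to the chain described above: processes spawned by dfsvc.exe, the ClickOnce deployment service, and an .exe.config that redirects the .NET AppDomainManager. Event fields, file paths, assembly names and severity labels are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Hypothetical choices for this example: shells/LOLBins that should not be
# children of dfsvc.exe, and the ClickOnce application cache path fragment.
SHELL_LIKE = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
CLICKONCE_CACHE = r"appdata\local\apps\2.0"

def _basename(path: str) -> str:
    # Windows paths in the events; os.path.basename would not split on '\' on Linux.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage_process_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, image) for every process whose parent is dfsvc.exe.
    A shell child is high; a child outside the ClickOnce cache is medium;
    a normal ClickOnce app is low but still worth review where ClickOnce is unused."""
    findings = []
    for ev in events:
        if _basename(ev.get("ParentImage", "")) != "dfsvc.exe":
            continue
        image = ev.get("Image", "")
        if _basename(image) in SHELL_LIKE:
            findings.append(("high", image))
        elif CLICKONCE_CACHE not in image.lower():
            findings.append(("medium", image))
        else:
            findings.append(("low", image))
    return findings

def appdomain_manager_from_config(xml_text: str) -> Optional[Tuple[str, str]]:
    """Return (assembly, type) if an .exe.config sets a custom AppDomainManager under
    <runtime>, the hook loaders such as OneClikNet abuse to run inside a trusted host."""
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value", ""), typ.get("value", "")

# Constructed sample telemetry (Sysmon-style process creation fields) and config.
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
SAMPLE_EVENTS = [
    {"Image": DFSVC, "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Apps\2.0\X1\HwAnalyzer.exe", "ParentImage": DFSVC},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": DFSVC},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]
SAMPLE_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="ExampleLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="ExampleLoader.Manager" />
</runtime></configuration>"""
```

Run over the constructed sample, the triage yields one low finding for the cached ClickOnce app and one high finding for the cmd.exe child, and the config check returns the redirected assembly and type.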
Variants and Global Reach
Three variants of OneClik were observed in March 2025 alone (v1a, BPI-MDM, and v1d), each more evasive than the last. RunnerBeacon was previously spotted in a 2023 attack on a Middle Eastern oil and gas firm, pointing to a potentially wider campaign.
Meanwhile, a Chinese cybersecurity firm has linked similar techniques to APT-Q-14, a Northeast Asia-based group overlapping with DarkHotel (APT-C-06).
That group exploited a zero-day XSS flaw in an email platform to deliver malware using ClickOnce applications, further validating the trend.
The Chinese cybersecurity firm warns that APT-Q-14 also targets Android-based email platforms, and uses creative delivery methods including decoy documents, zero-day exploitation, and even Bring Your Own Vulnerable Driver (BYOVD) tactics to bypass Microsoft Defender.
As the global energy sector faces rising geopolitical and cyber risks, these campaigns reveal a dangerous shift in tactics: attackers are now favoring cloud abuse, sideloading, and trusted software frameworks to bypass traditional defenses and persist undetected in high-value targets.
About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.