The Trellix Advanced Research Center has exposed a highly sophisticated new malware campaign that has been dubbed “OneClik.” This specific operation targets the energy, oil, and gas sectors through the use of carefully crafted phishing attacks. It exploits Microsoft ClickOnce, a .NET deployment technology, to execute its malicious payloads under trusted processes. This campaign exhibits traits potentially linked to Chinese-affiliated threat actors, representing a significant evolution in their tactics.
The OneClik campaign unfolds across three different variants, with each one showcasing progressively advanced evasion techniques. The complex infection chain begins with spearphishing emails that contain links to fake “hardware analysis” sites. These sites, which are hosted on Azure Blob Storage, trick victims into downloading a malicious ClickOnce manifest file. This file then silently installs and runs a .NET executable loader that is now being called “OneClikNet.” This loader uses AppDomainManager hijacking to load remote malicious DLLs, ensuring execution before the legitimate application even runs.
The loader then proceeds to deploy a Golang-based backdoor that has been named by researchers as “RunnerBeacon.”
This backdoor communicates with the attacker’s infrastructure which is cleverly hidden behind legitimate AWS cloud service domains. Its modular design supports a wide range of malicious activities, from shell command execution to detailed port scanning. The backdoor’s capabilities mirror those seen in other well-known offensive security tools, such as the Cobalt Strike beacon. This campaign was first observed in March 2025, but it has prior traces in the Middle East since 2023.
Each malware variant introduces its own advanced anti-analysis measures, including special anti-debugging loops and sandbox detection. One variant even deletes its own configuration files after execution to successfully hinder any subsequent forensic analysis efforts. While Trellix cautiously refrains from definitive attribution, there are some overlaps in tactics that hint at possible connections. These tactics, such as .NET hijacking and cloud infrastructure abuse, point to possible links with Chinese APT groups. Recognizing these specific tactics, techniques, and procedures is now critical for defenders to proactively harden their systems.
Reference:
