Red Team Exercise Simulates Use of ClickOnce Against Energy Sector

Trellix’s Advanced Research Center has documented a red team exercise, dubbed OneClik, that simulated Advanced Persistent Threat (APT) tactics against entities in the energy, oil and gas sectors. The red team employed targeted phishing lures and abused Microsoft ClickOnce, a .NET application deployment technology, to execute malware under the guise of trusted applications. According to the researchers, the campaign exhibits hallmarks consistent with Chinese-affiliated threat actors.

Phishing emails provided initial access, directing recipients to a site disguised as a “hardware analysis” portal. Visitors were prompted to install a ClickOnce application, which silently pulled down a malicious .NET loader. The loader relies on AppDomainManager hijacking: the application’s .exe.config file is altered so that the .NET runtime loads an attacker-controlled assembly as the AppDomainManager when the process starts, injecting a rogue DLL before any of the host application’s own code runs. Because ClickOnce applications install per user and are launched by dfsvc.exe, a trusted Windows component, execution proceeds without a User Account Control prompt and blends in with legitimate ClickOnce activity.
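To make the hijack concrete from the defender’s side, the following Python scanner is an added example (it is not Trellix’s code nor anything recovered from the campaign). It parses the `<runtime>` section of a .NET .exe.config and reports the two settings, `appDomainManagerAssembly` and `appDomainManagerType`, that redirect the AppDomainManager to an arbitrary assembly. The two sample configs, including the `HwAnalysisHelper` assembly and type names, are constructed for the demonstration and do not correspond to real OneClik artefacts.

```python
"""Flag .NET .exe.config files that redirect the AppDomainManager (T1574.014).

Added example, not from Trellix's report. The CLR honours two <runtime>
settings, appDomainManagerAssembly and appDomainManagerType; when both are
present it loads that assembly and instantiates the type before the host
executable's Main() runs. (The same settings can also be supplied through the
APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables; that
vector is not covered here.)
"""
import xml.etree.ElementTree as ET

# Element names, lower-cased, that redirect the AppDomainManager.
HIJACK_KEYS = {"appdomainmanagerassembly", "appdomainmanagertype"}

# Constructed sample: an ordinary config with a binding redirect only.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" />
        <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""

# Constructed sample: the hijack shape. Assembly and type names are made up.
HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <appDomainManagerAssembly value="HwAnalysisHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HwAnalysisHelper.Manager" />
  </runtime>
</configuration>"""


def find_appdomainmanager_override(config_xml: str) -> dict:
    """Return {'assembly': ..., 'type': ...} for any AppDomainManager
    redirection found, or {} if the config does not redirect it.
    Tags are compared case-insensitively so a mixed-case variant is not
    a trivial bypass of the check."""
    root = ET.fromstring(config_xml)
    found = {}
    for node in root.iter():
        if node.tag.lower() != "runtime":
            continue
        for child in node:
            tag = child.tag.lower()          # namespaced tags never match
            if tag in HIJACK_KEYS:
                key = "assembly" if tag.endswith("assembly") else "type"
                found[key] = child.get("value", "")
    return found


def scan_configs(named_configs: dict) -> list:
    """Scan {filename: xml_text}; return [(filename, override), ...] for
    every config that sets an AppDomainManager redirection."""
    hits = []
    for name, xml_text in named_configs.items():
        override = find_appdomainmanager_override(xml_text)
        if override:
            hits.append((name, override))
    return hits


if __name__ == "__main__":
    for name, override in scan_configs({"good.exe.config": BENIGN_CONFIG,
                                        "app.exe.config": HIJACK_CONFIG}):
        print(f"{name}: AppDomainManager redirected -> {override}")
```

A hit is not proof of compromise on its own (a handful of legitimate hosting scenarios set a custom AppDomainManager), but a .exe.config in a per-user ClickOnce cache directory that names an unsigned assembly (`PublicKeyToken=null`) sitting beside the executable is exactly the shape the page describes and deserves a look.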

The operation’s modularity is evident in its three known variants, v1a, BPI-MDM and v1d. Each deploys a .NET loader, “OneClikNet,” to deliver a Go‑based backdoor named “RunnerBeacon.” Command‑and‑control traffic is routed through legitimate AWS services such as CloudFront, API Gateway and Lambda, so it blends into ordinary cloud traffic and complicates both detection and attribution.


Researchers traced an earlier variant of RunnerBeacon to a Middle Eastern oil and gas target in September 2023, indicating that the tooling has been in use since at least that date. The clustering of infrastructure and code points to a long‑term espionage focus on critical energy sector infrastructure.

OneClik typifies the “living off the land” trend among APT actors: malicious activity is embedded within legitimate system processes. By co‑opting ClickOnce workflows, the operators evade conventional security checks and minimise their forensic footprint. The use of AppDomainManager hijacking, catalogued by MITRE ATT&CK as T1574.014 (Hijack Execution Flow: AppDomainManager), illustrates both creativity and sophistication.

Operational resilience is built into each variant. Anti‑analysis safeguards such as anti‑debugging loops and sandbox‑evasion checks indicate a degree of maturation across successive iterations. By hosting C2 on AWS, each variant also hides its communications behind widely trusted cloud domains.

Trellix has not publicly named specific organisations but indicates that the campaign spans multiple countries and facilities in the energy domain. The attack chain, from phishing to ClickOnce deployment, loader injection and backdoor communication, amounts to a fully developed espionage toolkit with lateral movement and data exfiltration capabilities.

While the activity has been linked to Chinese-affiliated actors, attribution remains cautious. Analysts point to techniques that overlap with earlier campaigns, including AppDomainManager abuse and cloud‑based C2 obfuscation, as evidence of a persistent, strategic push into energy sector espionage.

The growing popularity of living‑off‑the‑land techniques reflects a broader shift in APT methodology: adversaries increasingly embed themselves within legitimate enterprise tooling, evading sandbox detection and legacy security controls. OneClik’s use of ClickOnce is a prime example of tool abuse, repurposing a software deployment mechanism as a vector for stealthy attacks.

Effective detection of emerging variants will require behavioural analysis and cloud traffic monitoring. Security teams are advised to scrutinise unusual ClickOnce manifest (.application) downloads, monitor processes launched by dfsvc.exe for anomalous behaviour, and isolate or block unfamiliar .application installations. Because the C2 channel terminates at ordinary AWS endpoints over TLS, blocking by destination is impractical; network inspection combined with endpoint telemetry on assembly-loading and process-creation behaviour is a more reliable way to surface RunnerBeacon activity, including lateral movement attempts.
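The dfsvc.exe recommendation above can be turned into a concrete hunt. The Python below is an added example, not Trellix’s detection content, and runs two heuristics over constructed Sysmon-style process-creation records: dfsvc.exe starting an image outside the per-user ClickOnce cache (`%LOCALAPPDATA%\Apps\2.0\...`), and a shell or LOLBin appearing anywhere under a dfsvc.exe-rooted process tree. The record fields, PIDs, user name and paths are assumptions made for the demonstration.

```python
"""Heuristic hunt for suspicious ClickOnce activity in process telemetry.

Added example; the rules are generic heuristics, not Trellix's detections.
Legitimate ClickOnce applications are launched by dfsvc.exe from the
per-user cache, so two things stand out: dfsvc.exe starting something
outside that cache, and a ClickOnce-launched application spawning a shell
or other living-off-the-land binary.
"""
from dataclasses import dataclass

# Lower-cased path fragment of the ClickOnce per-user application cache.
CLICKONCE_CACHE = "\\appdata\\local\\apps\\2.0\\"
DFSVC = "dfsvc.exe"
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
           "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    """One process-creation record (field names are an assumption)."""
    pid: int
    ppid: int
    image: str            # full path of the new process
    command_line: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _descends_from_dfsvc(event: ProcEvent, by_pid: dict, max_depth: int = 8) -> bool:
    """Walk the parent chain and report whether dfsvc.exe is an ancestor."""
    cur = by_pid.get(event.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if _basename(cur.image) == DFSVC:
            return True
        cur = by_pid.get(cur.ppid)
    return False


def hunt(events: list) -> list:
    """Return [(rule, pid, detail), ...] in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: dfsvc.exe launching an image outside the ClickOnce cache.
        if (parent is not None and _basename(parent.image) == DFSVC
                and CLICKONCE_CACHE not in e.image.lower()):
            alerts.append(("dfsvc_child_outside_cache", e.pid, e.image))
        # Rule 2: a LOLBin anywhere beneath a dfsvc.exe-launched process.
        if _basename(e.image) in LOLBINS and _descends_from_dfsvc(e, by_pid):
            alerts.append(("lolbin_under_clickonce", e.pid, e.command_line))
    return alerts


# Constructed sample telemetry (hypothetical user, paths and PIDs).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"),
    # Legitimate-looking ClickOnce app running from the per-user cache.
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD\EFGH\hwan..tion_0001\HwAnalysis.exe"),
    # That app spawning a shell: suspicious.
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    # dfsvc.exe launching something outside the cache: suspicious.
    ProcEvent(500, 200, r"C:\Users\Public\update.exe"),
    # PowerShell from Explorer, unrelated to ClickOnce: not flagged here.
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Rule 1 will also fire on benign cases where an installer starts dfsvc.exe-launched tooling from an unusual path, so treat its output as triage input rather than a verdict; Rule 2 is the higher-fidelity of the two, since a ClickOnce-deployed line-of-business application rarely needs to spawn cmd.exe or rundll32.exe.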

The disclosure of OneClik, against a backdrop of rising living‑off‑the‑land APT operations, marks a pivotal moment for industrial cybersecurity. By weaponising trusted deployment frameworks, threat actors are improving their ability to remain undetected within critical infrastructure for extended periods. Collaborative threat intelligence, updated detection strategies and stronger phishing resilience are therefore essential to counter such stealth campaigns.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
