Intel Name: OneClik: a ClickOnce-based APT campaign targeting energy, oil and gas infrastructure
Date of Scan: June 26, 2025
Impact: High
Summary: The campaign targets the energy, oil, and gas sectors using phishing and Microsoft ClickOnce exploitation. It shows traits linked to Chinese threat actors, though attribution remains tentative. Using “living off the land” tactics, it hides malicious activity within legitimate cloud and enterprise tools. Three variants deploy a .NET loader (“OneClikNet”) to run a Go-based backdoor (“RunnerBeacon”) via AWS services, evading standard detection.