OneClik Malware Campaign: Sophisticated Threat Targets Energy Infrastructure
New Threat Analysis: OneClik Malware Campaign Targets Energy Sector Infrastructure
The energy sector is once again in the crosshairs of cybercriminals, with the emergence of a sophisticated malware campaign called OneClik. This advanced persistent threat operation specifically targets organizations within the energy, oil, and gas sectors, employing a dangerous combination of legitimate Microsoft technologies and cloud services to evade detection and maintain long-term access to critical infrastructure systems.
Description of the Threat
OneClik represents a highly sophisticated attack campaign that exploits Microsoft’s ClickOnce deployment technology, a legitimate .NET deployment mechanism designed for easy software distribution, to deliver malicious payloads disguised as trusted applications. The campaign utilizes a multi-stage infection process that begins with targeted phishing emails and culminates in the deployment of a powerful Golang-based backdoor called RunnerBeacon.
The attack operates through three known variants: v1a, BPI-MDM, and v1d, each demonstrating progressive improvements in stealth capabilities and anti-analysis features. What makes this campaign particularly concerning is its “living off the land” approach, which leverages legitimate enterprise tools and cloud services to blend malicious activities with normal business operations.
(RunnerBeacon List of Features – Source: Trellix)
Severity of the Issue
This threat carries an extremely high severity rating for several critical reasons. First, it specifically targets energy infrastructure, which represents a vital component of national security and economic stability. Any disruption to energy operations can have cascading effects across entire economies and pose risks to public safety.
The campaign’s sophisticated evasion techniques make it exceptionally difficult to detect using traditional security measures. By hiding malicious communications within legitimate AWS cloud traffic, the attackers can maintain persistent access for months or years without detection. Evidence suggests that variants of this malware have been active since at least September 2023, indicating a long-term espionage operation rather than opportunistic attacks.
The technical sophistication of OneClik, combined with its apparent connection to state-sponsored actors, elevates this threat to the level of a national security concern. The potential for industrial espionage, operational disruption, or even physical damage to energy infrastructure makes this one of the most serious cybersecurity threats facing the energy sector today.
How the Attack is Exploited
The OneClik attack follows a carefully orchestrated multi-stage process designed to maximize stealth and persistence. This sophisticated campaign employs multiple advanced techniques to evade detection while establishing persistent access to targeted systems.
- Initial Access: Targeted phishing emails containing links to fake “hardware analysis” websites hosted on legitimate cloud platforms like Microsoft Azure
- Payload Delivery: Fraudulent sites prompt victims to download ClickOnce application manifests (.application files) disguised as trusted industry utilities
- Execution: ClickOnce loader executes under legitimate Windows process dfsvc.exe, running with user-level privileges without triggering User Account Control warnings
- Code Injection: AppDomainManager injection technique hijacks .NET application loading processes to inject malicious code into legitimate processes
- Memory Execution: Encrypted shellcode executes directly in memory, avoiding detection by most antivirus solutions
- Command and Control: Leverages legitimate AWS services including CloudFront distributions, API Gateway endpoints, and Lambda function URLs to blend malicious traffic with normal business operations
This multi-layered approach makes OneClik exceptionally difficult to detect using traditional security measures, as each stage appears to be legitimate system activity to most monitoring tools.
(OneClik Campaign Infection Chain – Source: Trellix)
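The chain above gives defenders a concrete correlation to hunt for: a ClickOnce launch under dfsvc.exe followed by outbound connections from that process tree to AWS front-end services (CloudFront, API Gateway, Lambda function URLs). The script below is an added example, not code from Trellix or CinchOps; it runs over constructed Sysmon-style JSON events (ID 1 = process create, ID 3 = network connect), and the allowlisted distribution name is a placeholder.

```python
import json
import re

# Hostname suffixes used by the three AWS services named in the infection chain.
# Legitimate corporate use of these services must be allowlisted, or this will be noisy.
AWS_EDGE = re.compile(
    r"\.(cloudfront\.net|execute-api\.[a-z0-9-]+\.amazonaws\.com|lambda-url\.[a-z0-9-]+\.on\.aws)$",
    re.IGNORECASE,
)
ALLOWLIST = {"d111111abcdef8.cloudfront.net"}  # assumed known-good distribution (placeholder)

# Constructed sample telemetry: one JSON object per line, Sysmon-like field names.
SAMPLE_LOG = r"""
{"id":1,"host":"ws07","pid":4120,"ppid":900,"image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe"}
{"id":1,"host":"ws07","pid":4188,"ppid":4120,"image":"C:\\Users\\a\\AppData\\Local\\Apps\\2.0\\X\\HwAnalyzer.exe"}
{"id":3,"host":"ws07","pid":4188,"dest":"d2k9x1abc.cloudfront.net","port":443}
{"id":3,"host":"ws07","pid":4188,"dest":"a1b2c3.execute-api.us-east-1.amazonaws.com","port":443}
{"id":3,"host":"ws07","pid":4120,"dest":"d111111abcdef8.cloudfront.net","port":443}
{"id":3,"host":"ws07","pid":2200,"dest":"d3abcde.cloudfront.net","port":443}
"""


def detect_clickonce_c2(lines, allowlist=ALLOWLIST):
    """Return (host, pid, image, dest) for every AWS-edge connection made by
    dfsvc.exe or any process descended from it, excluding allowlisted hosts."""
    images = {}       # (host, pid) -> image path
    tainted = set()   # (host, pid) pairs belonging to a dfsvc.exe process tree
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        key = (ev["host"], ev["pid"])
        if ev["id"] == 1:
            images[key] = ev["image"]
            is_dfsvc = ev["image"].lower().endswith("\\dfsvc.exe")
            if is_dfsvc or (ev["host"], ev["ppid"]) in tainted:
                tainted.add(key)
        elif ev["id"] == 3 and key in tainted:
            dest = ev["dest"].lower()
            if AWS_EDGE.search(dest) and dest not in allowlist:
                alerts.append((ev["host"], ev["pid"], images.get(key, "?"), dest))
    return alerts


if __name__ == "__main__":
    for alert in detect_clickonce_c2(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

The browser connection (pid 2200) and the allowlisted distribution are ignored; only the two connections from the ClickOnce child process are raised.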
Who is Behind the Issue
While definitive attribution remains challenging due to the sophisticated operational security employed by the attackers, cybersecurity researchers have identified strong indicators pointing to state-sponsored threat actors with significant resources and capabilities.
- Primary Attribution: Strong indicators point to Chinese-affiliated advanced persistent threat groups based on tactical overlaps and strategic objectives
- Technical Evidence: Use of AppDomainManager injection techniques previously associated with Chinese APT operations and preferences for cloud-based command and control infrastructure using major providers like Amazon and Alibaba
- Strategic Focus: Targeting of critical infrastructure sectors aligns with Chinese intelligence collection priorities and national security objectives
- Potential Group Connections: Researchers noted possible connections to APT41, a prolific Chinese hacking group known for conducting both financially motivated cybercrime and state-sponsored espionage
- Operational Sophistication: Long-term persistence capabilities and advanced evasion techniques indicate significant resources and technical expertise typically associated with nation-state actors
- Geographic Focus: Strategic targeting of energy infrastructure in regions of geopolitical significance including the Middle East and North America
Security experts maintain a cautious attribution stance while acknowledging that the sophistication and persistence of this campaign strongly suggest state-level sponsorship rather than conventional cybercriminal operations.
Who is at Risk
The OneClik campaign demonstrates highly targeted selection criteria, focusing primarily on organizations that operate critical energy infrastructure and supporting services. The attackers have shown particular interest in companies operating in strategically important geographic regions.
- Primary Targets: Energy producers, petroleum refineries, natural gas processing facilities, electric power generation companies, and energy distribution networks
- Supply Chain Organizations: Industrial control system vendors, engineering firms specializing in energy infrastructure, and technology service providers supporting critical energy operations
- Government Agencies: Regulatory bodies responsible for energy oversight and agencies possessing sensitive information about national energy capabilities and vulnerabilities
- Geographic Focus: Companies operating in the Middle East, North America, and other regions of strategic energy significance
- Small and Medium Businesses: Energy sector SMBs that lack advanced cybersecurity resources and may serve as stepping stones to larger targets
- Research Institutions: Universities and research facilities conducting energy-related research or developing new energy technologies
- Critical Infrastructure Partners: Organizations providing essential services to energy companies including telecommunications, transportation, and financial services
The targeting pattern suggests that any organization with access to sensitive energy sector information or operational capabilities should consider themselves at elevated risk from this ongoing campaign.
Remediation Strategies
Defending against OneClik requires a comprehensive, multi-layered security approach that addresses both the technical sophistication of the threat and the human factors that enable initial compromise. Organizations must implement controls that can detect and prevent this type of advanced persistent threat.
- ClickOnce Application Controls: Implement strict policies that restrict or monitor the installation of applications delivered through ClickOnce mechanisms
- Network Segmentation: Isolate critical operational technology networks from corporate IT systems to limit potential impact of successful intrusions
- Advanced Email Security: Deploy solutions capable of detecting sophisticated phishing campaigns with sandboxing capabilities for suspicious attachments and URLs
- Endpoint Detection and Response: Configure EDR solutions to monitor for behavioral indicators including unusual ClickOnce manifest downloads and anomalous dfsvc.exe process activity
- Cloud Service Monitoring: Implement robust monitoring of cloud service communications with advanced network analysis tools capable of inspecting encrypted traffic patterns
- Security Awareness Training: Conduct regular training focusing on latest phishing techniques and social engineering tactics specific to the energy sector
- Incident Response Planning: Develop and regularly test incident response procedures specifically designed for industrial control system environments
- Threat Intelligence Integration: Subscribe to threat intelligence feeds that provide early warning of emerging campaigns targeting critical infrastructure
These defensive measures must be implemented as part of a coordinated security strategy rather than isolated point solutions to effectively counter the sophisticated techniques employed by OneClik operators.
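One practical form of the ClickOnce application control listed above is to vet .application manifests before they are allowed to run: a manifest whose deploymentProvider points outside the organization's own deployment server, or that carries no XML signature, should be blocked or escalated. The checker below is an added example, not code from Trellix or CinchOps; the manifest is constructed and trimmed to the elements the check reads, and the trusted host is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

TRUSTED_DEPLOY_HOSTS = {"clickonce.corp.example"}  # assumed internal deployment server (placeholder)

# Constructed ClickOnce .application manifest, reduced to the elements inspected here.
SAMPLE_MANIFEST = """<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="HwAnalyzer.application" version="1.0.0.0" publicKeyToken="0000000000000000"
      language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <description asmv2:publisher="Example Hardware Tools" asmv2:product="HwAnalyzer" />
  <deployment install="true">
    <deploymentProvider codebase="https://hw-analysis.example.net/HwAnalyzer.application" />
  </deployment>
</asmv1:assembly>
"""


def _local(tag):
    """Strip the XML namespace so elements/attributes can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def assess_manifest(xml_text, trusted_hosts=TRUSTED_DEPLOY_HOSTS):
    """Return a list of policy findings for a ClickOnce .application manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    provider = publisher = None
    signed = False
    for el in root.iter():
        name = _local(el.tag)
        if name == "deploymentProvider":
            provider = el.get("codebase")
        elif name == "description":
            publisher = next((v for k, v in el.attrib.items() if _local(k) == "publisher"), None)
        elif name == "Signature":   # xmldsig block appended by the ClickOnce signing step
            signed = True
    if provider is None:
        findings.append("no deploymentProvider: manifest cannot be tied to a deployment server")
    else:
        url = urlparse(provider)
        host = (url.hostname or "").lower()
        if host not in trusted_hosts:
            findings.append(f"deployment host not trusted: {host}")
        if url.scheme != "https":
            findings.append("deploymentProvider not served over https")
    if not signed:
        findings.append("manifest carries no XML signature")
    if not publisher:
        findings.append("no publisher declared")
    return findings
```

An empty result means the manifest passed every check; anything else is a reason to block the install and retain the file for analysis.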
How CinchOps Can Help Secure Your Business
CinchOps understands the unique cybersecurity challenges facing energy sector organizations, and we’re equipped with the advanced technologies and expertise necessary to defend against sophisticated threats like OneClik. Our comprehensive managed security services are specifically designed to protect critical infrastructure from state-sponsored attacks and advanced persistent threats.
- 24/7 Threat Monitoring: Advanced behavioral analysis tools to identify suspicious activities that traditional security solutions might miss, specializing in detecting “living off the land” attacks
- Advanced Email Security: Multi-layered phishing protection with sandboxing capabilities to prevent initial compromise attempts
- Endpoint Detection and Response: Comprehensive EDR services with behavioral monitoring specifically configured to detect OneClik-style attacks
- Network Segmentation Services: Design and implementation of secure network architectures for industrial control systems and critical infrastructure
- Cloud Security Monitoring: Specialized monitoring to detect suspicious communications with AWS and other cloud services used by advanced threat actors
- Threat Intelligence Services: Early warning systems providing actionable intelligence about emerging campaigns targeting the energy sector
- Security Awareness Training: Customized training programs designed specifically for energy sector employees and common attack vectors
- Incident Response Services: Expert response capabilities with specific expertise in industrial control system environments and critical infrastructure
- Compliance Management: Comprehensive support to ensure adherence to energy sector cybersecurity regulations and industry standards
Don’t wait for a sophisticated attack like OneClik to compromise your organization’s critical operations. Contact CinchOps today to learn how our security services can provide the advanced protection your energy operations require, and let our team of experts conduct a comprehensive security assessment tailored to your specific risk profile.
Discover More 
Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Houston Industrial Cybersecurity Threats: Key Findings from Honeywell’s 2025 Cyber Threat Report
For Additional Information on this topic: OneClik: A ClickOnce-Based Red Team Campaign Simulating APT Tactics in Energy Infrastructure