New ‘OneClik’ Hack Campaign Targets Energy Sector Using Microsoft Tool and AWS

by

Cybersecurity researchers have uncovered a sophisticated new hacking campaign, dubbed “OneClik,” that’s been quietly targeting organizations in the energy, oil, and gas industries. What makes this attack particularly tricky? It cleverly abuses everyday tools like Microsoft’s ClickOnce deployment technology and hides its tracks using legitimate cloud services from Amazon Web Services (AWS).

Contents

This campaign uses custom malware and sneaky tactics to fly under the radar, posing a significant threat to critical infrastructure. The key takeaways are its use of trusted tools for malicious purposes, its sophisticated custom backdoor, and its ability to hide command communications within legitimate cloud traffic.

Image representing a cyber attack targeting critical infrastructure like the energy sectorImage representing a cyber attack targeting critical infrastructure like the energy sector

How Attackers Abuse Everyday Tech

At its core, the OneClik campaign is a masterclass in blending in. Instead of relying solely on overtly malicious files that security systems might easily flag, the attackers start by leveraging legitimate tools and services.

The attack often begins with a phishing email. This email leads victims to a fake website, often hosted within the Azure cloud ecosystem, which is designed to look like a legitimate site offering a software tool. However, clicking the link downloads a .APPLICATION file – the kind used by Microsoft’s ClickOnce technology.

Read more: Apple’s Next Big Home Device: Is the “HomePod Touch” Coming with a Screen?

ClickOnce is designed to make installing and updating Windows apps super simple, often requiring minimal user interaction. Attackers love this because it can help them get their malicious code onto a system without triggering those familiar “Do you want to allow this app?” warnings (known as User Account Control or UAC prompts). Think of it as using an express lane to bypass security checks.

Researchers found that by using a ClickOnce application, the attackers could trick a trusted system process (dfsvc.exe) into running their malicious code. Since ClickOnce apps normally run with standard user permissions and don’t need elevated administrator rights (like UAC approval), the attackers can get a foothold without raising a major red flag.

The Infection Chain: From ClickOnce to Custom Malware

Once the malicious ClickOnce application is executed, it doesn’t immediately drop the main payload. Instead, it uses a technique called AppDomainManager injection. This is a fancy way of saying it hijacks how a legitimate piece of software (like a standard .NET program) loads its components.

By doing this, the attackers can force a trusted program, such as commonly found executables like ZSATray.exe, umt.exe, or ied.exe, to load and run their own malicious code instead of its normal dependencies. This makes the malicious activity look like it’s coming from a trusted source already running on the computer.

This hidden code is a .NET-based loader, tracked as OneClikNet. Its job is to prepare the system and then deploy the campaign’s main weapon: a sophisticated backdoor written in the Golang programming language, named RunnerBeacon.

Read more: The Verge Just Got Smarter: Personalized Feeds & Newsletters Are Here!

Hiding in the Cloud with AWS

After RunnerBeacon is installed, it needs to talk back to the attackers (this is called Command and Control or C2 communication). This is where the second clever trick comes in: using legitimate AWS cloud services.

Instead of connecting to a suspicious, unknown server, the backdoor talks to AWS services like Cloudfront (a content delivery network), API Gateway, or even Lambda functions. For network defenders, traffic to these services often looks like normal cloud activity. It’s like hiding a secret message within billions of everyday conversations happening online.

This “hiding in the cloud” makes it incredibly difficult for security teams to spot the malicious communication without taking drastic measures like decrypting all encrypted traffic or blocking entire AWS domains – actions that would disrupt normal business operations. The attackers exploit the fact that AWS is highly trusted and widely used.

The RunnerBeacon Backdoor: A Deep Dive

The RunnerBeacon backdoor itself is powerful and designed for stealth. It communicates with the attackers using encryption (RC4) and a data format (MessagePack) that helps keep its activities discreet.

It’s built with a modular design, meaning it can perform various tasks based on commands received from the attackers. These capabilities include:

  • Running commands on the infected computer.
  • Listing running programs.
  • Performing file operations (uploading, downloading, deleting).
  • Scanning networks.
  • Setting up a SOCKS5 tunnel to relay other malicious traffic through the compromised system.
Read more: The Verge Just Leveled Up Your News Feed: Get Ready for Personalized Tech!

Researchers noted that RunnerBeacon shares some design similarities with other known Go-based backdoors, specifically mentioning connections to the Geacon family, which is often associated with the Cobalt Strike penetration testing tool. This suggests RunnerBeacon might be a custom or evolved version of existing tools, tailored for extra stealth.

Who’s Behind It? Attribution Challenges

While the techniques used in the OneClik campaign are sophisticated and point to a well-resourced group, definitively saying who is responsible is difficult.

However, some clues suggest potential links to state-sponsored threat actors, particularly those affiliated with China. Researchers point to the specific techniques used, such as the .NET AppDomainManager injection and the method for deploying encrypted payloads, which have been observed in past attacks attributed to Chinese groups. Additionally, a preference for using cloud services for staging operations (from providers like Alibaba and Amazon) has been noted in previous China-linked campaigns.

Despite these overlaps, the evidence isn’t conclusive enough for a firm attribution. The complexity of the attack, the use of standard tools, and the cloud-based obfuscation make it hard to leave clear fingerprints.

The discovery of the OneClik campaign, with its clever blend of legitimate tech abuse and sophisticated custom malware, highlights the evolving threat landscape. Defenders in critical sectors like energy need to be aware of how attackers are leveraging trusted tools and services to bypass traditional security measures.

For more details on sophisticated hacking techniques:

  • SentinelOne shares new details on China-linked breach attempt
  • Microsoft and CrowdStrike partner to link hacking group names

Related Posts

Animated GIF showing a user clicking to follow the 'AI' topic on The Verge website, personalizing their tech news feed.
The Verge Just Got Smarter: Personalized Feeds & Newsletters Are Here!
Color-coded diagram of the AMD Magnus APU, potentially the next-gen Xbox chip, showing its Zen 6 CPU and large graphics die.
Next-Gen Xbox & PS6 Leaks: Is This AMD Chip the Heart of Microsoft’s Future Console?
Conceptual image of a future Apple HomePod smart speaker with a large, integrated touchscreen display, showing smart home controls.
HomePod Gets a Screen? iOS 26 Leak Hints at ‘HomePod Touch’
Animated GIF showing a user following specific technology topics on The Verge website to personalize their news feed.
The Verge Just Leveled Up Your News Feed: Get Ready for Personalized Tech!
Conceptual render of Apple's upcoming HomePod device featuring an integrated touch screen, hinting at visual capabilities for smart home control and information display.
Apple’s Next Big Home Device: Is the “HomePod Touch” Coming with a Screen?
Orange CMF Watch 3 Pro showcasing its sleek design and bright strap from a side angle
CMF Watch 3 Pro Unveiled: Smarter Tracking, Longer Battery, Still Budget-Friendly
Smartphone displaying the Gmail app interface, symbolizing an overflowing email inbox or new email features.
Your Gmail is Still Flooded? Google’s Next Big Fix for Spam is Coming
A close-up view of the Google Pixel 10 Pro smartphone in a sleek, steely gray color, officially teased ahead of its launch event.
Google Just Teased the Pixel 10 Pro! Get an Early Look & Exclusive Offer
Donkey Kong Bananza's stunning visuals on Nintendo Switch 2, earning praise from the legendary artists behind Donkey Kong Country.
Original Donkey Kong Country Creators Give Thumbs Up to Smash Hit Donkey Kong Bananza on Switch 2
Google Keep notes and task list interface with cover image
Google Keep Reminders Are Moving to Tasks: What You Need to Know
Windows 11 Click to Do feature showing a highlighted paragraph being summarized by AI
Windows 11 Just Got Smarter: Powerful New AI Features Roll Out Now
Sony X90L 65-inch 4K LED Smart TV with vibrant display showcasing immersive content
Unleash Next-Gen Gaming: Sony X90L 4K TV Slashes Price to All-Time Low!
Google Play Services logo with abstract blue background, representing the core Android system updates
Google’s Latest Android Updates Bring Smarter Wear OS, Enhanced Apps, and Wallet Upgrades
An iPhone display showcasing the new iOS 26 Dynamic Wallpaper, featuring a smooth gradient of blue and purple tones, illustrating its automatic color-shifting capability.
Your iPhone’s Wallpaper Just Got Smarter: iOS 26 Beta 4 Unveils Dynamic Colors!
A sleek Kioxia LC9 Series SSD, showcasing its compact 2.5-inch form factor with a futuristic design, representing the cutting-edge of high-capacity data storage.
Kioxia LC9 SSD: How a Tiny Drive Now Stores a Staggering 245TB!
A striking visual of a game character in a dynamic pose, from a video discussing the future of AAA games.
The Fight for Your Digital Games: Why Ubisoft is Under Fire Over Game Preservation
Google Pixel 9a home screen showcasing the current Android user interface and app icons.
Google’s Android Updates Just Got More Confusing: Here’s What You Need to Know
A server rack with glowing lights, illustrating the hardware infrastructure managed by Windows Server 2019.
Urgent Alert: Windows Server 2019 Update Causing Cluster & VM Chaos – What Businesses Must Do
In-game screenshot from Grand Theft Auto 6 featuring a detailed character and bustling street scene, hinting at future PS5 Pro performance.
Could GTA 6 Hit 60fps on PS5 Pro? Unpacking the Latest Performance Rumor
Leaked image showing the Lenovo Legion Go 2 prototype in action, highlighting its new display features.
Lenovo Legion Go 2 Leak: A Game-Changing Handheld with a Stunning OLED Screen?
Sleek Oakley HSTN Meta smart glasses in gray with polarized lenses, showcasing their modern, rounded frame design.
Oakley Meta vs. Ray-Ban Meta Smart Glasses: Which AI Glasses Should You Choose?
Thomas Mahler, CEO of Moon Studios, clarifies console release plans for No Rest for the Wicked on X, addressing Xbox prioritization.
No Rest for the Wicked: Xbox Release Prioritized Behind PS5 & Switch 2 (For Now)
A digital interface showcasing educational content and tools from The Freelance Photographer, highlighting resources for aspiring photography professionals.
VSCO Unleashes Global Access for Capture Camera App and Bolsters Pro Photographers with Strategic Acquisition
The iconic front cover of Dungeons & Dragons module B2 The Keep on the Borderlands, featuring classic fantasy art.
Dungeons & Dragons: Why “The Keep on the Borderlands” Is Still the Ultimate Adventure After 46 Years
Screenshot of the Xbox PC application dashboard showing the 'Play History' section, featuring various game tiles ready for cross-device cloud play.
Seamless Gaming: Xbox Tests Feature That Syncs Your Cloud Games Across Devices
Close-up view of the nano SIM card slot on the Microsoft Surface Laptop 5G, positioned next to the Surface Connect charging port, highlighting its mobile connectivity feature.
Stay Connected Anywhere: Microsoft Unveils the New Surface Laptop 5G with AI Power!
Close-up view of the Gemini AI app icon displayed on the vibrant screen of a Samsung Galaxy Watch 8 Classic, highlighting the sleek Wear OS 6 interface and modern smartwatch capabilities.
Good News! Galaxy Watch 8 Now Pairs Perfectly with Android 16 Beta
Rear view of the Elgato Game Capture 4K S showing its HDMI in, HDMI out, and USB-C ports, ready for console and PC connection.
Elgato Game Capture 4K S: Affordable 4K Streaming Made Simple for Gamers
Diagram illustrating Rocket Lab's proposed dredging project for Sloop Gut channel to allow large Neutron rocket deliveries to Wallops Island
Rocket Lab’s Race Against Time: Battling Shallow Waters to Launch Neutron Rocket in Virginia
An Apple Watch interface concept showing a 'Focus Score' of 84, with colored segments representing different sleep stages like REM, Core, and Deep sleep, as discovered in iOS 26 code.
Your Apple Watch May Soon Offer a Sleep Score: A New Era for Your Health Data
OneXSugar Sugar 1 handheld displaying vibrant RGB lighting on its grips and analog sticks, with the secondary screen deployed as a convenient kickstand for tabletop gaming.
OneXSugar Sugar 1: The Wild Dual-Screen Handheld That Could Redefine Portable Gaming
Close-up of the Google Pixel 9 Pro's distinctive camera bar in Rose Quartz, highlighting its premium design.
From Samsung Superfan to Pixel Convert? My Month with the Google Pixel 9 Pro
A smart television screen with red 'buy' icons crossed out, symbolizing a user's initial hesitation about integrated smart TVs.
Your TV Can Be a Smart Home Hub: How Google TV Streamer Changed My Mind
Grand Theft Auto 6 logo against a backdrop of Vice City, symbolizing the potential for high frame rates on PS5 Pro.
Will GTA 6 Hit 60fps on PS5 Pro? Sony Engineers May Be Lending a Hand
Blue Origin's towering New Glenn rocket launching into the night sky, showcasing its powerful debut.
Mars Mission Onboard: Blue Origin’s New Glenn Rocket Set for Exciting Second Launch
A Warframe character, a sci-fi space ninja, navigates a smoky, destroyed trench battlefield, echoing World War I imagery in The Old Peace expansion. The scene highlights the game's shift to a more somber narrative.
Warframe’s “The Old Peace”: A Deep Dive into WWI-Inspired Sci-Fi Conflict
HPE (Hewlett Packard Enterprise) logo on a modern, dark background, symbolizing network security and enterprise solutions.
IMMEDIATE ACTION: Critical Security Flaws Found in HPE Aruba Instant On Wi-Fi Devices!
Vibrant screenshot of a hovercraft speeding through a futuristic cityscape in Fast Fusion, showcasing the Nintendo Switch 2's impressive graphics for sci-fi racing.
Fast Fusion Review: The Surprising $15 Racer Redefining Switch 2 Graphics
A person's hand holding a smartphone with a tent in the background, superimposed with a smart TV screen showing crossed-out shopping icons, illustrating a shift away from integrated smart TVs.
Level Up Your Living Room: Why Your TV Needs a Google TV Streamer as Your Smart Home Hub
Close-up of a Google Pixel 8 Pro in a unique color, highlighting its distinctive camera bar design.
Unforgettable Shades: Ranking the Best Google Pixel Phone Colors Ever!