Cybersecurity researchers have uncovered the OneClik campaign, which uses Microsoft’s ClickOnce technology and custom Golang backdoors to target energy sector organizations. The campaign exhibits tactics associated with Chinese threat actors, employing evasive “living-off-the-land” methods and sophisticated C2 communication. #ClickOnce #RunnerBeacon
Keypoints
- The OneClik campaign targets organizations in the energy, oil, and gas sectors using phishing and malicious ClickOnce applications.
- The campaign leverages a .NET loader and a Golang backdoor called RunnerBeacon for stealth and control.
- RunnerBeacon communicates with attacker-controlled infrastructure through multiple protocols, including HTTP, WebSockets, and SMB.
- Variants of OneClik have evolved to enhance stealth and operational capabilities, with multiple versions observed in 2025.
- The activity is linked to Chinese-affiliated threat groups but lacks formal attribution to specific actors.
Read More: https://thehackernews.com/2025/06/oneclik-malware-targets-energy-sector.html