APT Group Exploits Microsoft ClickOnce to Deploy Stealthy Malware via Trusted Applications
June 27th, 2025
Severity Level: Medium

Technical Details
Campaign Name: OneClik.
Severity: Medium.
Affected Technology: Microsoft ClickOnce (.application installers).
Initial Vector: Phishing emails and compromised infrastructure.
Payload Delivery: Hosted on attacker-controlled web servers, often with signed certificates or disguised within legitimate content.
Malware Capabilities: Data exfiltration, credential harvesting, keylogging, lateral movement, and persistent access.
Attackers use ClickOnce to establish a trusted installation process that bypasses security warnings and alerts. Users are prompted to run or install what appears to be a normal application. Behind the scenes, the ClickOnce file references a malicious payload (often a .dll or .exe), which executes upon installation. The execution chain may also involve the use of runas and PowerShell for privilege escalation. Trellix analysis indicates that threat actors target industrial control systems (ICS), particularly in the energy and utilities sectors, by taking advantage of the limited endpoint security and user training gaps in these systems.
Our Cyber Threat Intelligence Unit recently identified a new Advanced Persistent Threat (APT) campaign that exploits Microsoft's ClickOnce deployment technology. This APT delivers malware targeting critical infrastructure sectors, including energy, oil, and gas. The campaign, tracked as OneClik by Trellix researchers, exploits the ClickOnce mechanism to stealthily execute malicious payloads through Microsoft-signed installation packages. The attackers distribute weaponized .application files (ClickOnce installers) via phishing emails or compromised websites. These files disguise themselves as legitimate Microsoft applications and exploit user trust to execute embedded malware without triggering typical security alerts. This campaign illustrates how APT actors are adapting their techniques to circumvent modern security defenses by taking advantage of trusted tools within the Windows ecosystem.

Impact
If successful, this campaign’s impact includes:
Unauthorized access to critical infrastructure systems.
Credential theft and lateral movement within industrial networks.
Potential disruption of energy or operational technology environments.
Exfiltration of sensitive enterprise or control system data.
Establishment of long-term persistence mechanisms that evade detection.
Use of trusted Microsoft infrastructure to bypass user suspicion and security controls.
Using ClickOnce as a delivery method makes this threat especially hard to detect with standard AV and EDR tools, because the installation looks legitimate and user-initiated. The same trusted-installer behavior also raises the risk of supply chain compromise, since a malicious manifest inherits the trust users and controls place in the deployment mechanism.
Detection Method
To detect signs of this threat:
Inspect ClickOnce download and execution logs from browsers or email attachments, especially if triggered by phishing campaigns.
Monitor PowerShell activity and command-line invocations initiated after ClickOnce execution for signs of privilege escalation.
Review web proxy, firewall, and DNS logs for access to suspicious domains and unrecognized .application URLs.
Identify untrusted installations from users who typically do not run admin-level applications.
Check for system persistence mechanisms, such as unexpected registry keys, scheduled tasks, or unknown startup programs that may have been installed during app execution.
Correlate user behavior logs with installation paths to identify deviations from typical software usage patterns.
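As an added example (not part of the advisory or of Trellix's research), the Python below applies two of the checks above to constructed sample logs: it flags scripting or runas processes spawned by the ClickOnce runtime, and .application manifests fetched from hosts outside an allow-list. It assumes dfsvc.exe is the ClickOnce deployment host process (from ClickOnce documentation, not stated on this page); the log lines and the allow-list are constructed, with the single URL taken from the IoC table below.

```python
"""Correlate ClickOnce launches with follow-on scripting activity and with
.application downloads. Sample logs are constructed, not real telemetry."""
import csv
import io
from urllib.parse import urlparse

# Constructed Sysmon-style process-creation events (EID 1 fields, simplified).
PROCESS_EVENTS = """time,host,parent_image,image,command_line
2025-06-27T09:01:14Z,ot-ws01,iexplore.exe,dfsvc.exe,dfsvc.exe
2025-06-27T09:01:20Z,ot-ws01,dfsvc.exe,powershell.exe,powershell.exe -File update.ps1
2025-06-27T09:01:25Z,ot-ws01,dfsvc.exe,runas.exe,runas.exe /user:admin svc.exe
2025-06-27T09:05:00Z,eng-ws07,explorer.exe,powershell.exe,powershell.exe -Command Get-Date
2025-06-27T09:06:00Z,eng-ws07,dfsvc.exe,EnergyViewer.exe,EnergyViewer.exe
"""

# Constructed web-proxy lines: time host url status
PROXY_EVENTS = """2025-06-27T09:01:12Z ot-ws01 http://energy-login-update.com/app.application 200
2025-06-27T09:00:01Z eng-ws07 https://deploy.example-internal.corp/tools/EnergyViewer.application 200
2025-06-27T09:02:00Z ot-ws01 https://www.microsoft.com/ 200
"""

# dfsvc.exe is the ClickOnce deployment host (assumption from ClickOnce docs,
# not from the advisory). Children that warrant an alert when it is the parent:
CLICKONCE_HOST = "dfsvc.exe"
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "runas.exe"}
APPROVED_DEPLOY_HOSTS = {"deploy.example-internal.corp"}  # constructed allow-list


def scripting_children_of_clickonce(csv_text):
    """Return (host, image, command_line) for scripting/runas children of dfsvc.exe."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row["parent_image"].lower() == CLICKONCE_HOST
                and row["image"].lower() in SUSPICIOUS_CHILDREN):
            hits.append((row["host"], row["image"], row["command_line"]))
    return hits


def unapproved_application_downloads(proxy_text):
    """Return (host, server, url) for .application fetches outside the allow-list."""
    hits = []
    for line in proxy_text.splitlines():
        _time, host, url, _status = line.split()
        parsed = urlparse(url)
        if (parsed.path.lower().endswith(".application")
                and parsed.hostname not in APPROVED_DEPLOY_HOSTS):
            hits.append((host, parsed.hostname, url))
    return hits


if __name__ == "__main__":
    for hit in scripting_children_of_clickonce(PROCESS_EVENTS):
        print("ALERT clickonce child:", hit)
    for hit in unapproved_application_downloads(PROXY_EVENTS):
        print("ALERT unapproved manifest:", hit)
```

The legitimate EnergyViewer deployment in the sample produces no alert on either check, which is the baseline a real allow-list should be tuned against before enabling the rule.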
Indicators of Compromise
Type | Indicator | Description
SHA256 File Hash | ba9cf6a733d207df0b35153e37b8963a5c49091ea420fb31786d404ebf4e78d3 | Hash of the .application file used to launch malware
IP Address | 192.227.192.189 | Hosting malicious application payloads
URL | http://energy-login-update[.]com/app.application | Malicious ClickOnce installer delivery URL
Domain | update-secureportal[.]net | Controlled by a threat actor for C2 or download functionality

Recommendations
Block ClickOnce file types (.application) at email gateways, web filters, and file transfer interfaces to reduce the number of delivery vectors.
Alert on ClickOnce launches and child processes via SIEM/XDR tools, especially when combined with PowerShell or scripting behaviors.
Implement URL and domain reputation filtering to block outbound communication to known malicious infrastructure.
Educate employees and IT/OT personnel about the dangers of application prompts that initiate downloads from unknown sources.
Enforce application allow-listing policies to prevent unauthorized installations on critical infrastructure systems.
Limit outbound connections and data flows from ICS/OT networks to prevent data exfiltration and external beaconing.
Perform threat hunting and behavior analysis to detect low-and-slow intrusion techniques used by APTs.
Regularly update endpoint and email security definitions to include the latest IOCs and detection patterns.
Conclusion
The OneClik campaign highlights the increasing sophistication of APT actors in utilizing legitimate deployment technologies for malicious purposes. By exploiting Microsoft’s ClickOnce framework, a trusted and user-friendly method for software installation, threat actors can deliver malware in ways that often bypass both user suspicion and technical safeguards.
This campaign’s focus on energy, oil, gas, and ICS/OT environments underscores the risk of major disruption to national infrastructure and operations. Security teams must adopt a proactive defense posture that includes strict control over how executables are delivered, improved user education, and continuous behavioral monitoring. Quickly identifying and responding to suspicious installer activity can significantly reduce the risk of a breach. As this threat continues to develop, sharing threat intelligence and implementing layered defense strategies will be essential for countering future attacks that use similar tactics.