
APT Group Exploits Microsoft ClickOnce to Deploy Stealthy Malware via Trusted Applications

June 27th, 2025

Severity Level: Medium

Technical Details

  • Campaign Name: OneClik.

  • Severity: Medium.

  • Affected Technology: Microsoft ClickOnce (.application installers).

  • Initial Vector: Phishing emails and compromised infrastructure.

  • Payload Delivery: Hosted on attacker-controlled web servers, often with signed certificates or disguised within legitimate content.

  • Malware Capabilities: Data exfiltration, credential harvesting, keylogging, lateral movement, and persistent access.

Attackers use ClickOnce to establish a trusted installation process that bypasses security warnings and alerts. Users are prompted to run or install what appears to be a normal application. Behind the scenes, the ClickOnce file references a malicious payload (often a .dll or .exe), which executes upon installation. The execution chain may also involve the use of runas and PowerShell for privilege escalation. Trellix analysis indicates that threat actors target industrial control systems (ICS), particularly in the energy and utilities sectors, by taking advantage of the limited endpoint security and user training gaps in these systems.

Our Cyber Threat Intelligence Unit recently identified a new Advanced Persistent Threat (APT) campaign that exploits Microsoft's ClickOnce deployment technology. This APT delivers malware targeting critical infrastructure sectors, including energy, oil, and gas. The campaign, tracked as OneClik by Trellix researchers, exploits the ClickOnce mechanism to stealthily execute malicious payloads through Microsoft-signed installation packages. The attackers distribute weaponized .application files (ClickOnce installers) via phishing emails or compromised websites. These files disguise themselves as legitimate Microsoft applications and exploit user trust to execute embedded malware without triggering typical security alerts. This campaign illustrates how APT actors are adapting their techniques to circumvent modern security defenses by taking advantage of trusted tools within the Windows ecosystem.


Impact

If successful, this campaign’s impact includes:

  • Unauthorized access to critical infrastructure systems.

  • Credential theft and lateral movement within industrial networks.

  • Potential disruption of energy or operational technology environments.

  • Exfiltration of sensitive enterprise or control system data.

  • Establishment of long-term persistence mechanisms that evade detection.

  • Use of trusted Microsoft infrastructure to bypass user suspicion and security controls.

Using ClickOnce as a delivery method makes this threat especially hard to detect with standard AV and EDR tools, because the installation appears legitimate and user-initiated. Because the installer itself is trusted, the technique also raises the risk of supply chain compromise.

Detection Method

To detect signs of this threat:

  • Inspect ClickOnce download and execution logs from browsers or email attachments, especially if triggered by phishing campaigns.

  • Monitor PowerShell activity and command-line invocations initiated after ClickOnce execution for signs of privilege escalation.

  • Review web proxy, firewall, and DNS logs for access to suspicious domains and unrecognized .application URLs.

  • Identify untrusted installations from users who typically do not run admin-level applications.

  • Check for system persistence mechanisms, such as unexpected registry keys, scheduled tasks, or unknown startup programs that may have been installed during app execution.

  • Correlate user behavior logs with installation paths to identify deviations from typical software usage patterns.
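As an added example (not code from the original advisory or from Trellix), the Python below implements two of the checks listed above over constructed, Sysmon-style process events and proxy lines: a script host or runas spawned by the ClickOnce host process dfsvc.exe, and a .application manifest fetched from a host outside an internal allow-list. The dfsvc.exe parent check, the allow-list host and every sample record are assumptions of this example.

```python
"""Constructed detection logic for the ClickOnce TTPs described above."""
import re

# ClickOnce applications are hosted by dfsvc.exe (ClickOnce Deployment
# Service). A script host or runas spawned from it is worth an alert.
CLICKONCE_HOST = "dfsvc.exe"
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                       "runas.exe", "rundll32.exe", "mshta.exe"}
# Matches a ClickOnce manifest URL and captures its host.
APP_URL = re.compile(r"https?://([^/\s]+)/\S*\.application\b", re.IGNORECASE)
# Assumed internal deployment host allowed to serve .application manifests.
TRUSTED_APP_HOSTS = {"deploy.corp.example"}


def proc_alerts(events):
    """events: dicts with 'parent', 'image', 'cmdline' (Sysmon EID 1 style)."""
    alerts = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == CLICKONCE_HOST and child in SUSPICIOUS_CHILDREN:
            alerts.append(f"{child} spawned by ClickOnce host: {ev['cmdline']}")
    return alerts


def proxy_alerts(lines):
    """lines: 'user url' proxy records; flag manifests from unknown hosts."""
    alerts = []
    for line in lines:
        m = APP_URL.search(line.replace("[.]", "."))  # refang defanged IoCs
        if m and m.group(1).lower() not in TRUSTED_APP_HOSTS:
            alerts.append(f"untrusted ClickOnce manifest: {m.group(0)}")
    return alerts


# Constructed sample data (not real telemetry).
SAMPLE_PROCS = [
    {"parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File update.ps1"},
    {"parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "image": r"C:\Users\alice\AppData\Local\Apps\2.0\abc\inventory.exe",
     "cmdline": "inventory.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
]
SAMPLE_PROXY = [
    "alice http://energy-login-update[.]com/app.application",   # IoC above
    "bob https://deploy.corp.example/tools/inventory.application",
    "carol http://example.org/index.html",
]

if __name__ == "__main__":
    for a in proc_alerts(SAMPLE_PROCS) + proxy_alerts(SAMPLE_PROXY):
        print("ALERT:", a)
```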

Indicators of Compromise

  • SHA256 File Hash: ba9cf6a733d207df0b35153e37b8963a5c49091ea420fb31786d404ebf4e78d3 (hash of the .application file used to launch malware).

  • IP Address: 192.227.192.189 (hosting malicious application payloads).

  • URL: http://energy-login-update[.]com/app.application (malicious ClickOnce installer delivery URL).

  • Domain: Update-secureportal[.]net (controlled by a threat actor for C2 or download functionality).


Recommendations

  • Block ClickOnce file types (.application) at email gateways, web filters, and file transfer interfaces to reduce the number of delivery vectors.

  • Alert on ClickOnce launches and child processes via SIEM/XDR tools, especially when combined with PowerShell or scripting behaviors.

  • Implement URL and domain reputation filtering to block outbound communication to known malicious infrastructure.

  • Educate employees and IT/OT personnel about the dangers of application prompts that initiate downloads from unknown sources.

  • Enforce application allow-listing policies to prevent unauthorized installations on critical infrastructure systems.

  • Limit outbound connections and data flows from ICS/OT networks to prevent data exfiltration and external beaconing.

  • Perform threat hunting and behavior analysis to detect low-and-slow intrusion techniques used by APTs.

  • Regularly update endpoint and email security definitions to include the latest IOCs and detection patterns.

Conclusion

The OneClik campaign highlights the increasing sophistication of APT actors in utilizing legitimate deployment technologies for malicious purposes. By exploiting Microsoft’s ClickOnce framework, a trusted and user-friendly method for software installation, threat actors can deliver malware in ways that often bypass both user suspicion and technical safeguards.

This campaign’s focus on energy, oil, gas, and ICS/OT environments underscores the risk of major disruption to national infrastructure and operations. Security teams must adopt a proactive defense posture that includes strict control over how executables are delivered, improved user education, and continuous behavioral monitoring. Quickly identifying and responding to suspicious installer activity can significantly reduce the risk of a breach. As this threat continues to develop, sharing threat intelligence and implementing layered defense strategies will be essential for countering future attacks that use similar tactics.
