Market Impact: 0.6

Hackers abuse Microsoft ClickOnce and AWS services for stealthy attacks

Tickers: MSFT, AMZN, BABA
Topics: Cybersecurity & Data Privacy, Technology & Innovation, Geopolitics & War, Infrastructure & Defense

A sophisticated cyber campaign, dubbed OneClik, is actively targeting the energy, oil, and gas sectors by exploiting Microsoft's ClickOnce deployment tool and custom Golang backdoors such as RunnerBeacon. This evolving threat leverages legitimate AWS cloud services for command-and-control, making detection challenging because malicious traffic blends with normal cloud usage and bypasses traditional security controls. While operational indicators suggest China-affiliated threat actors, attribution remains cautious. The campaign's advanced tactics, including bypassing User Account Control (UAC) and using AppDomainManager injection, highlight a significant and persistent risk to critical infrastructure, potentially necessitating enhanced cybersecurity investments and vigilance within these industries.

Analysis

A sophisticated cyber campaign, named OneClik, is actively targeting organizations in the energy, oil, and gas sectors, representing a significant threat to critical infrastructure. The attack leverages legitimate enterprise tools, specifically exploiting Microsoft's (MSFT) ClickOnce deployment technology to deliver malware payloads without triggering User Account Control (UAC), thereby proxying execution through trusted processes. A key element of its stealth is the use of Amazon's (AMZN) legitimate AWS cloud services, including CloudFront and Lambda, for its command and control (C2) infrastructure. This tactic makes malicious traffic exceptionally difficult to distinguish from benign cloud activity, a significant challenge for network defenders. The campaign deploys a custom Golang backdoor, "RunnerBeacon," which researchers at Trellix note is an evolved and stealthier variant of known tools used by threat actors. While attribution remains cautious, the tactics, techniques, and procedures—such as the use of AppDomainManager injection and cloud-based staging previously seen with Alibaba (BABA) and Amazon services—align with those of China-affiliated state actors. The campaign's evolution and use of robust anti-analysis techniques indicate a persistent and advanced adversary focused on long-term espionage or disruption within strategically important industries.