A new APT campaign named OneClik, attributed with moderate confidence to a China-linked actor, has been observed targeting the energy sector with ClickOnce-delivered .NET loaders and Golang backdoors.
The campaign relies on "living off the land" techniques: it abuses Microsoft ClickOnce, a legitimate .NET application deployment feature, rather than exploiting a vulnerability in it, and uses a .NET loader to stage a Golang backdoor. Command-and-control traffic is routed through AWS services, so it blends in with legitimate cloud traffic and defeats domain-reputation blocking.
Delivery starts with phishing emails that point victims at a ClickOnce deployment manifest (an .application file). When the user accepts the ClickOnce install prompt, the ClickOnce runtime (dfsvc.exe) fetches and runs the .NET loader, which installs the Go backdoor RunnerBeacon. RunnerBeacon then communicates with its C2 servers to execute commands, escalate privileges, and move laterally.
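Because the initial foothold is a ClickOnce deployment manifest, the first thing an incident responder wants from a suspicious .application file is where it pulls its payload from and whether anyone vouches for it. The following triage script is an added example, not code from the original article or from the Trellix research; it parses the standard ClickOnce manifest namespaces (asm.v1, asm.v2, XML-DSig) and the sample manifest, host names and finding labels are constructed for illustration.

```python
"""Triage a ClickOnce deployment manifest (.application) before anyone clicks Install.

Extracts the deploymentProvider (where ClickOnce downloads the app from), the
dependency codebases, publisher, install mode and whether the manifest carries an
XML-DSig signature, then emits findings a responder can act on.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by real ClickOnce manifests.
NS = {
    "v1": "urn:schemas-microsoft-com:asm.v1",
    "v2": "urn:schemas-microsoft-com:asm.v2",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample manifest (not an artefact from the campaign): unsigned,
# served from an external host, and set to install persistently.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0"
  xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
  xmlns="urn:schemas-microsoft-com:asm.v2"
  xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="Invoice.application" version="1.0.0.3"
    publicKeyToken="0000000000000000" language="neutral"
    processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <description asmv2:publisher="Acme" asmv2:product="Invoice Viewer"
    xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true" mapFileExtensions="true">
    <subscription><update><beforeApplicationStartup /></update></subscription>
    <deploymentProvider codebase="https://invoice-portal.example.net/Invoice.application" />
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install"
      codebase="Application Files/Invoice_1_0_0_3/Invoice.exe.manifest" size="4096">
      <assemblyIdentity name="Invoice.exe" version="1.0.0.3"
        publicKeyToken="0000000000000000" language="neutral"
        processorArchitecture="msil" type="win32" />
    </dependentAssembly>
  </dependency>
</asmv1:assembly>
"""


def triage_manifest(xml_text: str, trusted_hosts: set) -> dict:
    """Parse one deployment manifest and return extracted fields plus findings."""
    root = ET.fromstring(xml_text)
    findings = []

    ident = root.find("v1:assemblyIdentity", NS)
    name = ident.get("name") if ident is not None else None

    # Publisher lives in an asm.v2-prefixed attribute on the asm.v1 description element.
    desc = root.find("v1:description", NS)
    publisher = desc.get(f"{{{NS['v2']}}}publisher") if desc is not None else None

    deploy = root.find("v2:deployment", NS)
    installs = deploy is not None and deploy.get("install", "false").lower() == "true"

    provider = root.find("v2:deployment/v2:deploymentProvider", NS)
    provider_url = provider.get("codebase") if provider is not None else None
    provider_host = urlparse(provider_url).hostname if provider_url else None

    deps = [d.get("codebase", "") for d in root.findall("v2:dependency/v2:dependentAssembly", NS)]
    signed = root.find("ds:Signature", NS) is not None

    # Unsigned manifests still run: ClickOnce shows an "Unknown Publisher" warning
    # that the user can click through, which is exactly what phishing relies on.
    if not signed:
        findings.append("unsigned-manifest")
    if not publisher:
        findings.append("no-publisher")
    if provider_url is None:
        findings.append("no-deployment-provider")
    else:
        if urlparse(provider_url).scheme != "https":
            findings.append("non-https-provider")
        if provider_host not in trusted_hosts:
            findings.append("untrusted-provider-host")
    # Dependencies are normally relative; an absolute codebase on another host
    # means the real payload is fetched from somewhere the manifest URL does not reveal.
    for dep in deps:
        host = urlparse(dep).hostname
        if host and host != provider_host:
            findings.append("dependency-from-other-host")
    # install="true" persists the app in %LOCALAPPDATA%\Apps\2.0 with a Start Menu entry.
    if installs:
        findings.append("persistent-install")

    return {
        "name": name, "publisher": publisher, "provider": provider_url,
        "dependencies": deps, "signed": signed, "installs": installs,
        "findings": findings,
    }


if __name__ == "__main__":
    # Hosts your organisation legitimately deploys ClickOnce apps from (assumed).
    print(triage_manifest(SAMPLE_MANIFEST, {"deploy.corp.example"}))
```

Run it against a manifest pulled from the mail gateway or proxy cache; the deploymentProvider host is the value to pivot on in proxy logs, since every victim who clicked will have fetched it.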
By routing C2 through AWS services, OneClik makes destination-based detection impractical: the domains involved are the same ones legitimate applications talk to every day, so reputation blocking and simple indicator matching do not help, and detection has to key on process lineage (a ClickOnce-launched process that reaches out to cloud endpoints) rather than on the endpoints themselves. RunnerBeacon's design resembles Geacon, an open-source Go reimplementation of Cobalt Strike's Beacon, which points to a capable operator and a deliberately stealthy approach to the energy sector.
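Since the AWS destinations alone are not an indicator, a hunting query has to correlate them with ClickOnce process lineage. The script below is an added example, not code from the original article or from the research it summarises. It walks constructed process-creation and network-connection records (modelled on Sysmon event IDs 1 and 3), marks processes rooted in ClickOnce (launched by dfsvc.exe or running from the %LOCALAPPDATA%\Apps\2.0 cache) together with their descendants, and alerts only when one of those processes egresses to an AWS-hosted domain. Which domain suffixes count as "AWS-hosted" is an assumption of this example, as are the sample paths, PIDs and hostnames.

```python
"""Hunt for ClickOnce-rooted processes beaconing to cloud-fronted C2.

Correlates process lineage with network egress so that ordinary applications
using AWS (here a constructed Slack process) are not flagged, while a payload
dropped by a ClickOnce-launched app is.
"""
import re

# ClickOnce installs apps under %LOCALAPPDATA%\Apps\2.0 and launches them via dfsvc.exe.
CLICKONCE_CACHE = re.compile(r"\\AppData\\Local\\Apps\\2\.0\\", re.IGNORECASE)
CLICKONCE_HOST = "dfsvc.exe"
# Assumed set of AWS domain suffixes to hunt on; extend to match your environment.
CLOUD_SUFFIXES = (".amazonaws.com", ".cloudfront.net")

# Constructed telemetry, modelled on Sysmon ProcessCreate (1) and NetworkConnect (3).
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
INVOICE = (r"C:\Users\jdoe\AppData\Local\Apps\2.0\K2A1B3C4.D5E\F6G7H8I9.J0K"
           r"\invoice_0000000000000000_0001.0000_abcdef0123456789\Invoice.exe")
DROPPED = r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"
SLACK = r"C:\Program Files\Slack\slack.exe"

PROCESS_EVENTS = [
    {"pid": 4120, "ppid": 612, "image": DFSVC, "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 4388, "ppid": 4120, "image": INVOICE, "parent": DFSVC},
    {"pid": 5004, "ppid": 4388, "image": DROPPED, "parent": INVOICE},
    {"pid": 2200, "ppid": 800, "image": SLACK, "parent": r"C:\Windows\explorer.exe"},
]
NETWORK_EVENTS = [
    {"pid": 5004, "dest": "d1abc2def3ghij.cloudfront.net", "port": 443},
    {"pid": 5004, "dest": "abcd1234.execute-api.us-east-1.amazonaws.com", "port": 443},
    {"pid": 2200, "dest": "slack-files.s3.amazonaws.com", "port": 443},
    {"pid": 4388, "dest": "invoice-portal.example.net", "port": 443},
]


def clickonce_rooted(process_events) -> set:
    """Return PIDs launched by ClickOnce or descended from such a process."""
    rooted = set()
    changed = True
    # Iterate to a fixpoint so ordering of the input does not matter.
    while changed:
        changed = False
        for e in process_events:
            if e["pid"] in rooted:
                continue
            parent_name = e["parent"].rsplit("\\", 1)[-1].lower()
            if (CLICKONCE_CACHE.search(e["image"])
                    or parent_name == CLICKONCE_HOST
                    or e["ppid"] in rooted):
                rooted.add(e["pid"])
                changed = True
    return rooted


def hunt(process_events, network_events) -> list:
    """Alert on ClickOnce-rooted processes that egress to AWS-hosted domains."""
    rooted = clickonce_rooted(process_events)
    image_of = {e["pid"]: e["image"] for e in process_events}
    alerts = []
    for n in network_events:
        if n["pid"] not in rooted:
            continue  # AWS traffic from an ordinary process is noise, not signal
        if n["dest"].lower().endswith(CLOUD_SUFFIXES):
            alerts.append({
                "pid": n["pid"], "image": image_of[n["pid"]], "dest": n["dest"],
                "reason": "ClickOnce-rooted process egress to AWS-hosted endpoint",
            })
    return alerts


if __name__ == "__main__":
    for alert in hunt(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```

The lineage step is what keeps this usable: the same AWS bucket contacted by slack.exe produces nothing, while the dropped svc.exe, two hops below dfsvc.exe, is caught on both of its cloud destinations. In production the same logic maps onto an EDR or SIEM query joining parent-process fields to network events.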