OneClik: A ClickOnce-Based APT Campaign Targeting Energy, Oil and Gas Infrastructure

    Date: 06/26/2025

    Severity: High

    Summary

    The campaign targets the energy, oil, and gas sectors through phishing and abuse of Microsoft ClickOnce. It shows traits linked to Chinese threat actors, though attribution remains tentative. Using "living off the land" tactics, it hides malicious activity inside legitimate cloud and enterprise tooling. Three variants deploy a .NET loader ("OneClikNet") that runs a Go-based backdoor ("RunnerBeacon"), which communicates through AWS services to evade standard detection.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://dyydej4wei7fq.cloudfront.net

    https://b2zei88b61.execute-api.eu-west-2.amazonaws.com

    https://d1ismqgtp337lz.cloudfront.net

    https://dzxwmpi8xepml.cloudfront.net

    https://7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on.aws

    Hashes (SHA-256):

    b06b1a5ea83d7f0883f9388c83359a738bc90e092f21f458232e2f98ed9810b6

    bea96cbf485f32fff1cf5cd9106ada542b978094f524f052f0391c3b916846df

    296030c3a5c7422884d0fda4fbcef7d6cbb2270747190833692315977f7f3c7d

    e61d6e88f1f0068288bb0df226b433915ae295f040475d85f0960f1db0b43ca8

    4007350e16856cb9bb1fc1ca6e359e00b0776a5d1229f83f54e730e1d67ddbce

    18f498b78b02050cbb80c75de035e1985adf8bc838665f0f8a22d3ed3304f73d

    c045503e0cb85588097c6e2484a49c52251ed5e46e9bfc6c73574440534123c9

    048ffb71a1e5abfd6b905b7a4a5171eabe560948963a8c0d6aa14a40d0f6b255

    af8864bde7e2a3b6ff198939c8350c42cea51556b1bb8be6476650ae86c2e669

    d830f27b1dfc75ac50f89a9353fd8aa90103e9a53562475ab69e12d5969b70b2

    4272b9bfc559d60c967fc5e8d17a61ab33aea14522fbfda1341f3953d7d1fb19

    403e7effd2ac31ebcf9181fb4851b309a4448079bd117a90d1e670ac235989de

    0192212b4784ee4e483d162959daf89674cb98aaa6d065e1621a5d26e66a77f3

    2a07875fca7a9c15aa54e82a91800899effadda919e5548513c13586f2c3d7fc

    949c3c79877ce6e4963131e0888c3de4b256bac1de28601c6b01bbfcce7865e0

    86f6d5ebaeb5ea5ac3b952e38951658e716f6065ce5f689ab5cf62fd738525e9

    83f21a03db7cd2c621da3af0b40f6d39e2562af10b59cedfbc46868b054ffac7

    0b61707d1fc8821a95c899de0304a55d549c7252ca24d5978f0989f9593a79c2

    f2c6a9eed870d312be3b7c51998c5326fab17e999d0004931ff84b25233bc9b1

    ea38f13b9ef3ce8351f64ad3685d5fa5fb35e507c71002560f12b24b8c8b546b

    8facceb0b15bbf061ae9ebcb3b97980d90d774c035ece434e4653299afc7babc

    b3dd3b9e8c999fe0e1273a52288af65e1f0997a587f3aa2f13e2a0e6f4383f22

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "https://dyydej4wei7fq.cloudfront.net" or url like "https://dyydej4wei7fq.cloudfront.net" or siteurl like "https://dyydej4wei7fq.cloudfront.net" or domainname like "https://7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on.aws" or url like "https://7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on.aws" or siteurl like "https://7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on.aws" or domainname like "https://b2zei88b61.execute-api.eu-west-2.amazonaws.com" or url like "https://b2zei88b61.execute-api.eu-west-2.amazonaws.com" or siteurl like "https://b2zei88b61.execute-api.eu-west-2.amazonaws.com" or domainname like "https://d1ismqgtp337lz.cloudfront.net" or url like "https://d1ismqgtp337lz.cloudfront.net" or siteurl like "https://d1ismqgtp337lz.cloudfront.net" or domainname like "https://dzxwmpi8xepml.cloudfront.net" or url like "https://dzxwmpi8xepml.cloudfront.net" or siteurl like "https://dzxwmpi8xepml.cloudfront.net"

    Hashes (SHA-256):

    sha256hash IN ("0192212b4784ee4e483d162959daf89674cb98aaa6d065e1621a5d26e66a77f3","b06b1a5ea83d7f0883f9388c83359a738bc90e092f21f458232e2f98ed9810b6","bea96cbf485f32fff1cf5cd9106ada542b978094f524f052f0391c3b916846df","296030c3a5c7422884d0fda4fbcef7d6cbb2270747190833692315977f7f3c7d","e61d6e88f1f0068288bb0df226b433915ae295f040475d85f0960f1db0b43ca8","4007350e16856cb9bb1fc1ca6e359e00b0776a5d1229f83f54e730e1d67ddbce","18f498b78b02050cbb80c75de035e1985adf8bc838665f0f8a22d3ed3304f73d","c045503e0cb85588097c6e2484a49c52251ed5e46e9bfc6c73574440534123c9","048ffb71a1e5abfd6b905b7a4a5171eabe560948963a8c0d6aa14a40d0f6b255","af8864bde7e2a3b6ff198939c8350c42cea51556b1bb8be6476650ae86c2e669","d830f27b1dfc75ac50f89a9353fd8aa90103e9a53562475ab69e12d5969b70b2","4272b9bfc559d60c967fc5e8d17a61ab33aea14522fbfda1341f3953d7d1fb19","403e7effd2ac31ebcf9181fb4851b309a4448079bd117a90d1e670ac235989de","2a07875fca7a9c15aa54e82a91800899effadda919e5548513c13586f2c3d7fc","949c3c79877ce6e4963131e0888c3de4b256bac1de28601c6b01bbfcce7865e0","86f6d5ebaeb5ea5ac3b952e38951658e716f6065ce5f689ab5cf62fd738525e9","83f21a03db7cd2c621da3af0b40f6d39e2562af10b59cedfbc46868b054ffac7","0b61707d1fc8821a95c899de0304a55d549c7252ca24d5978f0989f9593a79c2","f2c6a9eed870d312be3b7c51998c5326fab17e999d0004931ff84b25233bc9b1","ea38f13b9ef3ce8351f64ad3685d5fa5fb35e507c71002560f12b24b8c8b546b","8facceb0b15bbf061ae9ebcb3b97980d90d774c035ece434e4653299afc7babc","b3dd3b9e8c999fe0e1273a52288af65e1f0997a587f3aa2f13e2a0e6f4383f22")
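    The queries above compare full URL strings (scheme included) and lowercase digests. In telemetry where the field carries only a host (DNS query, TLS SNI, a proxy's domainname field) or where an EDR reports digests in uppercase, a literal comparison will miss. The following Python script is an added example, not part of the Gurucul advisory or the Trellix research: it takes the network and hash indicators from this page, reduces the URLs to bare lowercase hostnames, and matches them against a few constructed log lines (the log format is illustrative and belongs to no particular product) by parsed host and by case-insensitive SHA-256.

```python
"""Match log lines against the OneClik IOCs listed on this page."""
import re
from urllib.parse import urlparse

# Network indicators copied verbatim from the IOC list above.
IOC_URLS = [
    "https://dyydej4wei7fq.cloudfront.net",
    "https://b2zei88b61.execute-api.eu-west-2.amazonaws.com",
    "https://d1ismqgtp337lz.cloudfront.net",
    "https://dzxwmpi8xepml.cloudfront.net",
    "https://7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on.aws",
]

# A subset of the SHA-256 hashes from the IOC list above; the full list works the same way.
IOC_SHA256 = {
    "b06b1a5ea83d7f0883f9388c83359a738bc90e092f21f458232e2f98ed9810b6",
    "bea96cbf485f32fff1cf5cd9106ada542b978094f524f052f0391c3b916846df",
    "0192212b4784ee4e483d162959daf89674cb98aaa6d065e1621a5d26e66a77f3",
}


def ioc_hosts(urls):
    """Reduce indicator URLs to bare lowercase hostnames so they can be compared
    with log fields that carry only a host (DNS query, SNI, domainname)."""
    return {urlparse(u).hostname.lower() for u in urls}


IOC_HOSTS = ioc_hosts(IOC_URLS)

# Tokens that look like a URL, a dotted hostname, or a 64-hex-digit digest.
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"']+", re.IGNORECASE)
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def match_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    hosts = set()
    # 1. Full URLs: compare the parsed host, not the raw string, so that a
    #    path, port or query string appended by the client does not defeat the match.
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host and host.lower() in IOC_HOSTS:
            hosts.add(host.lower())
    # 2. Bare hostnames, e.g. from a DNS or SNI field.
    for host in HOST_RE.findall(line):
        if host.lower() in IOC_HOSTS:
            hosts.add(host.lower())
    hits.extend(("host", h) for h in sorted(hosts))
    # 3. SHA-256 digests, compared case-insensitively.
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower()))
    return hits


# Constructed sample lines; the field layout is illustrative, not any vendor's format.
SAMPLE_LOGS = [
    '2025-06-26T10:01:12Z proxy src=10.20.30.41 url="https://dyydej4wei7fq.cloudfront.net/index" status=200',
    '2025-06-26T10:01:13Z dns src=10.20.30.41 query=7dqtdjxfycaqhjvc2qmx5js4aq0juygw.lambda-url.us-east-1.on.aws type=A',
    '2025-06-26T10:02:05Z edr host=WS-0173 action=file_create sha256=B06B1A5EA83D7F0883F9388C83359A738BC90E092F21F458232E2F98ED9810B6',
    '2025-06-26T10:03:40Z proxy src=10.20.30.42 url="https://docs.example.com/index.html" status=200',
]


def scan(lines):
    """Return [(line_number, hits)] for every line with at least one IOC hit."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = match_line(line)
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```

    Matching on the parsed host rather than the literal URL is what makes the first sample line fire: the client appended a path the indicator list never had. The same normalisation is worth applying when loading the page's URL indicators into any SIEM whose `domainname` field holds a bare host.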

    Reference:

    https://www.trellix.com/blogs/research/oneclik-a-clickonce-based-apt-campaign-targeting-energy-oil-and-gas-infrastructure/


    Tags: Malware, APT, ClickOnce, Phishing, Backdoor, Exploit, RunnerBeacon, Energy, Critical Infrastructure
