A new wave of targeted attacks against critical energy infrastructure is leveraging Microsoft's ClickOnce deployment technology in what researchers are calling the 'OneClik' campaign. The operation demonstrates concerning innovation in attack methodology, blending legitimate cloud services with weaponized application deployment frameworks.
ClickOnce, Microsoft's application deployment technology designed for streamlined software installation, has become an unwitting accomplice in these attacks. Threat actors are abusing its functionality to silently deliver malware payloads to systems in oil and gas companies. The technique bypasses traditional security measures because the payloads appear to be legitimate software updates from trusted sources.
The attack chain begins with compromised credentials or spear-phishing emails directing victims to cloud storage platforms hosting malicious ClickOnce applications. When executed, these applications leverage ClickOnce's automatic update capabilities to fetch and install additional malicious components without requiring further user interaction.
What makes the OneClik campaign particularly dangerous is its use of:
- Legitimate cloud infrastructure (including Microsoft's own services) for payload hosting
- Digital certificates from compromised vendors to sign malicious packages
- ClickOnce's silent update mechanisms for persistent access
Energy sector organizations are advised to implement:
- Strict application control policies
- Enhanced monitoring of ClickOnce deployments
- Network segmentation for critical operational technology
- Multi-factor authentication for all cloud services
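As an added example (not from the original article or the researchers), one way to support the ClickOnce monitoring recommendation is to triage collected `.application` deployment manifests and flag those whose update location is outside the organization's own publishing hosts. The allowlist, host names and sample manifest below are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: hosts this organization actually publishes ClickOnce apps from.
ALLOWED_HOSTS = {"deploy.corp.example"}

# Constructed sample deployment manifest (.application), not taken from the campaign.
SAMPLE = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <deployment install="true">
    <subscription><update><beforeApplicationStart /></update></subscription>
    <deploymentProvider codebase="https://files.cloud.example/t/Tool.application" />
  </deployment>
</asmv1:assembly>"""

def local(tag):
    """Strip the XML namespace so asm.v1/asm.v2 elements match by name."""
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (facts, findings) for one ClickOnce deployment manifest."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD in manifest; refusing to parse untrusted input")
    root = ET.fromstring(xml_text)
    facts = {"install": None, "update": None, "codebase": None}
    for el in root.iter():
        name = local(el.tag)
        if name == "deployment":
            facts["install"] = el.get("install")
        elif name in ("beforeApplicationStart", "expiration"):
            facts["update"] = name  # update check before start or on an interval
        elif name == "deploymentProvider":
            facts["codebase"] = el.get("codebase")
    findings = []
    if facts["codebase"]:
        url = urlparse(facts["codebase"])
        if url.scheme != "https":
            findings.append("update location is not HTTPS")
        if (url.hostname or "").lower() not in allowed_hosts:
            findings.append(f"update host not allowlisted: {url.hostname}")
    if facts["update"] and facts["install"] == "true":
        findings.append(f"installed app with automatic updates ({facts['update']})")
    return facts, findings

if __name__ == "__main__":
    facts, findings = audit_manifest(SAMPLE)
    print(facts)
    for finding in findings:
        print("FLAG:", finding)
```

A valid signature is deliberately not treated as a pass here, since the campaign is described as signing packages with certificates from compromised vendors.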
The campaign highlights growing threats to industrial control systems and the need for specialized security measures in critical infrastructure environments. Microsoft has been notified about the abuse of ClickOnce in these attacks, but no immediate changes to the technology have been announced.