{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Daily Security Review","title":"OneClik Cyberattack Campaign Targets Energy Sector Using Microsoft ClickOnce and AWS","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/57120148\"></iframe>","width":"100%","height":180,"duration":4705,"description":"A sophisticated cyber-espionage campaign named OneClik is actively targeting energy, oil, and gas organizations using a combination of legitimate cloud infrastructure and novel attack techniques. The campaign, attributed to an unknown but likely state-affiliated actor, leverages Microsoft's ClickOnce deployment technology to deliver custom Golang-based malware known as RunnerBeacon. The use of AWS APIs for command-and-control (C2) communications allows OneClik to operate within trusted cloud environments, making detection by traditional tools extremely difficult.The campaign reflects broader trends in critical infrastructure cyber threats — particularly the abuse of legitimate services to “live off the land” and the use of advanced anti-analysis techniques to avoid detection. RunnerBeacon exhibits environment-aware behavior, anti-debugging checks, and is compiled in Golang to evade traditional antivirus scanning. While attribution remains inconclusive, indicators suggest a potential link to China-affiliated actors.This episode explores how OneClik fits into the evolving threat landscape and what defenders should know:How Microsoft’s ClickOnce technology is abused in phishing emails for stealthy malware deploymentThe use of AWS cloud services as a trusted C2 infrastructure to bypass detectionRunnerBeacon’s anti-debugging and sandbox-evasion mechanisms, including RAM and domain checksThe targeting of nuclear and energy facilities as part of broader geopolitical cyber pressureRecent ransomware trends in the energy sector, with attacks up 80% year-over-yearThe rise of Golang malware in cyber campaigns and its impact on defensive toolingThe critical importance of supply chain and credential monitoring in energy networksOneClik underscores a modern cyber warfare model: sophisticated, cloud-native, and evasive. As threat actors move deeper into the supply chains and IT layers of critical infrastructure, defenders must evolve beyond perimeter controls to emphasize...","thumbnail_url":"https://img.transistorcdn.com/pL79_MJFeJHamQ_ztImsGmDSMdl27VMk_30TAkieujE/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNzg5/ZjlhNzM5Y2M4Njli/NjkxNzgyODA2Nzhi/MDI2ZC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}