Jun 27, 10:26 AM

Hackers Leverage ClickOnce and Fake Software Sites in New Malware Campaigns

Security researchers are warning of two unrelated but concurrent malware campaigns that rely on trusted brands and legitimate software features to remain undetected. In the first, dubbed “OneClik,” attackers abuse Microsoft’s ClickOnce deployment technology to install Go-based backdoors on Windows machines without requiring administrator privileges or triggering anti-virus alerts. The operation, which hosts its payloads on Amazon Web Services, has singled out companies in the energy, oil and gas industries, according to an analysis published on 27 June. The malware hijacks native Windows processes and imitates the commercial penetration-testing tool Cobalt Strike to deepen its foothold. A separate campaign traced by Netskope Threat Labs attributes recent infections to the Chinese-language group Silver Fox, also known as Void Arachne. The actors registered look-alike domains for popular software—including WPS Office and the AI search tool DeepSeek—to distribute malicious MSI installers. The installers sideload a rogue DLL that launches Sainbox, a variant of the Gh0st remote-access trojan, and an open-source kernel driver dubbed Hidden, giving the intruders data-exfiltration capabilities and the means to conceal their presence on compromised PCs. The disclosures come as broader industry data point to a rise in brand-spoofing attacks. Kaspersky said phishing and malware files impersonating productivity and AI tools such as Zoom, Microsoft Office and ChatGPT targeted 8,500 small and midsize businesses in early 2025, with ChatGPT-themed lures alone jumping 115 percent. Analysts say the trend underscores the need for stricter software-adoption controls and vigilance over seemingly routine downloads.

#Microsoft #ClickOnce #Go #Windows #Amazon Web Services #Cobalt Strike #Netskope Threat Labs #Silver Fox #Void Arachne #WPS Office #AI #MSI #Sainbox #Gh0st #Hidden #Kaspersky #Zoom #Microsoft Office #ChatGPT

Written with ChatGPT .

Hackers Leverage ClickOnce and Fake Software Sites in New Malware Campaigns

Sources

Additional media

Similar Stories