📱 SideWinder APT targets South Asia via PDF/ClickOnce and DLL sideloading to deploy StealerBot
📝 According to the Trellix Advanced Research Center (research blog), a campaign of e...
📖 cyberveille : https://cyberveille.ch/posts/2025-10-23-sidewinder-apt-cible-lasie-du-sud-via-pdf-clickonce-et-dll-sideloading-pour-deployer-stealerbot/
🌐 source : https://www.trellix.com/blogs/research/sidewinders-shifting-sands-click-once-for-espionage/
#ClickOnce #DLL_sideloading #Cyberveille
SideWinder APT targets South Asia via PDF/ClickOnce and DLL sideloading to deploy StealerBot

According to the Trellix Advanced Research Center (research blog), a sophisticated espionage campaign attributed to SideWinder APT targeted government entities in Sri Lanka, Pakistan and Bangladesh as well as diplomatic missions in India. The operation, conducted in several waves, combines phishing, PDF/ClickOnce infection chains and traditional Word exploits. The attack begins with booby-trapped emails containing PDFs that urge the recipient to download fake Adobe Reader updates. These lures deliver ClickOnce applications signed with legitimate MagTek certificates, abused for DLL sideloading. The authors also resort to Word exploits (e.g. CVE‑2017‑0199) in more classic scenarios.

CyberVeille

🩠 Malware Analysis
===================

🎯 Threat Intelligence

Executive summary: Recent investigations reveal a repeatable campaign where attackers abuse ConnectWise ScreenConnect installers hosted in open directories to distribute AsyncRAT and a custom PowerShell RAT.
The campaign combines trusted RMM footprints, ClickOnce pivots and payload containers that evade signature-based detection.

Technical details:
• Observed payloads include AsyncRAT and a bespoke PowerShell RAT delivered alongside trojanized ScreenConnect installers.
• Infrastructure enumeration identified multiple hosts (examples: 176.65.139.119, 45.74.16.71, 164.68.120.30) and repeated file names such as logs.ldk, logs.idk, logs.idr ranging from ~60 KB to 3 MB.
• Execution techniques show two distinct code paths: in-memory .NET Assembly.Load for AV‑guarded environments and native injection via libPK.dll::Execute otherwise.
• Persistence mechanisms include scheduled tasks named SystemInstallTask and 3losh with aggressive intervals (every 2–10 minutes).
• Network/C2 tradecraft spans common ports (21/80/111/443) and high ephemeral ranges (30,000–60,000), often wrapped in TLS.

🔹 Attack Chain Analysis
• Initial Access / Phishing: ClickOnce pivots (e.g., police.html → galusa.ac.mz → dual.saltuta.com) delivering a launcher from /Bin/ paths.
• Download: Trojanized ScreenConnect installer retrieved from open directory hosting.
• Execution: Dual paths — Assembly.Load into memory or libPK.dll native injection.
• Persistence: Creation of scheduled tasks with short recurrence.
• C2 / Telemetry: AsyncRAT beaconing over standard and ephemeral ports with TLS.

Impact & analysis: Abusing legitimate RMM installers introduces supply‑chain‑like risk; trusted installer footprints lower detection fidelity and enable long dwell times. Fresh or repackaged containers missing from VirusTotal indicate active re‑use and rapid churn.

Detection guidance:
• Monitor for creation of scheduled tasks named SystemInstallTask/3losh and unusual recurrence intervals.
• Alert on processes performing .NET Assembly.Load from nonstandard locations and on native DLLs named libPK.dll performing injection-like behaviors.
• Hunt for open directory listings exposing logs.ldk|logs.idk|logs.idr and ClickOnce /Bin/ URL patterns.

Mitigations:
• Harden RMM deployment processes, restrict installer hosting and validate installer hashes.
• Block or monitor suspicious open directory access and implement strict egress controls for ephemeral port ranges.
• Enforce application allowlisting and endpoint behavioral detections for in-memory assembly loads and DLL injection.

🔹 AsyncRAT #ScreenConnect #ClickOnce #RMM #C2

🔗 Source: https://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

Research on AsyncRAT campaigns using trojanized ScreenConnect installers and open directories, exposing resilient attacker infrastructure and C2 tactics. Learn more.
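The detection guidance in the post above (scheduled task names and recurrence, libPK.dll loads, Assembly.Load from non-standard paths, the logs.ldk/idk/idr container names and ClickOnce /Bin/ launcher URLs) can be turned into a small hunting script. The following is an added example, not code from the post or from Hunt.io: it runs those indicators over a handful of constructed, already-normalised log events. The event layout and field names (`type`, `host`, `task_name`, `interval_min`, `image`, `path`, `url`), the 10-minute interval cut-off and the list of trusted directories are assumptions; the IPs, domain and file names used in the sample data are the ones quoted in the post.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the post: task names, DLL name, container file names and
# the ClickOnce /Bin/ launcher path. Everything else here (event layout, field
# names, thresholds, trusted directories) is an assumption for the example.
SUSPICIOUS_TASK_NAMES = {"systeminstalltask", "3losh"}
SUSPICIOUS_DLL_NAMES = {"libpk.dll"}
CONTAINER_NAME_RE = re.compile(r"/logs\.(?:ldk|idk|idr)$", re.IGNORECASE)
CLICKONCE_BIN_RE = re.compile(r"/Bin/[^/?#]+\.(?:application|exe|dll|manifest)$")
MAX_BENIGN_INTERVAL_MIN = 10           # post reports 2-10 minute recurrence (assumed cut-off)
TRUSTED_DIR_PREFIXES = (               # assumed "standard" locations for managed code
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

@dataclass
class Finding:
    rule: str
    host: str
    detail: str

def check_task_created(ev):
    """Security 4698-style event: a scheduled task registered with a repeat interval."""
    hits = []
    if ev.get("task_name", "").lower() in SUSPICIOUS_TASK_NAMES:
        hits.append("task_name_ioc")
    interval = ev.get("interval_min")
    if interval is not None and interval <= MAX_BENIGN_INTERVAL_MIN:
        hits.append("task_short_interval")
    return hits

def check_image_load(ev):
    """Sysmon 7-style event: a native DLL mapped into a process."""
    base = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ["dll_name_ioc"] if base in SUSPICIOUS_DLL_NAMES else []

def check_assembly_load(ev):
    """CLR assembly load carrying a file path; flag loads from outside trusted directories."""
    path = ev.get("path", "").lower()
    if path and not path.startswith(TRUSTED_DIR_PREFIXES):
        return ["assembly_load_nonstandard_path"]
    return []

def check_url(ev):
    """Proxy-log URL: container file names and ClickOnce /Bin/ launcher paths."""
    url = ev.get("url", "").split("?", 1)[0]
    hits = []
    if CONTAINER_NAME_RE.search(url):
        hits.append("container_name_ioc")
    if CLICKONCE_BIN_RE.search(url):
        hits.append("clickonce_bin_path")
    return hits

CHECKS = {
    "task_created": check_task_created,
    "image_load": check_image_load,
    "assembly_load": check_assembly_load,
    "url": check_url,
}

def scan(events):
    """Run every applicable check over a list of normalised events."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        if check is None:
            continue
        detail = ev.get("task_name") or ev.get("image") or ev.get("path") or ev.get("url") or ""
        for rule in check(ev):
            findings.append(Finding(rule, ev.get("host", "?"), detail))
    return findings

def hosts_with_findings(findings):
    """Hosts to triage first: those on which more than one distinct rule fired."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) > 1)

# Constructed sample events; the IPs, domain and file names come from the post.
SAMPLE_EVENTS = [
    {"type": "task_created", "host": "ws01", "task_name": "SystemInstallTask", "interval_min": 5},
    {"type": "task_created", "host": "ws02", "task_name": "OneDrive Standalone Update Task", "interval_min": 1440},
    {"type": "image_load", "host": "ws01", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\libPK.dll"},
    {"type": "assembly_load", "host": "ws01", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll"},
    {"type": "assembly_load", "host": "ws02", "path": "C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\8.0.0\\System.Text.Json.dll"},
    {"type": "url", "host": "ws01", "url": "http://176.65.139.119/logs.ldk"},
    {"type": "url", "host": "ws01", "url": "https://dual.saltuta.com/Bin/Launcher.application"},
    {"type": "url", "host": "ws02", "url": "https://update.example.com/release/notes.html"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:5} {f.rule:32} {f.detail}")
    print("triage first:", hosts_with_findings(results))
```

Two caveats worth keeping in mind when adapting this: `task_short_interval` on its own is a hunting lead rather than an alert, since plenty of benign tasks repeat every few minutes, which is why `hosts_with_findings` only surfaces hosts where more than one rule fired; and an `Assembly.Load` from a byte array has no file path at all, so the path-based rule only covers the file-backed case and needs to be paired with behavioural endpoint telemetry for the in-memory variant the post describes.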

📱 OneClik malicious campaign targets the energy, oil and gas sectors
📝 The Bleeping Computer article reports a sophisticated malicious campaign dubbed...
📖 cyberveille : https://cyberveille.ch/posts/2025-06-26-campagne-malveillante-oneclik-cible-les-secteurs-de-l-energie-du-petrole-et-du-gaz/
🌐 source : https://www.bleepingcomputer.com/news/security/oneclik-attacks-use-microsoft-clickonce-and-aws-to-target-energy-sector/
#ClickOnce #Golang #Cyberveille
OneClik malicious campaign targets the energy, oil and gas sectors

The Bleeping Computer article reports a sophisticated malicious campaign dubbed OneClik that specifically targets the energy, oil and gas sectors. The campaign exploits Microsoft's ClickOnce software deployment tool to infiltrate the systems of the targeted organisations. Once inside, it uses backdoors developed in Golang, a programming language known for producing lightweight, fast software. The researchers highlighted the targeted nature of the attack, which shows a thorough understanding of the infrastructure and systems used by companies in the energy sector. The potential consequences include major operational disruption and increased risks to the security of sensitive data.

CyberVeille

Cybercriminals are now using everyday tools like Microsoft ClickOnce and AWS as stealthy backdoors into energy companies—imagine a virtual master key that bypasses security. Curious how this digital Trojan horse works?

https://thedefendopsdiaries.com/understanding-the-oneclik-cyber-threat-a-simplified-guide/

#oneclik
#cybersecurity
#clickonce
#aws
#energysector

Understanding the OneClik Cyber Threat: A Simplified Guide

Explore the OneClik cyber threat using ClickOnce and AWS to target the energy sector with advanced evasion techniques.

The DefendOps Diaries
Packaging an Uno Platform app

With the recent release of Uno Platform 5.5, there has been major work done to improve the packaging and publishing experience for Uno Platform apps. If you’ve ever tried packaging up your cross-platform apps for distribution, you’ll know how much of a pain it can be. Each platform has its own set of requirements and tools, and it can be a real headache to get everything set up correctly.

dotnet new bald
Who on Earth limited mage.exe (#clickonce signing tool) to CurrentUser certificate store? #dotnet
Anyone knows where #clickonce installer software save their preferences to? I'm wrestling with an issue about Plumb from Palatial software being unable to save/change its settings. They always revert to what I had saved years ago on this same machine (so they ARE saved somewhere! Just no idea where).

The application is unsigned and I've read that could be why it is unable to alter its configuration. Sadly it has no source available, so I cannot sign it myself and the last update was over ten years ago with no contact address provided.

The ClickOnce installer has installed the program to "C:\Users\User\AppData\Local\Apps\2.0\D2KJ0OO7.GAJ\TRH8M9Q4.L66\plumb.app_8d092e02721c9040_0001.0000_d18604039688d954\Plumb.exe" (ah so readable and easily found path! Got to love this publishing method!), but there is no configuration file there.

RegScanner (from nirsoft) lists a bunch of REG_BINARY keys under HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\... but I don't think any of them are related to the actual configuration problem and instead are just about the ClickOnce deployment. (And being all in binary...)
Akkoma

#Microsoft has confirmed further problems following the latest updates for Windows 10 and announced a fix. Users reported a detection error affecting apps deployed with #ClickOnce. https://winfuture.de/news,137925.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
Microsoft launches "Known Issue Rollback" update for Windows 10 bug

Microsoft has confirmed further problems following the latest updates for Windows 10 and announced a fix. After the optional July updates and the August Patch Day, applications deployed with ClickOnce may fail to be detected.

WinFuture.de