Threat Actors Actively Abusing Microsoft ClickOnce for Stealthy Malware Deployment and Persistence
Threat actors are exploiting Microsoft's ClickOnce technology to deploy malware with minimal user interaction and no elevated privileges, leveraging `.application` or `.appref-ms` files for initial execution, establishing persistence via Startup folders or scheduled tasks, and utilizing ClickOnce's update mechanism for long-term command and control and defense evasion within legitimate Microsoft processes.
CrowdStrike has identified a new wave of abuse targeting Microsoft's ClickOnce technology, which threat actors are weaponizing to deliver malware and establish persistent access. The abuse, detailed in a blog post published on June 18, 2026, highlights how adversaries exploit ClickOnce's user-friendly deployment and inherent trust to bypass traditional security mechanisms. Attackers entice users to click on malicious .application files or web buttons, leading to the installation of malware without requiring administrative privileges. This method allows payloads to execute within legitimate Microsoft processes like rundll32.exe and dfsvc.exe, significantly increasing stealth. Furthermore, the built-in update mechanism of ClickOnce applications is being leveraged to maintain remote access and update malicious components, enabling long-term compromise and control over affected systems.
Attack Chain
- Initial Access: Threat actor entices a user to click on a malicious link pointing to a ClickOnce application hosted on a server, often delivered as a
.applicationfile or triggered by a misleading button on a webpage. - Initial Execution: Upon clicking, the ClickOnce deployment service (
dfsvc.exe) downloads and attempts to install the application, which is configured to execute a malicious payload. - Payload Execution: The ClickOnce application launches its embedded malicious payload, frequently utilizing
rundll32.exeto execute arbitrary code or scripts, masking the malicious activity under a legitimate Windows binary. - Persistence (Appref-ms Drop): A malicious
.appref-msshortcut file, representing the deployed ClickOnce application, is dropped into a user's%Users%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\directory. - Persistence (Startup/Scheduled Task): To ensure continued execution, the
.appref-msfile is strategically placed in the Windows Startup folder or a scheduled task is created to automatically open the.appref-msfile upon user logon or at set intervals. - Defense Evasion: The malicious code executes within the context of legitimate Microsoft processes (
dfsvc.exe,rundll32.exe), blending in with normal system activity and avoiding detection by security tools focused on flagging unknown or suspicious executables. - Command and Control / Update: The threat actor leverages the ClickOnce application's built-in update mechanism to push new malicious components, modify command and control (C2) infrastructure, or deploy additional malware to the compromised system.
- Impact: The attacker gains remote access, maintains persistence, and can proceed with objectives such as data exfiltration, lateral movement, or deploying ransomware.
Impact
This ClickOnce abuse provides threat actors with a highly effective method for initial access, persistence, and defense evasion, circumventing security controls that typically scrutinize .exe files. Successful exploitation leads to unauthorized remote access to target systems, allowing attackers to maintain a foothold, update their malware without user prompting, and potentially move laterally across networks. While the brief doesn't specify victim counts or particular sectors, the nature of this attack, requiring minimal user interaction and no elevated privileges, indicates a broad potential impact across any organization using Windows systems.
Recommendation
- Deploy the provided Sigma rule to detect suspicious
.appref-mspersistence mechanisms. - Enable comprehensive
process_creationlogging and monitor for unusual child processes spawned bydfsvc.exeandrundll32.exe. - Monitor
file_eventlogs for the creation of.applicationand.appref-msfiles in atypical user directories or system locations outside of standard software installations. - Enable
scheduled_taskcreation logging and monitor for new tasks that execute.appref-msfiles, which could indicate persistence.
Detection coverage 1
Detect ClickOnce Appref-ms Persistence via Startup Folder
mediumDetects the creation of an '.appref-ms' file in a user's Startup folder, a known technique for ClickOnce persistence.
Detection queries are available on the platform. Get full rules →