{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/abuse/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ClickOnce technology"],"_cs_severities":["medium"],"_cs_tags":["clickonce","windows","application-deployment","abuse","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCrowdStrike has detailed how Microsoft's ClickOnce technology, designed to simplify application deployment and updates, is being abused by threat actors. ClickOnce allows developers to package and distribute applications that users can install and update with minimal interaction and often without requiring administrative privileges. While beneficial for legitimate software distribution, this user-friendly process creates a significant security vulnerability, as it provides an easy vector for threat actors to deliver malware. This initial part of CrowdStrike's series explains the internal workings of ClickOnce, from application publishing to its installation on user endpoints, laying the groundwork for understanding how adversaries can weaponize this legitimate feature for malicious purposes. The article highlights that the 'click once' simplicity, combined with the lack of administrative privilege requirement, makes it an attractive target for initial access and execution of arbitrary code on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker develops a malicious application and uses the ClickOnce publishing process within Visual Studio to generate the necessary deployment files (e.e., \u003ccode\u003e.application\u003c/code\u003e manifest, \u003ccode\u003e.manifest\u003c/code\u003e, and application binaries).\u003c/li\u003e\n\u003cli\u003eThe attacker hosts these malicious ClickOnce deployment files on a controlled web server, preparing for distribution.\u003c/li\u003e\n\u003cli\u003eVictims are lured (e.g., via phishing campaigns, compromised websites, or malvertising) to click a link that points directly to the attacker-controlled \u003ccode\u003e.application\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eUpon clicking, the user's system downloads the \u003ccode\u003e.application\u003c/code\u003e file, and the legitimate ClickOnce Deployment Support Service (\u003ccode\u003edfsvc.exe\u003c/code\u003e) initiates the deployment process.\u003c/li\u003e\n\u003cli\u003eThe ClickOnce wizard prompts the user for confirmation to install the application; if the publisher's signature cannot be verified (or if it's spoofed), the user is still prompted.\u003c/li\u003e\n\u003cli\u003eIf the user confirms the installation, \u003ccode\u003edfsvc.exe\u003c/code\u003e downloads the application components and installs the malicious software into the user's ClickOnce application cache, often without requiring elevated administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe malicious ClickOnce application executes, leveraging its legitimate deployment mechanism to run the attacker's payload (e.g., information stealer, ransomware, backdoor, or other malware).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via malicious ClickOnce applications can lead to a wide range of impacts, including data theft, ransomware deployment, establishment of persistent access, and further compromise of the victim's network. Because ClickOnce deployments often do not require administrative privileges, attackers can bypass some traditional security controls, enabling them to execute malicious code in the context of the logged-on user. The ease of deployment and potential for social engineering through deceptive prompts means a single click can compromise an endpoint, leading to significant financial loss, operational disruption, and reputational damage for affected organizations and individuals. The article does not specify victim counts or targeted sectors in this part.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003edfsvc.exe\u003c/code\u003e activity, as this service orchestrates ClickOnce application deployments.\u003c/li\u003e\n\u003cli\u003eImplement controls to restrict the download and execution of \u003ccode\u003e.application\u003c/code\u003e files from untrusted internet sources.\u003c/li\u003e\n\u003cli\u003eEnsure robust endpoint security solutions are in place to detect malicious payloads launched by ClickOnce applications.\u003c/li\u003e\n\u003cli\u003eEducate users to scrutinize ClickOnce deployment prompts, particularly regarding publisher identity, before confirming any installation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T18:52:18Z","date_published":"2026-07-07T18:52:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse/","summary":"Threat actors are increasingly abusing Microsoft's ClickOnce application deployment technology, which allows for simplified software installation without administrative privileges, to trick users into deploying malicious applications, leveraging its user-friendly mechanism to facilitate malware delivery and execution.","title":"New Abuse of the ClickOnce Technology: Part 1","url":"https://feed.craftedsignal.io/briefs/2026-07-clickonce-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed - Abuse","version":"https://jsonfeed.org/version/1.1"}