Threat Feed

Tag

Clickonce

4 briefs

medium advisory

Abuse of Microsoft ClickOnce Technology for Malware Deployment

Threat actors are leveraging Microsoft's ClickOnce technology, which was designed for simplified application deployment, as an attractive vector to spread malware: it allows easy distribution, requires minimal user interaction, and installs without elevated privileges on Windows systems.

ClickOnce deployment windows malware-distribution application-deployment
3r 3t

high advisory

Threat Actors Weaponize ClickOnce Technology for Initial Access, Execution, and Persistence

Threat actors are actively abusing Microsoft's ClickOnce technology, specifically targeting the `.application` and `.appref-ms` file types, to achieve stealthy initial access, execute malicious payloads within legitimate Microsoft processes like rundll32.exe and dfsvc.exe, and establish persistence through its built-in update mechanism, effectively bypassing traditional endpoint security controls.

ClickOnce windows persistence defense-evasion initial-access execution
3r 4t

high advisory

Threat Actors Abuse Microsoft ClickOnce Technology for Malware Distribution

Threat actors are actively leveraging Microsoft's ClickOnce technology, a legitimate application deployment mechanism, to distribute and execute malware by exploiting its user-friendly deployment process that bypasses administrative privilege requirements.

ClickOnce technology clickonce malware distribution windows deployment endpoint
3r 3t

medium advisory

Potential Abuse of Microsoft ClickOnce Technology for Malware Delivery

Threat actors can abuse Microsoft's ClickOnce technology, which allows for simplified application distribution and installation with minimal user interaction and no administrative privileges, to easily spread malware and bypass traditional security controls through a 'click once' deployment.

ClickOnce technology clickonce windows application-deployment abuse-t1204.002
3r 3t