Tag
Threat actors are actively exploiting Microsoft's ClickOnce technology to facilitate malware delivery, achieve persistence, and evade traditional defenses by leveraging its user-friendly deployment, general lack of awareness, and ability to install applications without elevated privileges, often pushing malicious updates via .appref-ms files that execute within legitimate Microsoft process trees such as rundll32.exe and dfsvc.exe.