logo

New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever

ID: ef395941-af72-5b23-afb6-8001f5535003

STIX ID: report--ef395941-af72-5b23-afb6-8001f5535003

Feed Name: Crowdstrike Blog

Threat Score
70/100

Date Published: 2026-06-18

Date Updated: 2026-06-19

Author: Mathilde Venault

...
...

This blog analyzes security risks in Microsoft ClickOnce deployments, detailing how attackers can abuse .application/.appref-ms files, exploit update mechanisms for stealthy payload delivery and persistence, trojanize signed dependencies to evade checks, and discloses a newly identified COM hijacking attack surface; it also outlines detection strategies and mentions CrowdStrike Falcon detection capabilities.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.