CrowdStrike researchers published a two-part analysis documenting how Microsoft’s ClickOnce deployment framework — trusted by Windows as a signed, low-privilege software delivery mechanism — is being weaponized as an initial access and persistence platform. Two distinct but overlapping intelligence items this week both address ClickOnce abuse, signaling that this technique is maturing into a repeatable attacker playbook. No CVE is assigned; the risk stems from the architectural design of ClickOnce itself rather than a patchable flaw.