CrowdStrike has published a two-part research series documenting how Microsoft’s ClickOnce deployment framework, a built-in Windows and .NET technology, can be weaponized as a malware delivery and persistence channel without requiring administrator privileges or a discrete software vulnerability. No CVE is assigned and no Microsoft patch is available; mitigations are entirely detection- and configuration-based. Any Windows enterprise environment that has not audited ClickOnce usage or blocked .application and .appref-ms file delivery at email and web proxy gateways is exposed.
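An added example, not taken from CrowdStrike's research or from this page: one way to triage web proxy and email gateway records for the two file types named above. The record fields (id, url, attachment, content_type), the hostnames and the sample records are constructed assumptions, and the check on the application/x-ms-application content type goes beyond the extension match the text describes.

```python
from urllib.parse import urlsplit, unquote

BLOCKED_EXTS = (".application", ".appref-ms")   # extensions named in the text
CLICKONCE_MIME = "application/x-ms-application"  # deployment-manifest MIME type

def _ext_hit(name):
    """Return the blocked extension a file name ends with, else None."""
    # Decode %2E-style escapes; Windows drops trailing dots and spaces,
    # so "x.appref-ms. " still opens as .appref-ms.
    cleaned = unquote(name).rstrip(". ").lower()
    return next((e for e in BLOCKED_EXTS if cleaned.endswith(e)), None)

def classify(record):
    """Return the reasons a gateway record should be blocked or reviewed."""
    reasons = []
    if record.get("url"):
        # urlsplit().path excludes ?query and #fragment.
        leaf = urlsplit(record["url"]).path.rsplit("/", 1)[-1]
        if (ext := _ext_hit(leaf)):
            reasons.append(f"url path ends in {ext}")
    if record.get("attachment"):
        if (ext := _ext_hit(record["attachment"])):
            reasons.append(f"attachment ends in {ext}")
    ctype = (record.get("content_type") or "").split(";", 1)[0].strip().lower()
    if ctype == CLICKONCE_MIME:
        reasons.append("content-type is a ClickOnce deployment manifest")
    return reasons

def flagged(records):
    """Map record id -> reasons, for records with at least one reason."""
    return {r["id"]: why for r in records if (why := classify(r))}

# Constructed sample records (hypothetical field names and hosts).
SAMPLE = [
    {"id": 1, "url": "https://dl.example.test/t/Setup.APPLICATION?v=3",
     "content_type": "application/x-ms-application"},
    {"id": 2, "url": "https://intranet.example.test/application-guide.pdf",
     "content_type": "application/pdf"},
    {"id": 3, "attachment": "Invoice.appref-ms. "},
    {"id": 4, "url": "https://cdn.example.test/get?id=77",
     "content_type": "Application/X-MS-Application; charset=utf-8"},
    {"id": 5, "url": "https://files.example.test/a/report%2Eapplication"},
]

if __name__ == "__main__":
    for rec_id, why in flagged(SAMPLE).items():
        print(rec_id, "; ".join(why))
```

Record 2 is the negative control: the word "application" in a file name is not a match, only the extension or the manifest content type is.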