Microsoft’s ClickOnce .NET deployment framework is being weaponized as a full attack chain: phishing lures deliver .application or .appref-ms files that execute under the trusted dfsvc.exe process, establish persistence via ClickOnce’s native auto-update mechanism, and rotate C2 infrastructure without reinfecting the host. No CVE has been assigned because this is feature abuse rather than a software vulnerability; no patch is available, and mitigation is entirely configuration and detection-based. Any Windows environment where users receive email is potentially exposed.