APT / THREAT GROUP

Ondritols

3 aliases
Last seen: Mar 17, 2026

Intelligence Profile

According to Symantec, this malware has been deployed against IT services companies in the U.S. and Europe. It is a multi-stage backdoor: the first stage is a downloader that authenticates to the Microsoft Graph API, fetches the second-stage payload from OneDrive and executes it. The main payload then downloads a publicly available file from GitHub, creates a OneDrive folder named deviceId_n_<ip address> for each infected machine, and uploads a file into that folder to signal the status of the new infection to the attackers.
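The behaviour above (Graph API token request, second-stage download from OneDrive, GitHub fetch, then a per-victim OneDrive folder named deviceId_n_<ip address>) gives a defender two things to look for in egress logs: the folder-name pattern itself, and the token -> download -> upload chain from a single process. The following is an added detection example written for this page; it is not code from Symantec, Malpedia or CTIWATCH. The log format, the process name updater.exe, the URL paths under the hostnames and the assumption that <ip address> is an IPv4 literal are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample egress proxy log (hypothetical format: ts host process method url).
# Process names and paths are placeholders, not indicators from the Symantec report.
SAMPLE_LOG = """\
2026-03-17T09:00:01Z WS-042 updater.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2026-03-17T09:00:02Z WS-042 updater.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/stage2.bin:/content
2026-03-17T09:00:09Z WS-042 updater.exe GET https://raw.githubusercontent.com/example/repo/main/file.txt
2026-03-17T09:00:10Z WS-042 updater.exe POST https://graph.microsoft.com/v1.0/me/drive/root/children
2026-03-17T09:00:11Z WS-042 updater.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/deviceId_n_10.0.4.17/status.txt:/content
2026-03-17T09:05:00Z WS-007 OneDrive.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children
"""

# Folder naming described in the profile; assumes the <ip address> part is IPv4.
FOLDER_RE = re.compile(r"deviceId_n_(\d{1,3}(?:\.\d{1,3}){3})")

# Stages of the chain, matched on (HTTP method, URL). Graph paths are assumed, not taken from the report.
STAGES = (
    ("token", "POST", re.compile(r"^https://login\.microsoftonline\.com/.*/oauth2/.*/token$")),
    ("stage2_download", "GET", re.compile(r"^https://graph\.microsoft\.com/v1\.0/me/drive/.*:/content$")),
    ("github_fetch", "GET", re.compile(r"^https://(raw\.githubusercontent|github)\.com/")),
    ("beacon_upload", "PUT", re.compile(r"^https://graph\.microsoft\.com/v1\.0/me/drive/")),
)

# Minimum set of stages that must come from one (host, process) before we raise the chain alert.
CHAIN_REQUIRED = {"token", "stage2_download", "beacon_upload"}


def parse(line):
    """Split one constructed log line into its five fields."""
    ts, host, proc, method, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "proc": proc, "method": method, "url": url}


def classify(event):
    """Return the chain stage an event belongs to, or None if it matches no stage."""
    for name, method, rx in STAGES:
        if event["method"] == method and rx.search(event["url"]):
            return name
    return None


def detect(log_text):
    """Return (host, rule, detail) findings for the folder-name IoC and the Graph API chain."""
    findings = []
    stages_seen = defaultdict(set)  # (host, process) -> set of stage names
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        # Rule 1: the per-victim folder name is a direct indicator wherever it appears in a URL.
        m = FOLDER_RE.search(ev["url"])
        if m:
            findings.append((ev["host"], "onedrive_folder_name", m.group(1)))
        # Rule 2: accumulate chain stages per process so a legitimate OneDrive client
        # that only lists or downloads files does not trip the alert on its own.
        stage = classify(ev)
        if stage:
            stages_seen[(ev["host"], ev["proc"])].add(stage)
    for (host, proc), stages in stages_seen.items():
        if CHAIN_REQUIRED <= stages:
            findings.append((host, "graph_api_chain", proc))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

In a real deployment the chain rule needs an allowlist of processes expected to talk to Graph (the OneDrive and Office clients) and a time window, otherwise any tenant that syncs files will produce noise; the folder-name rule is the higher-fidelity signal and is worth running on its own over proxy and OneDrive audit logs.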

Threat Analysis

Attribution for Ondritols is not established. The profile above describes a malware family (tracked by Malpedia as win.ondritols) rather than a named operator, and the national origin and motivation of whoever deploys it remain undetermined; the only reported targeting is IT services companies in the U.S. and Europe.

Quick Facts

Type: APT / Threat Group
Aliases: 3

Also Known As

Ondritols, Onedrivetools, win.ondritols

External Intelligence

Malpedia: win.ondritols

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Ondritols — APT / Threat Group | Threat Intelligence | CTIWATCH.COM