APT / THREAT GROUP
Ondritols
3 aliases
Last seen: Mar 17, 2026
Intelligence Profile
According to Symantec, this malware has been deployed against IT services companies in the U.S. and Europe. It is a multi-stage backdoor: the first stage is a downloader that authenticates to the Microsoft Graph API, downloads the second-stage payload from OneDrive and executes it. The main payload downloads a publicly available file from GitHub, then creates a folder in OneDrive named deviceId_n_<ip address> for each infected machine and uploads a file to OneDrive to signal the status of the new infection to the attackers.
Threat Analysis
Ondritols is a threat actor of undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.
External References
Quick Facts
Type: APT / Threat Group
Aliases: 3
Also Known As
Ondritols, Onedrivetools, win.ondritols
External Intelligence
Malpedia: win.ondritols
Research Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.