Mallory

Malware. Used by 1 actor.

OneDriveDoor

OneDriveDoor is a backdoor used by the China-linked APT31 espionage group. Public reporting describes it as using Microsoft OneDrive for command-and-control (C2) communication, which lets the actor blend malicious traffic with legitimate cloud-service usage and complicates detection. Reporting places its use within a broader APT31 campaign targeting Russia's IT sector, especially contractors and integrators supporting government agencies, with activity observed from at least late 2022 and intensifying in 2024–2025. The wider intrusion set involved targeted phishing, archive-based lures, DLL sideloading, credential theft, local file discovery, and collection of sensitive data from sources such as browsers and Windows Sticky Notes. The malware is associated with APT31, also tracked as Judgment Panda, TA412, and Violet Typhoon. The reporting summarised here does not include specific OneDriveDoor persistence mechanisms, file paths, or standalone indicators of compromise beyond its use of Microsoft OneDrive for C2.

Threat actors

Groups observed using it: 1 distinct threat actor attributed by public researchers.
ZIRCONIUM

Source: "OneDriveDoor, a backdoor that uses Microsoft OneDrive as C2", via The Hacker News (thehackernews.com).