EXECUTIVE SUMMARY
Security researchers and incident responders are observing active abuse of Microsoft OneDrive binaries (e.g., OneDrive.exe / OneDriveUpdater.exe) to perform DLL side-loading: attackers place a malicious DLL beside a trusted OneDrive binary (or otherwise influence the DLL search path) so Windows loads the attacker’s DLL and executes malicious code in the context of a signed/legitimate process. This technique enables stealthy code execution, persistence, and defense evasion and has been observed in cryptojacking and broader intrusion activity.
- Vulnerability: DLL side-loading (DLL search-order hijacking) via trusted OneDrive binaries
- Affected Sector: All sectors using Microsoft OneDrive in Windows environments
- Affected Product: Microsoft OneDrive / OneDriveUpdater
- Severity: High
- Published Date: Nov 05, 2025
TECHNICAL DETAILS
- Placement: The attacker obtains write access to a folder that the OneDrive binary searches at load time (for example, user profile folders, mounted drives, or the same directory as the executable) and drops a malicious DLL whose name matches an import the binary legitimately resolves.
- Trigger / execution: When OneDrive.exe / OneDriveUpdater.exe starts, or when the updater runs, the Windows loader resolves imports and loads the malicious DLL instead of the expected system DLL. The malicious DLL then runs inside the OneDrive process.
- Post-execution activity: The DLL may spawn child processes, drop additional payloads, contact C2 infrastructure, install persistence artifacts, harvest credentials, …
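Added example (not part of this advisory): detection logic over Sysmon Event ID 7 (ImageLoad) records that flags DLLs loaded by OneDrive.exe / OneDriveUpdater.exe which are unsigned, not Microsoft-signed, or resolved from outside the Windows system directories and the OneDrive install directory. The field names are Sysmon's; the trusted-directory list and the sample events are constructed assumptions.

```python
"""Flag suspicious DLL loads into OneDrive processes from Sysmon ImageLoad events."""
from pathlib import PureWindowsPath
from typing import Optional

# Process names the advisory describes as side-loading targets.
ONEDRIVE_BINARIES = {"onedrive.exe", "onedriveupdater.exe"}

# Assumed trusted locations for system DLL imports (adjust per environment).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def _under(path: str, root: str) -> bool:
    """True if `path` is `root` or lies below it (case-insensitive Windows paths)."""
    p, r = PureWindowsPath(path.lower()), PureWindowsPath(root.lower())
    return p == r or r in p.parents


def classify_image_load(event: dict) -> Optional[str]:
    """Return a reason if this ImageLoad looks like side-loading, else None."""
    image = event["Image"]
    if PureWindowsPath(image).name.lower() not in ONEDRIVE_BINARIES:
        return None  # not a OneDrive process; out of scope for this rule
    loaded = event["ImageLoaded"]
    signed_ok = event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
    if not signed_ok:
        return f"{image} loaded unsigned/invalid DLL {loaded}"
    # OneDrive's own DLLs beside the EXE are Microsoft-signed; a foreign signer
    # in that directory or anywhere else is treated as suspicious.
    if not event.get("Signature", "").startswith("Microsoft"):
        return f"{image} loaded non-Microsoft-signed DLL {loaded}"
    exe_dir = str(PureWindowsPath(image).parent)
    if any(_under(loaded, d) for d in TRUSTED_DIRS) or _under(loaded, exe_dir):
        return None
    return f"{image} loaded {loaded} from non-standard directory"


def find_sideloads(events: list) -> list:
    """Apply classify_image_load to each event and collect the findings."""
    return [r for r in (classify_image_load(e) for e in events) if r]


# Constructed sample events in Sysmon Event ID 7 field layout.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveUpdater.exe",
     "ImageLoaded": r"D:\share\secur32.dll", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Example Vendor Ltd"},
]
```

Run `find_sideloads(SAMPLE_EVENTS)` to get one finding per suspicious load; in production feed it the parsed Sysmon event stream rather than the constructed list.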