
Redazione RHC: 5 November 2025 12:26
Attackers are using an advanced technique involving sideloading DLLs via the Microsoft OneDrive application. This allows them to execute malicious code undetected by security mechanisms.
The attack uses a modified DLL library as a tool to hijack legitimate Windows processes and ensure persistence on infected systems. This method is particularly effective because it avoids the persistent code changes that signature-based detection systems typically identify.
According to the Kas-sec security advisory, the attackers placed a spoofed version.dll file in the same directory as OneDrive.exe, exploiting the application’s dependency search order.
The technique specifically targets version.dll because many Windows applications, including OneDrive, rely on this library to retrieve file version information. When OneDrive.exe is launched, it loads the malicious DLL from its local directory before searching system directories.
By strategically placing the malicious DLL, attackers are able to execute code within the trusted context of a digitally signed Microsoft application, effectively bypassing security controls designed to monitor for anomalous processes. To maintain stealth and prevent abnormal application terminations, attackers use DLL proxying methods.
The malicious version of the DLL exports the same functions as the legitimate library, forwarding legitimate function calls to the original copy in the Windows System32 directory while performing its own operations in the background.
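The sideloading pattern described above (a version.dll sitting next to OneDrive.exe instead of in System32) is visible in image-load telemetry. The following detection logic is an added example written for this article, not code from the advisory; it runs over constructed records modelled on Sysmon Event ID 7 (ImageLoad) fields and flags a search-order-hijack candidate when the named library is loaded from outside the system directories, is unsigned, or is co-located with the host executable.

```python
"""Flag image-load events where a hijackable system DLL (version.dll in the
advisory) is loaded from an application directory rather than System32."""
from pathlib import PureWindowsPath

# Libraries resolved through the loader search order and therefore hijackable
# when a copy is dropped next to the executable. Extend as needed.
SIDELOAD_CANDIDATES = {"version.dll"}

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Constructed sample records (not real telemetry) using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def is_sideload_candidate(event):
    """True when a watched DLL name is loaded from a non-system directory."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in SIDELOAD_CANDIDATES:
        return False
    # A load from System32/SysWOW64 is the expected, benign resolution.
    return str(loaded.parent).lower() not in SYSTEM_DIRS


def suspicious_loads(events):
    """Return one finding per suspicious load, with the reasons it was flagged."""
    findings = []
    for ev in events:
        if not is_sideload_candidate(ev):
            continue
        reasons = ["loaded outside system directory"]
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned module")
        # Same directory as the host process: the exact search-order case in the advisory.
        if PureWindowsPath(ev["ImageLoaded"]).parent == PureWindowsPath(ev["Image"]).parent:
            reasons.append("co-located with host executable")
        findings.append({"process": ev["Image"], "module": ev["ImageLoaded"],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_loads(SAMPLE_EVENTS):
        print(f["process"], "->", f["module"], ";", ", ".join(f["reasons"]))
```

In production the same check would be applied to a real Sysmon or EDR image-load feed; a signed-but-mislocated copy should still be reviewed, since the check on the directory fires independently of the signature check.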
This dual functionality ensures that OneDrive.exe continues to function normally, reducing the likelihood of detection by users or security software. The attack uses an advanced hooking technique that leverages exception handling and the PAGE_GUARD memory protection flag.
Instead of traditional inline hooking methods that are easily detected by security tools, this approach intentionally triggers memory exceptions to intercept API calls. When OneDrive.exe attempts to call specific functions like CreateWindowExW, the malicious code captures the execution flow via exception handlers and redirects it to attacker-controlled functions.
The hook re-arms itself after each interception using single-step exceptions, maintaining continuous control over the targeted API functions.