Keypoints
- Team AXON identified an active campaign named “VEILDrive” that targets organizations using Microsoft SaaS services.
- The attacker used Microsoft Teams for spear-phishing and Quick Assist for interactive remote access to victim machines.
- Malicious files were hosted on SharePoint and the main implant is a Java .jar (Cliento.jar / “ODC2”) that includes OneDrive-based C2 functionality.
- The malware contains hard-coded Entra ID credentials to authenticate and access attacker-controlled OneDrive locations for command exchange.
- Persistence was achieved via scheduled tasks and a Run registry key; an Azure VM served as an HTTPS socket C2 fallback.
- The Java implant executed PowerShell commands (via jPowerShell) and performed enumeration, file transfer, and remote command execution.
- Team AXON reported the findings to Microsoft and reached out to impacted organizations to help contain the campaign.
MITRE Techniques
- [T1071] Initial Access – Used Microsoft Teams spear-phishing to lure victims into interacting with the attacker and granting access. [‘Spear-phishing via Microsoft Teams to lure victims.’]
- [T1059] Execution – The Java-based implant runs PowerShell commands to perform actions on the host. [‘Execution of Java-based malware using PowerShell commands.’]
- [T1053] Persistence – The actor created scheduled tasks to ensure repeated execution of downloaded tools. [‘Creation of scheduled tasks for malware persistence.’]
- [T1071] Command and Control – The malware uses OneDrive/Graph API as a novel C2 channel to send and receive commands/files. [‘Utilizes OneDrive for command and control communications.’]
- [T1041] Exfiltration – SharePoint was used to host and distribute malicious payloads and could facilitate data transfer. [‘Use of SharePoint to host and share malicious files.’]
Indicators of Compromise
- [Entra ID tenants] Attacker-owned tenants – C5f077f6-5f7e-41a3-8354-8e31d50ee4d, 893e5862-3e08-434b-9067-3289bec85f7d
- [Azure AD app/client IDs] Malicious app registrations – B686e964-b479-4ff5-bef6-e360321a9b65, 2c73cab1-a8ee-4073-96fd-38245d976882
- [Domains] OneDrive/tenant domains used for C2/hosting – SafeShift390[.]onmicrosoft[.]com, GreenGuard036[.]onmicrosoft[.]com
- [File hashes] Malware and RMM tool SHA256 – a515634efa79685970e0930332233aee74ec95aed94271e674445712549dd254 (ROMServer.exe), 7f61ff9dc6bea9dee11edfbc641550015270b2e8230b6196e3e9e354ff39da0e (ROMFUSClient.exe), and 3 more hashes
- [File names] Key binaries observed – Cliento.jar (Java implant / “ODC2”), ROMServer.exe (LiteManager RMM)
- [IP addresses] C2 / hosting infrastructure – 40.90.196[.]221, 40.90.196[.]228, 38.180.136[.]85, and 1 more IP (213.87.86[.]192)
Hunters’ Team AXON traced VEILDrive back to social-engineered access through Microsoft Teams and rapid escalation to interactive control using Quick Assist. The actor then used SharePoint links to deliver zipped tools—including an RMM (ROMServer.exe/LiteManager) and the main Java implant (Cliento.jar, dubbed “ODC2”)—which was launched with a bundled JDK.
The Cliento.jar implant is notable for two parallel C2 channels: a classic HTTPS socket to an Azure VM and a novel OneDrive/Graph-based channel. The Java code contains hard-coded Entra ID refresh tokens and client credentials that the malware uses to access attacker-owned OneDrive storage, where it reads/writes UUID-named files (UUID, cf_UUID, rf_UUID) to receive commands and return results. Command execution is performed via a jPowerShell wrapper, and the implant supports file transfer, screenshots, and remote command execution.
Despite the malware’s lack of obfuscation, it bypassed detection by a leading EDR and all VirusTotal engines in the reported case, highlighting gaps in telemetry and detection of cloud-abusing C2 techniques. Team AXON shared the IOCs and hunting queries with Microsoft and affected parties and recommends tight controls on external Teams access, whitelisting remote-admin tools, and proactive hunting for javaw→PowerShell spawns and unusual SharePoint/OneDrive activity.
Read more: https://www.hunters.security/en/blog/veildrive-microsoft-services-malware-c2#title5