Do any of the major info stealers create anonymous onedrive share links?

Out of curiosity, has anyone observed this behavior with any of the current crop of info stealers? I have a hypothesis that some of them may be creating these links (perhaps via a powershell API) and then sending them back to the C2 server. This would create some sort of persistent access to data even after a password change. I've scanned all the deepdive whitepapers and haven't seen any references to this.

access anonymous api back change curiosity current data info info stealers links major malware may onedrive password persistent powershell server share sort stealers whitepapers