Severity
High
Analysis Summary
APT28, the Russian state-sponsored threat group linked to military intelligence, has been observed abusing Microsoft Outlook with a new backdoor named "NotDoor." The malware, uncovered by researchers, turns Outlook into a covert channel for command execution, data exfiltration, and delivery of further malware.
The name "NotDoor" originates from the use of the word "nothing" within its code. It is implemented as a VBA macro for Outlook that monitors incoming emails for specific trigger strings. When a trigger is detected, the macro lets the operators execute commands, steal data, and upload files directly through Outlook. Once the tasked action runs, the email that triggered it is deleted, leaving little trace in the mailbox.
APT28 deploys NotDoor through DLL sideloading of Microsoft's signed OneDrive.exe: a malicious SSPICLI.dll is placed where the signed binary will load it in place of the legitimate library. The sideloaded DLL acts as a loader that executes Base64-encoded PowerShell commands, which deliver the VBA project and perform tasks such as DNS queries through DNSHook, a service provided by Webhook.site that has previously been linked to APT28 operations. To reduce detection, the loader enables macro execution silently and disables alert dialogues, and the VBA code is obfuscated by replacing function names with random strings.
The backdoor supports multiple trigger strings, giving the operators flexibility in how it is activated. Beyond persistence, it lets APT28 use Outlook email as the command-and-control (C2) channel: tasking arrives as mail, results and exfiltrated attachments leave the same way, and additional malicious files can be delivered to the host without any separate C2 protocol.
Researchers emphasized that NotDoor demonstrates APT28's ongoing innovation and adaptability in evading defenses, reinforcing the group's reputation for developing advanced cyber espionage tooling. While details on how researchers first detected the malware remain unclear, the discovery highlights the growing risk of email-based exploitation and Outlook abuse by state-backed threat actors.
Impact
- Data Exfiltration
- Sensitive Data Theft
- Command Execution
Indicators of Compromise
MD5
15e9255a3e3401e5f6578d2ac45b7850
f8d9b7c864fb7558e8bad4cfb5c8e6ff
SHA-256
5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705
8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901
SHA-1
3b80a13199564e3d8a9d26e14defabee136638f8
a45ab1a9dec488278ee9682735d42d61dfc38b9e
Remediation
- Block all identified threat indicators across security controls to prevent reuse of the malware infrastructure.
- Hunt for indicators of compromise in email, endpoint, and network logs to identify potential infections.
- Restrict or disable VBA macros in Outlook to minimize abuse of scripting capabilities.
- Enable strict DLL loading policies to mitigate DLL sideloading attempts.
- Keep Microsoft Office, Outlook, and Windows components fully patched. Note that the chain described here abuses legitimate functionality (Outlook VBA and DLL search-order loading by a signed binary) rather than a disclosed vulnerability, so patching alone does not close it.
- Deploy and maintain endpoint detection and response (EDR) solutions to identify malicious PowerShell execution.
- Implement DNS monitoring to detect suspicious queries and abuse of services like Webhook.site.
- Educate users to recognize and report suspicious or unexpected emails, including short messages with unusual subject lines or wording that serve no apparent business purpose.
- Enforce least privilege access to limit attackers’ ability to execute commands or exfiltrate data.
- Continuously update antivirus and anti-malware signatures to detect evolving backdoor variants.
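The hash list in the Indicators of Compromise section and the hunting step in the remediation list call for the same tool: something that walks a file system, hashes each file with MD5, SHA-1 and SHA-256, and compares against the indicators, while also flagging the on-disk artifact of the sideload (a copy of SSPICLI.dll outside the system directories). The following is an added example, not the advisory's or the researchers' tooling. The directory tree built by demo() is constructed placeholder content in a temporary folder, not the real samples; to exercise the hash-match path without malware, demo() adds the SHA-256 of one constructed file to a copy of the IOC set.

```python
"""Hunt for the hashes in the IOC list above and for the SSPICLI.dll sideload
on disk. Added example, not the advisory's tooling. The directory tree built
in demo() is constructed placeholder content, not the real samples."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Hashes copied from the advisory's IOC section.
NOTDOOR_IOCS: Dict[str, Set[str]] = {
    "md5": {
        "15e9255a3e3401e5f6578d2ac45b7850",
        "f8d9b7c864fb7558e8bad4cfb5c8e6ff",
    },
    "sha1": {
        "3b80a13199564e3d8a9d26e14defabee136638f8",
        "a45ab1a9dec488278ee9682735d42d61dfc38b9e",
    },
    "sha256": {
        "5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705",
        "8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901",
    },
}
SIDELOAD_DLL = "sspicli.dll"   # a copy outside System32/SysWOW64 is the sideload tell

Hit = Tuple[str, str, str]     # (relative path, indicator type, value)


def _digest(chunks: Iterable[bytes]) -> Dict[str, str]:
    """One pass over the data feeds all three hashers used in the IOC list."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return _digest([data])


def file_hashes(path: Path) -> Dict[str, str]:
    with path.open("rb") as fh:
        return _digest(iter(lambda: fh.read(1 << 20), b""))


def normalize(iocs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """IOC feeds mix case and whitespace; compare on lowercase hex only."""
    return {algo: {v.strip().lower() for v in vals} for algo, vals in iocs.items()}


def in_system_dir(parts: Tuple[str, ...]) -> bool:
    low = [p.lower() for p in parts]
    return "windows" in low and ("system32" in low or "syswow64" in low)


def hunt(root: Path, iocs: Dict[str, Set[str]] = NOTDOOR_IOCS) -> List[Hit]:
    """Walk root, reporting hash matches and misplaced SSPICLI.dll copies."""
    iocs = normalize(iocs)
    hits: List[Hit] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if path.name.lower() == SIDELOAD_DLL and not in_system_dir(rel.parts):
            hits.append((str(rel), "filename", f"{SIDELOAD_DLL} outside a system directory"))
        for algo, value in file_hashes(path).items():
            if value in iocs[algo]:
                hits.append((str(rel), algo, value))
    return hits


def demo() -> List[Hit]:
    """Constructed tree: user-profile OneDrive folder with a sideloaded DLL,
    the legitimate System32 copy, and one file whose SHA-256 is added to a
    copy of the IOC set so the hash path is exercised without real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        onedrive = root / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "OneDrive"
        onedrive.mkdir(parents=True)
        (onedrive / "OneDrive.exe").write_bytes(b"MZ placeholder, not the signed binary")
        (onedrive / "SSPICLI.dll").write_bytes(b"MZ placeholder, sideloaded DLL")
        system32 = root / "Windows" / "System32"
        system32.mkdir(parents=True)
        (system32 / "SSPICLI.dll").write_bytes(b"MZ placeholder, legitimate DLL")
        planted = root / "Users" / "alice" / "Downloads" / "report.zip"
        planted.parent.mkdir(parents=True)
        planted.write_bytes(b"constructed content standing in for a NotDoor sample")
        iocs = {algo: set(vals) for algo, vals in NOTDOOR_IOCS.items()}
        iocs["sha256"].add(file_hashes(planted)["sha256"].upper())  # mixed case on purpose
        return hunt(root, iocs)


if __name__ == "__main__":
    for rel, kind, value in demo():
        print(f"{kind:9} {rel}  {value}")
```

Hashing all three algorithms in a single read keeps the hunt to one pass over large profile directories, and normalizing the indicator set guards against the uppercase or padded hashes that threat feeds often carry. The legitimate SSPICLI.dll under System32 is deliberately left alone; only copies sitting next to a user-writable OneDrive.exe are reported.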