Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries - The Hacker News

Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries Ravie LakshmananSep 04, 2025Cybersecurity / Malware The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor "is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word," S2 Grupo's LAB52 threat intelligence team said. "When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer." The artifact gets its name from the use of the word "Nothing" within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel. The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it's deployed via Microsoft's OneDrive executable ("onedrive.exe") using a technique referred to as DLL side-loading. This leads to the execution of a malicious DLL ("SSPICLI.dll"), which then installs the VBA backdoor and disables macro security protections. Specifically, it runs Base64-encoded PowerShell commands to perform a series of actions that involve beaconing to an attacker-controlled webhook[.]site, setting up persistence through Registry modifications, enabling macro execution, and turning off Outlook-related dialogue messages to evade detection. NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives. It then proceeds to create a folder at the path %TEMP%\Temp if it does not exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address. It also parses incoming messages for a trigger string, such as "Daily Report," causing it to extract the embedded commands to be executed. The malware supports four different commands - cmd, to execute commands and return the standard output as an email attachment cmdno, to execute commands dwn, to exfiltrate files from the victim’s computer by sending them as email attachments upl, to drop files to the victim's computer "Files exfiltrated by the malware are saved in the folder," LAB52 said. "The file contents are encoded using the malware’s custom encryption, sent via email, and then deleted from the system." The disclosure comes as Beijing-based 360 Threat Intelligence Center detailed Gamaredon's (aka APT-C-53) evolving tradecraft, highlighting its use of Telegram-owned Telegraph as a dead-drop resolver to point to command-and-control (C2) infrastructure. The attacks are also notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that allows developers to securely expose local web services to the internet for testing and debugging purposes, as C2 domains for added stealth. "This technique provides twofold advantages: first, the original C2 server IP is completely masked by Microsoft's relay nodes, blocking threat intelligence tracebacks based on IP reputation," the cybersecurity company said. "Second, by exploiting the service's ability to reset domain names on a minute-by-minute basis, the attackers can rapidly rotate infrastructure nodes, leveraging the trusted credentials and traffic scale of mainstream cloud services to maintain a nearly zero-exposure continuous threat operation." Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional payloads. "This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration," 360 Threat Intelligence Center said. Update Kroll, in a separate analysis published on September 5, 2025, said it observed the NotDoor malware in a cyber espionage campaign targeting an unnamed entity. The risk advisory firm's threat intelligence team is tracking the cluster under the name KTA007 and the malware as GONEPOSTAL. "The campaign is a good example of living-off-the-land, using common business tools and methods of communication for command and control," researchers Marc Messer and Dave Truman said. "Interception of email communications and a platform for tool ingress over legitimate means enables a stealthy manner of access which could be difficult to detect." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  APT28, cybersecurity, Malware, Microsoft Outlook, NATO, OneDrive, powershell, VBA Macros Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Load More ▼ Popular Resources [Demo] Discover SaaS Risks and Monitor Every App in Your Environment SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats [Guide] Learn How to Govern AI Agents With Proven Market Guidance Detect AI-Driven Threats Faster With Full Network Visibility