Kroll has identified a new espionage campaign attributed to Russia's APT28 (Fancy Bear), involving a custom Outlook macro backdoor called GONEPOSTAL. The malware leverages DLL side-loading and Microsoft Outlook's VBA macro engine to create a covert email-based command-and-control (C2) channel.
Kroll attributes the campaign to KTA007, more commonly known as Fancy Bear, APT28, or Pawn Storm. As the report highlights, "KTA007, also known as Fancy Bear, APT28, and Pawn Storm, is a state sponsored political and economic espionage group associated with the Russian Military's Main Intelligence Directorate (GRU) Unit 26165." The group has a long track record, including the 2016 DNC breach, intrusions against the IOC, and attacks on the Norwegian Parliament.
The intrusion began with two DLLs provided for analysis: SSPICLI.dll and tmp7EC9.dll. The malicious SSPICLI.dll pretends to be Microsoft's legitimate DLL of the same name. "The malicious DLL uses its export table to forward all 105 exported library functions of the legitimate DLL to the renamed DLL supplied alongside, allowing any application using the malicious DLL to appear to work normally." Behind the scenes, the attacker's code executes hidden PowerShell commands, enabling further compromise.
The malicious DLL's DllMain function launches encoded PowerShell commands, one of which copies a staged file (testtemp.ini) into the Outlook profile directory as VbaProject.OTM, a crucial step for backdoor activation. Other commands exfiltrate the victim's username and IP address via DNS and HTTP queries to attacker-controlled infrastructure.
The malware then modifies Windows Registry keys to force Outlook to load malicious macros at startup. For example:
- LoadMacroProviderOnBoot = 1 enables macro loading.
- Level = 1 sets Outlook to "enable all macros."
- PONT_STRING = “32,” suppresses dialog warnings that would normally alert users to suspicious content.
Once Outlook launches, the malicious VbaProject.OTM file executes. As Kroll explains, "GONEPOSTAL is loaded into Microsoft Outlook via enabling of the registry setting 'LoadMacroProviderOnBoot,' which enables the automatic loading of VBA from the VbaProject.OTM file. This results in a backdoor utilizing the email service itself as a C2 channel."
The backdoor lifecycle includes:
- Startup: Runs on Outlook's MAPI login event.
- Email Monitoring: Listens for incoming emails via Application_NewMailEx().
- Command Parsing: Identifies special C2 emails with encoded instructions.
- Execution: Runs commands, steals files, and exfiltrates data chunked into email attachments.
- Cleanup: Deletes processed C2 emails from both inbox and deleted folders.
This method allows attackers to "live off the land" by abusing legitimate email traffic, making detection especially challenging.
The malware is designed for espionage, not disruption. Commands include remote file operations, PowerShell execution, and covert file transfers. Data exfiltration uses encoded attachments sent as legitimate-looking emails, blending seamlessly into enterprise mail flows.
Kroll notes, "The campaign is a good example of living-off-the-land, using common business tools and methods of communication for command and control. Interception of email communications and a platform for tool ingress over legitimate means enables a stealthy manner of access which could be difficult to detect."
APT28 continues to innovate, repurposing Microsoft Outlook itself as a covert backdoor for espionage. With GONEPOSTAL, the group demonstrates a rare but powerful abuse of email platforms for C2, reinforcing its reputation as one of the world's most capable state-sponsored cyber actors.
Organizations should monitor for unusual Outlook macro activity, suspicious registry edits, and abnormal email behaviors to detect such campaigns early.
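The following PowerShell audit is an added example for defenders, not code from Kroll's report: it checks the three Outlook registry values described above and looks for a VbaProject.OTM file in the current user's profile. It assumes Office version 16.0 and the standard per-user Outlook registry locations; those paths are assumptions, since the report quotes only the value names.

```powershell
# Added example (not from Kroll's report): audit the per-user Outlook settings
# GONEPOSTAL is reported to set, plus the VbaProject.OTM macro file.
# Assumptions: Office 16.0; the key paths below are the standard per-user
# Outlook locations and are not values quoted from the report.
$officeVersion = '16.0'
$outlookKey  = "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook"
$securityKey = "$outlookKey\Security"
$generalKey  = "$outlookKey\Options\General"

function Get-RegValueOrNull {
    # Return a registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. LoadMacroProviderOnBoot = 1: VBA is loaded automatically at Outlook start.
$loadOnBoot = Get-RegValueOrNull -Path $outlookKey -Name 'LoadMacroProviderOnBoot'
if ($loadOnBoot -eq 1) {
    $findings += "LoadMacroProviderOnBoot=1 under $outlookKey (auto-load of VBA at startup)"
}

# 2. Level = 1: Outlook macro security set to "enable all macros".
$level = Get-RegValueOrNull -Path $securityKey -Name 'Level'
if ($level -eq 1) {
    $findings += "Level=1 under $securityKey ('enable all macros')"
}

# 3. PONT_STRING containing 32: the macro warning prompt is suppressed.
$pont = Get-RegValueOrNull -Path $generalKey -Name 'PONT_STRING'
if ($pont -and (($pont -split ',') | Where-Object { $_.Trim() -eq '32' })) {
    $findings += "PONT_STRING contains 32 under $generalKey (warning dialog suppressed)"
}

# 4. VbaProject.OTM present: Outlook's per-user VBA project file exists.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path -LiteralPath $otm) {
    $info = Get-Item -LiteralPath $otm
    $findings += "VbaProject.OTM present: $otm ($($info.Length) bytes, modified $($info.LastWriteTime))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No GONEPOSTAL-style Outlook macro indicators found for this user.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A VbaProject.OTM file on its own is not malicious (users who write their own Outlook macros have one), so the combination with the registry changes, or an .OTM whose timestamp does not match any known user activity, is the signal worth escalating.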