A new espionage tool dubbed NotDoor, attributed to the Russian state-backed APT28 (Fancy Bear), has been identified targeting companies across various NATO countries. Unlike traditional backdoors, NotDoor is embedded within Microsoft Outlook using VBA macros, allowing it to monitor incoming emails for specific trigger phrases. When activated, it enables the attackers to upload, download, and execute commands, making Outlook a covert communication channel.
The infection chain begins with a DLL side-loading technique via OneDrive’s onedrive.exe, which executes a malicious DLL (SSPICLI.dll). This disables macro security protections and installs NotDoor, which uses Base64-encoded PowerShell scripts to establish persistence, evade detection, and communicate with a remote attacker-controlled site.
The encoded PowerShell command. Source: lab52.io.
Once active, NotDoor listens for emails containing a trigger word such as “Daily Report.” Upon detection, it extracts embedded commands and exfiltrates or delivers files via email, using a custom encryption scheme to hide stolen data. It stages temporary files in a hidden %TEMP%\Temp directory, sends them to a Proton Mail address, then deletes them to cover its tracks.
The backdoor supports four commands:
cmd: Execute commands and return output via emailcmdno: Execute commands silentlydwn: Exfiltrate files as email attachmentsupl: Drop files on the victim’s machine
This campaign reflects a broader trend in abusing legitimate tools and cloud services for stealth. The report also draws attention to related activity by other groups, including Gamaredon (APT-C-53) using Telegram’s Telegraph as a dead-drop resolver, and the exploitation of Microsoft Dev Tunnels to rotate command-and-control (C2) infrastructure. This strategy offers attackers near-zero exposure and IP masking via Microsoft’s trusted infrastructure.
Additionally, the campaign includes the use of fake Cloudflare Workers domains to deliver malware like PteroLNK, capable of USB propagation and multi-layered evasion techniques, from registry obfuscation to cloud-based payload delivery.
APT28’s NotDoor operation demonstrates a new level of stealth, leveraging Microsoft Outlook as a low-noise, high-control malware interface. Defenders should closely monitor macro behavior in Office applications and scrutinize anomalous email activity—especially in business-critical apps like Outlook—to detect embedded persistence mechanisms before they evolve into full-scale breaches.
