

Ethical Hacking News

Russian APT28 Deploys NotDoor Outlook Backdoor to Exfiltrate Data from NATO Companies



Russian APT28 has been linked to a new Microsoft Outlook backdoor called NotDoor, which is being used to exfiltrate sensitive data from companies in NATO member countries. The malware is designed as an obfuscated VBA project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives.

NotDoor supports four different commands - cmd, to execute commands and return the standard output as an email attachment; cmdno, to execute commands; dwn, to exfiltrate files from the victim's computer by sending them as email attachments; and upl, to drop files to the victim's computer. The malware is deployed via Microsoft's OneDrive executable using a technique referred to as DLL side-loading.

The attacks are notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms) and bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional payloads. The attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration.


  • Russian APT28 linked to NotDoor malware in Microsoft Outlook backdoor.
  • Malware exfiltrates sensitive data from NATO member companies.
  • NotDoor uses obfuscated VBA macro for Outlook, utilizing Application events.
  • Four commands supported: cmd, cmdno, dwn, and upl for executing commands and files.
  • Malware deployed via DLL side-loading using Microsoft's OneDrive executable.
  • Abuse of Outlook as stealthy communication channel, data exfiltration, and malware delivery.
  • Use of Microsoft Dev Tunnels for added stealth and rapid infrastructure rotation.



  • Russian APT28 has been linked to a new Microsoft Outlook backdoor called NotDoor, which is being used to exfiltrate sensitive data from companies in NATO member countries. The malware, implemented as a VBA macro for Outlook, was discovered by S2 Grupo's LAB52 threat intelligence team, who reported that it monitors incoming emails for a specific trigger word and enables an attacker to exfiltrate data, upload files, and execute commands on the victim's computer.

    The NotDoor malware gets its name from the use of the word "Nothing" within the source code. It is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives.

    The malware supports four different commands - cmd, to execute commands and return the standard output as an email attachment; cmdno, to execute commands; dwn, to exfiltrate files from the victim's computer by sending them as email attachments; and upl, to drop files to the victim's computer. The malware also creates a folder at the path %TEMP%\Temp if it does not exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address.

    The malware is deployed via Microsoft's OneDrive executable ("onedrive.exe") using a technique referred to as DLL side-loading. This leads to the execution of a malicious DLL ("SSPICLI.dll"), which then installs the VBA backdoor and disables macro security protections.

    Specifically, it runs Base64-encoded PowerShell commands to perform a series of actions: beaconing to an attacker-controlled webhook[.]site endpoint, setting up persistence through Registry modifications, enabling macro execution, and turning off Outlook-related dialog messages to evade detection.


    LAB52 stated that the activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel. The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it's deployed via Microsoft's OneDrive executable using a technique referred to as DLL side-loading.

    The attacks are also notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that allows developers to securely expose local web services to the internet for testing and debugging purposes, as C2 domains for added stealth. This technique offers a twofold advantage: first, the original C2 server IP is completely masked by Microsoft's relay nodes, defeating threat intelligence tracebacks based on IP reputation.

    Second, because the service lets tunnel domain names be reset on a minute-by-minute basis, the attackers can rapidly rotate infrastructure nodes, leveraging the trusted reputation and traffic volume of mainstream cloud services to maintain a nearly zero-exposure, continuous operation.

    The attacks are part of a larger trend of Russian state-sponsored hacking groups using Outlook as a backdoor. In recent years, APT28 has been linked to several high-profile attacks, including the 2018 NotPetya ransomware attack and the 2020 SolarWinds hack.

    The disclosure comes as Beijing-based 360 Threat Intelligence Center detailed Gamaredon's (aka APT-C-53) evolving tradecraft, highlighting its use of Telegram-owned Telegraph as a dead-drop resolver to point to command-and-control (C2) infrastructure.

    The attacks are also notable for the abuse of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional payloads.

    This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russian-APT28-Deploys-NotDoor-Outlook-Backdoor-to-Exfiltrate-Data-from-NATO-Companies-ehn.shtml

  • https://thehackernews.com/2025/09/russian-apt28-deploys-notdoor-outlook.html

  • https://cybersecuritynews.com/hackers-exploit-outlook-flaw/


  • Published: Thu Sep 4 14:50:22 2025 by llama3.2 3B Q4_K_M












