Red Hot Cyber


NotDoor Arrives: APT28’s Microsoft Outlook Backdoor

Redazione RHC: 4 September 2025 10:03

An advanced backdoor system associated with the notorious Russian cyberespionage group APT28 allows attackers to download data, upload files, and issue commands to infected PCs. This recently discovered, next-generation backdoor system focuses on Microsoft Outlook, allowing attackers to steal information and control the affected person’s computer.

The backdoor is designed to monitor the victim’s incoming emails for specific keywords, such as “Daily Report.” When an email containing the keyword is detected, the malware activates, allowing attackers to execute malicious commands. The name “NotDoor” was coined by researchers due to the use of the word “Nothing” in the malware’s code.

The malware cleverly exploits legitimate Outlook functionality to remain hidden and ensure its persistence. According to S2 Grupo, it uses event-based VBA triggers, such as Application_MAPILogonComplete, which fires when the Outlook application starts, and Application_NewMailEx, which fires when new emails arrive. The malware’s main features can be listed as follows:

  • Code obfuscation: The malware code is intentionally encoded with random variable names and a custom encoding method to make it difficult to analyze.
  • DLL sideloading: It uses a legitimate and signed Microsoft binary, OneDrive.exe, to load a malicious DLL file. This technique helps the malware appear as a trusted process.
  • Registry Modification: To ensure persistence, NotDoor modifies Outlook registry settings. It disables macro-related security warnings and suppresses other prompts, allowing it to run silently without alerting the user.

The malware has been attributed to the Russian state-sponsored cyberthreat group APT28, also known as Fancy Bear. The findings were published by LAB52, the threat intelligence unit of the Spanish cybersecurity firm S2 Grupo.

NotDoor is stealthy malware written in Visual Basic for Applications (VBA), the scripting language used to automate tasks in Microsoft Office applications. To evade detection by security software, it relies on the obfuscation, DLL sideloading and registry changes listed above.

Once active, the backdoor creates a hidden directory to store temporary files, which are then exfiltrated to an attacker-controlled email address before being deleted. The malware confirms its successful execution by sending callbacks to a webhook site.

APT28 is a notorious criminal group with ties to the Central Intelligence Directorate (GRU) of the Russian General Staff. Active for over a decade, the group is responsible for numerous high-profile cyberattacks, including the breach of the Democratic National Committee (DNC) during the 2016 US presidential election and intrusions into the World Anti-Doping Agency (WADA).

The recent introduction of this tool demonstrates the group’s constant evolution and its ability to develop innovative strategies to evade contemporary defense systems. The NotDoor malware, as reported by S2 Grupo, has already been widely used to jeopardize the security of multiple companies across various economic sectors within NATO member states.

To defend against this threat, security experts recommend that organizations disable macros by default on their systems, carefully monitor any unusual activity in Outlook, and examine email-based triggers that could be exploited by this malware.
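The three NotDoor features listed above (VBA event triggers, OneDrive.exe sideloading, weakened Outlook macro settings) and the defensive advice just given map onto a small, read-only host audit. The script below is an added example written for this article; it is not code from the article, from LAB52 or from S2 Grupo. The registry paths, value names and the VbaProject.OTM and OneDrive.exe locations are documented Outlook and OneDrive settings known independently of the article, which does not name the specific keys NotDoor modifies; the choice of checks, the Office version, the "skip Windows directory" shortcut and the severity labels are this example's own assumptions.

```powershell
# Added audit example (not from the article or LAB52/S2 Grupo). Read-only: it queries
# registry values and file signatures for the current user and prints findings.
$OfficeVersion  = '16.0'   # assumption: Office 2016/2019/2021/365 share the 16.0 hive
$SkipWindowsDir = $true    # assumption: ignore modules under %WINDIR% to reduce noise
$Findings = [System.Collections.Generic.List[string]]::new()

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# --- 1. Macro security level (the Trust Center setting the article says NotDoor weakens) ---
# DWORD 'Level': 1 = enable all, 2 = notify for all, 3 = notify for signed only (default),
# 4 = disable all without notification. A policy-hive value overrides the user-hive value.
$UserLevel   = Get-RegValue "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security" 'Level'
$PolicyLevel = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Security" 'Level'
$Effective   = if ($null -ne $PolicyLevel) { $PolicyLevel } elseif ($null -ne $UserLevel) { $UserLevel } else { 3 }
switch ($Effective) {
    4       { $Findings.Add("OK    macro level 4 (all macros disabled without notification)") }
    3       { $Findings.Add("INFO  macro level 3 (Outlook default: signed macros prompt, others disabled)") }
    default { $Findings.Add("ALERT macro level $Effective (macros enabled or merely prompted)") }
}
if ($null -eq $PolicyLevel) {
    $Findings.Add("WARN  macro level is not policy-enforced; a write to the user hive changes it silently")
}

# --- 2. Startup loading of the VBA project ---
# With LoadMacroProviderOnBoot = 1 Outlook loads VbaProject.OTM at start-up, which is what lets
# an Application_MAPILogonComplete handler run without the user ever opening the VBA editor.
$LoadOnBoot = Get-RegValue "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook" 'LoadMacroProviderOnBoot'
if ($LoadOnBoot -eq 1) { $Findings.Add("ALERT LoadMacroProviderOnBoot = 1 (VBA project auto-loads at Outlook start)") }
else                   { $Findings.Add("OK    LoadMacroProviderOnBoot is not 1") }

# --- 3. The VBA project file itself ---
$Otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $Otm) {
    $Item = Get-Item $Otm
    $Hash = (Get-FileHash -Path $Otm -Algorithm SHA256).Hash
    $Findings.Add("ALERT VbaProject.OTM present: $($Item.Length) bytes, modified $($Item.LastWriteTime), SHA256 $Hash")
    $Findings.Add("      review it for Application_MAPILogonComplete / Application_NewMailEx handlers")
} else {
    $Findings.Add("OK    no VbaProject.OTM for this user")
}

# --- 4. DLL sideloading around OneDrive.exe ---
# The article does not name the sideloaded DLL, so every DLL beside the per-user OneDrive.exe
# and every module loaded by a running OneDrive.exe is checked for a valid Microsoft signature.
function Test-MicrosoftSigned {
    param([string]$Path)
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    return ($Sig.Status -eq 'Valid' -and $Sig.SignerCertificate.Subject -like '*Microsoft*')
}
$Candidates   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$UserOneDrive = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'
if (Test-Path $UserOneDrive) {
    Get-ChildItem -Path (Split-Path $UserOneDrive) -Filter '*.dll' -File |
        ForEach-Object { [void]$Candidates.Add($_.FullName) }
}
foreach ($Proc in Get-Process -Name OneDrive -ErrorAction SilentlyContinue) {
    if ($Proc.Path -and -not (Test-MicrosoftSigned $Proc.Path)) {
        $Findings.Add("ALERT running OneDrive.exe at $($Proc.Path) is not Microsoft-signed")
    }
    try   { $Proc.Modules | ForEach-Object { [void]$Candidates.Add($_.FileName) } }
    catch { $Findings.Add("INFO  could not enumerate modules of PID $($Proc.Id): $($_.Exception.Message)") }
}
foreach ($Module in $Candidates) {
    if ($SkipWindowsDir -and $Module.StartsWith($env:WINDIR, 'OrdinalIgnoreCase')) { continue }
    if (-not (Test-MicrosoftSigned $Module)) {
        $Findings.Add("ALERT non-Microsoft or unsigned module beside/inside OneDrive.exe: $Module")
    }
}

$Findings | ForEach-Object { Write-Output $_ }
```

Run it in the context of the user whose Outlook profile you want to check; it reads only HKCU, so for a fleet-wide sweep it has to be executed per user (or adapted to walk HKEY_USERS). A VbaProject.OTM on a host where nobody authors Outlook macros, or a macro level changed away from a policy-enforced value, is the kind of "unusual activity in Outlook" the article's recommendation points at, and the file hash gives you something to compare across hosts.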

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
