
Russian cyberespionage group APT28 targets NATO member firms with Outlook “NotDoor” backdoor

The Russian state-sponsored hacking group known as APT28 has been linked to a new Microsoft Outlook backdoor called NotDoor, which has been used in attacks against companies across NATO member countries. NotDoor is a Visual Basic for Applications (VBA) macro that monitors incoming emails for specific trigger words. When such an email is detected, it lets the attackers exfiltrate data, upload files, and execute commands on the victim's computer. The malware takes its name from the word "Nothing" found in its source code, and its defining feature is the use of Outlook itself as a covert channel for communication, data exfiltration, and malware delivery.

The precise method of initial access used to deploy NotDoor remains unclear, but analysis indicates it is delivered through Microsoft's OneDrive executable using a technique known as DLL side-loading. The side-loaded DLL, referred to as "SSPICLI.dll," installs the VBA backdoor and disables Outlook's macro security settings. NotDoor runs its payload whenever Outlook starts or a new email arrives, creates a temporary folder for staging files, and exfiltrates them to a Proton Mail address. Its command set covers file exfiltration, file upload, and command execution, and it uses custom encryption to conceal its activity. The disclosure coincides with reports from the Beijing-based 360 Threat Intelligence Center on the evolving tactics of another group, Gamaredon, which has been using Telegram-owned Telegraph for command-and-control infrastructure.
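Two of the behaviours described above are detectable with ordinary endpoint telemetry: a trusted binary loading a DLL that carries a Windows system library's name from a non-system directory (the side-loading step), and an Outlook macro security level that has been lowered so an unsigned VBA project runs. The Python below is an added illustration of both checks and is not code from the original article or from any referenced report. The image-load records and the registry snapshots are constructed sample data; the field names follow Sysmon Event ID 7 (Image loaded) conventions, and the Outlook `Security\Level` value and its meaning (1 = enable all macros) are the documented Outlook Trust Center setting, assumed here for Office 16.0.

```python
"""Detection sketch for NotDoor-style side-loading and weakened Outlook macro security.

Added example. All event records and registry snapshots below are constructed,
not real telemetry.
"""
from pathlib import PureWindowsPath

# Directories where SSPICLI.dll legitimately resides on Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names to watch when loaded from outside the system directories.
# SSPICLI.dll is the name reported for NotDoor's loader.
WATCHED_DLLS = {"sspicli.dll"}

# Outlook macro security level (Office 16.0 path assumed for this example).
OUTLOOK_LEVEL_VALUE = r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level"
ENABLE_ALL_MACROS = 1  # Trust Center setting "Enable all macros"


def is_sideload_candidate(event: dict) -> bool:
    """True when a watched DLL is loaded from a directory other than System32/SysWOW64."""
    image = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() not in WATCHED_DLLS:
        return False
    return str(image.parent).lower() not in SYSTEM_DIRS


def find_sideloads(events: list) -> list:
    """Return the loaded-DLL paths for every image-load event that looks side-loaded."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


def weakened_macro_security(registry: dict) -> bool:
    """True when Outlook's macro security level permits all macros to run unprompted."""
    return registry.get(OUTLOOK_LEVEL_VALUE) == ENABLE_ALL_MACROS


# Constructed Sysmon-style image-load records (Event ID 7 field names).
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Windows\System32\SSPICLI.dll"},          # benign system copy
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\SSPICLI.dll"},  # side-loaded
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},         # unrelated load
]

# Constructed registry snapshots: one default, one weakened.
SAMPLE_REGISTRY_DEFAULT = {OUTLOOK_LEVEL_VALUE: 3}   # notify for signed macros only
SAMPLE_REGISTRY_WEAK = {OUTLOOK_LEVEL_VALUE: 1}      # all macros enabled


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_IMAGE_LOADS):
        print("possible DLL side-load:", path)
    for name, snap in (("default", SAMPLE_REGISTRY_DEFAULT), ("weak", SAMPLE_REGISTRY_WEAK)):
        print(name, "macro security weakened:", weakened_macro_security(snap))
```

The side-load check keys on the DLL's directory rather than on OneDrive specifically, so it also flags the same library name loaded from any other user-writable path; pairing a hit with a subsequent change to the Outlook `Level` value, or with the appearance of a VBA project on the host, is the correlation a responder would pursue.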
