CinchOps Alert: Russian APT28 Deploys Sophisticated NotDoor Backdoor Through Microsoft Outlook

TL;DR: Russian state-sponsored hackers from APT28 have developed NotDoor, a VBA macro backdoor that weaponizes Microsoft Outlook to monitor emails for trigger words, steal data, and execute commands while evading detection through obfuscated code and registry modifications.

The cybersecurity community is facing a new and sophisticated threat as Russian intelligence operatives have found a way to turn one of the world’s most trusted business applications into a weapon. Microsoft Outlook, used by millions of professionals daily for email communication, has become the latest target for a highly advanced backdoor attack. This isn’t just another malware campaign – it represents a fundamental shift in how nation-state attackers are approaching corporate infiltration by exploiting the very tools businesses rely on most.

What makes this threat particularly insidious is its use of legitimate Outlook functionality to hide in plain sight. Rather than attempting to bypass security systems, the attackers have embedded their malicious code directly into Outlook’s macro capabilities, making detection extremely challenging for traditional security tools. The malware operates entirely within the normal email workflow, using incoming messages as command and control channels while maintaining persistent access to victim systems.

 

The NotDoor Threat Explained

NotDoor is a sophisticated Visual Basic for Applications (VBA) backdoor specifically designed to weaponize Microsoft Outlook as a covert communication and data exfiltration channel. Security researchers at LAB52, the threat intelligence division of Spanish cybersecurity firm S2 Grupo, first identified this malware and attributed it to APT28, the notorious Russian state-sponsored threat group also known as Fancy Bear, Fighting Ursa, Forest Blizzard, Pawn Storm, Strontium, Sednit, Sofacy, and Tsar Team.

The malware gets its name from the use of the word “Nothing” within its source code, a detail that helped researchers identify and analyze the threat. NotDoor operates as an obfuscated VBA macro for Outlook that monitors incoming emails for specific trigger words or phrases. When an email containing the designated trigger string is received, the malware springs into action, enabling attackers to steal data, upload files, and execute arbitrary commands on the victim’s computer.

Key technical characteristics of NotDoor include:

• Email-based command and control through trigger words like “Daily Report” that activate malicious functions when detected in incoming messages
• Advanced obfuscation techniques including randomized variable names and custom string encoding that appends junk characters to Base64 data to mimic encryption
• DLL side-loading deployment via Microsoft’s legitimate signed OneDrive.exe binary to load the malicious SSPICLI.dll and bypass security protections
• Registry manipulation to disable macro security warnings, enable macro execution, and suppress Outlook dialogue messages for stealth operation
• Persistent access mechanisms using Application_MAPILogonComplete and Application_NewMailEx events to execute payload code whenever Outlook starts or new emails arrive
• Covert file exfiltration to attacker-controlled email addresses at a.matti444@proton.me with automatic deletion of evidence after transmission
• Multi-command functionality supporting file theft (dwn), command execution with output (cmd), silent command execution (cmdno), and file upload capabilities (upl)

 Severity Assessment: High-Risk Nation-State Attack

NotDoor represents a critical severity threat due to its sophisticated design, nation-state backing, and ability to evade traditional detection methods. The malware demonstrates several characteristics that elevate its risk profile significantly above typical commercial malware or cybercriminal tools.

The threat severity is amplified by several factors:

• Nation-state sophistication with APT28’s extensive resources, technical expertise, and persistent targeting of high-value organizations in NATO member countries
• Legitimate application abuse that bypasses many security controls by operating within trusted Microsoft Outlook processes rather than deploying standalone malicious executables
• Long-term strategic targeting focusing on government agencies, defense contractors, and critical infrastructure organizations across multiple sectors
• Advanced evasion capabilities including the automatic deletion of trigger emails and exfiltrated files to minimize forensic evidence
• Persistent access maintenance through registry modifications and event-driven triggers that ensure the backdoor remains active across system reboots and application restarts

The malware’s ability to blend with normal email traffic makes it extremely difficult for network monitoring tools to detect command and control communications. Additionally, the use of legitimate Microsoft binaries for deployment and the abuse of built-in VBA functionality means that many endpoint protection solutions may not flag the activity as malicious.

 Exploitation Methods and Techniques

APT28 employs several sophisticated techniques to deploy and operate NotDoor while maintaining operational security:

• Initial deployment through DLL side-loading using Microsoft’s signed OneDrive.exe binary, which loads the malicious SSPICLI.dll to disable macro security protections and install the VBA backdoor
• Base64-encoded PowerShell execution for beaconing to attacker-controlled webhook.site infrastructure, establishing persistence through Registry modifications, and enabling macro execution
• Stealthy communication channels using legitimate email traffic for command delivery and data exfiltration, with encrypted file contents sent as email attachments to avoid network detection
• Evidence destruction protocols including automatic deletion of trigger emails, temporary files, and exfiltrated data from victim systems after successful transmission
• Dynamic trigger configuration allowing attackers to use multiple trigger strings beyond “Daily Report” and modify activation criteria for different targets or operational phases

The malware creates a staging folder at %TEMP%\Temp to temporarily store files during operations, using predefined naming conventions with common business-related names like “report,” “invoice,” “document,” and “summary” combined with typical extensions such as .pdf, .docx, .xlsx, and .jpg to blend with normal workplace data.

 The Threat Actors: APT28 Russian Intelligence

APT28 is one of the most prolific and dangerous nation-state threat groups in the cybersecurity environment, with direct ties to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. The group has been active since at least 2014 and has conducted numerous high-profile cyberattacks against Western governments, military organizations, and critical infrastructure.

Notable APT28 operations include:

• 2016 US Presidential Election interference through the compromise of Hillary Clinton’s presidential campaign, the Democratic National Committee (DNC), and the Democratic Congressional Campaign Committee (DCCC)
• World Anti-Doping Agency (WADA) breach as part of broader efforts to undermine international sports organizations and anti-doping efforts
• US nuclear facility infiltration and attacks against the Organization for the Prohibition of Chemical Weapons (OPCW) and Swiss chemical laboratories
• Ongoing targeting of NATO member countries across government, defense, and critical infrastructure sectors with particular focus on intelligence gathering and strategic reconnaissance

The development of NotDoor demonstrates APT28’s continued evolution and adaptability in developing new tools to bypass established defense mechanisms. The group has recently been linked to other advanced malware including LameHug, which represents one of the first malware samples leveraging large language models for enhanced social engineering and evasion capabilities.

 Organizations at Risk

The NotDoor campaign primarily targets organizations in NATO member countries across multiple critical sectors:

• Government agencies and military organizations handling classified information, defense contracts, and national security matters
• Defense contractors and aerospace companies with access to sensitive technology, weapons systems, and strategic capabilities
• Critical infrastructure operators in energy, telecommunications, transportation, and healthcare sectors that could be disrupted during geopolitical conflicts
• Financial institutions and multinational corporations with valuable intellectual property, financial data, and strategic business information
• Research institutions and universities conducting advanced research in technology, defense applications, or geopolitically sensitive areas

Houston businesses face particular risk due to the city’s significant presence in energy, aerospace, and defense industries. Organizations with extensive use of Microsoft Outlook in their daily operations – which includes virtually all modern businesses – are potential targets for this type of attack. Small and medium-sized businesses that may lack advanced cybersecurity monitoring capabilities could be especially vulnerable to prolonged compromise.

The targeting appears to focus on organizations that process sensitive emails, handle classified information, or maintain relationships with government and defense entities. However, APT28 has also been known to compromise smaller organizations as stepping stones to larger targets or to establish persistent infrastructure within target networks.

 Remediation and Protection Strategies

Organizations can implement several defensive measures to protect against NotDoor and similar Outlook-based threats:

• Disable VBA macros by default in all Microsoft Office applications, particularly Outlook, and implement strict approval processes for any business-critical macro usage
• Deploy advanced email security solutions that can analyze VBA content, detect obfuscated macros, and identify suspicious email-based command and control patterns
• Monitor for DLL side-loading indicators including OneDrive.exe spawning PowerShell processes with encoded commands or unusual child process activity
• Establish network monitoring for DNS queries to webhook.site, unusual outbound email traffic patterns, and connections to known APT28 infrastructure
• Implement endpoint detection and response (EDR) solutions capable of detecting registry modifications related to Office security settings and unauthorized macro execution
• Conduct regular security awareness training focusing on email-based threats, social engineering techniques, and the importance of reporting suspicious email activity
• Maintain updated threat intelligence feeds to identify new APT28 indicators of compromise and emerging tactics, techniques, and procedures

Organizations should also consider implementing network segmentation to limit the potential impact of compromised systems and establish incident response procedures specifically for nation-state attacks that may require coordination with law enforcement and intelligence agencies.

 How CinchOps Can Help

As sophisticated nation-state threats like APT28’s NotDoor backdoor continue to evolve, Houston businesses need comprehensive cybersecurity protection that goes beyond traditional perimeter defenses. CinchOps understands that modern cyber threats require a multi-layered approach combining advanced technology, expert monitoring, and proactive threat hunting to protect against state-sponsored attacks.

CinchOps provides enterprise-grade cybersecurity solutions specifically designed for small business IT support and managed IT services in the Houston area:

• Advanced email security monitoring that analyzes VBA macros, detects obfuscated code, and identifies suspicious email-based command and control communications like those used by NotDoor
• Endpoint detection and response (EDR) deployment with behavioral analysis capabilities to identify DLL side-loading techniques, unauthorized registry modifications, and abnormal Office application behavior
• 24/7 security operations center (SOC) monitoring – CinchOps watches for APT28 indicators of compromise and other nation-state threat actor activities
• Microsoft Office security hardening including macro disabling, attack surface reduction rule implementation, and application control policies to prevent Outlook-based backdoors
• Network security assessments and monitoring to detect unusual DNS queries, suspicious outbound traffic patterns, and potential command and control communications
• Comprehensive security health scans of your external network infrastructure to identify vulnerabilities that nation-state actors like APT28 could exploit for initial access
• Incident response planning and coordination with law enforcement and intelligence agencies when dealing with suspected nation-state attacks against your organization
• Cybersecurity awareness training for your Houston workforce focusing on advanced persistent threat techniques, email-based attacks, and social engineering methods used by state-sponsored groups
• Threat intelligence integration that keeps your defenses updated with the latest APT28 tactics, techniques, procedures, and indicators of compromise

Don’t let your organization become the next victim of state-sponsored cyber espionage. Contact CinchOps today for a comprehensive security assessment and learn how our managed IT support near you can protect your business from advanced persistent threats targeting the Houston business community.

 Discover More 

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: CinchOps’ Guide to Houston Data Protection: 5 Scenarios Every Business Should Know
For Additional Information on this topic: Russian APT28 Expands Arsenal with ‘NotDoor’ Outlook Backdoor

FREE CYBERSECURITY ASSESSMENT