Cyber Web Spider Blog – News
Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries

Posted on September 4, 2025 by CWS

Sep 04, 2025 | Ravie Lakshmanan | Cybersecurity / Malware

The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries.
NotDoor "is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word," S2 Grupo's LAB52 threat intelligence team said. "When such an email is detected, it allows an attacker to exfiltrate data, upload files, and execute commands on the victim's computer."
The artifact gets its name from the use of the word "Nothing" within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel.
The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it is deployed via Microsoft's OneDrive executable ("onedrive.exe") using a technique called DLL side-loading.
This leads to the execution of a malicious DLL ("SSPICLI.dll"), which then installs the VBA backdoor and disables macro security protections.

Specifically, it runs Base64-encoded PowerShell commands to perform a series of actions that involve beaconing to an attacker-controlled webhook[.]site domain, establishing persistence through Registry modifications, enabling macro execution, and turning off Outlook-related dialog messages to evade detection.
NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that uses the Application.MAPILogonComplete and Application.NewMailEx events to run the payload whenever Outlook is started or a new email arrives.
It then proceeds to create a folder at the path %TEMP%\Temp if it doesn't exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address. It also parses incoming messages for a trigger string, such as "Daily Report," causing it to extract the embedded commands to be executed.
The malware supports four different commands –

cmd, to execute commands and return the standard output as an email attachment
cmdno, to execute commands without returning output
dwn, to exfiltrate files from the victim's computer by sending them as email attachments
upl, to drop files onto the victim's computer
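Detection logic for the NotDoor deployment chain described above, as an added example that is not code from the article or from LAB52: it scans constructed Sysmon-style events for onedrive.exe side-loading SSPICLI.dll from a non-system directory, and for encoded PowerShell that references webhook.site or writes Outlook registry settings. The event field names, sample paths and the placeholder registry value name are assumptions.

```python
import base64
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def encode_ps(script: str) -> str:
    # PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text
    return base64.b64encode(script.encode("utf-16-le")).decode()

def decode_encoded_command(cmdline: str):
    # Recover the script behind -e/-ec/-enc/-EncodedCommand; None if absent or malformed
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def is_sideload(event) -> bool:
    # onedrive.exe loading SSPICLI.dll from anywhere but the Windows system directories
    loaded = event["loaded"].lower()
    return (event["image"].lower().rsplit("\\", 1)[-1] == "onedrive.exe"
            and loaded.endswith("\\sspicli.dll") and not loaded.startswith(SYSTEM_DIRS))

def is_suspicious_powershell(event) -> bool:
    # Encoded PowerShell that beacons to webhook.site or writes Outlook registry settings
    text = (decode_encoded_command(event.get("cmdline", "")) or "").lower()
    writes_reg = any(c in text for c in ("set-itemproperty", "new-itemproperty", "reg add"))
    return "webhook.site" in text or ("\\outlook\\" in text and writes_reg)

def scan(events):
    # Sysmon-style ids: 7 = image load, 1 = process create; returns (rule, detail) tuples
    alerts = []
    for ev in events:
        if ev["id"] == 7 and is_sideload(ev):
            alerts.append(("dll_sideload", ev["loaded"]))
        elif ev["id"] == 1 and is_suspicious_powershell(ev):
            alerts.append(("encoded_powershell", decode_encoded_command(ev["cmdline"])))
    return alerts

# Constructed sample telemetry for the demo; paths and values are placeholders, not real IoCs
USER_DIR = r"C:\Users\victim\AppData\Local\Microsoft\OneDrive"
SAMPLE_EVENTS = [
    {"id": 7, "image": USER_DIR + r"\OneDrive.exe", "loaded": USER_DIR + r"\SSPICLI.dll"},
    {"id": 7, "image": r"C:\Windows\explorer.exe", "loaded": r"C:\Windows\System32\sspicli.dll"},
    {"id": 1, "cmdline": "powershell.exe -enc " + encode_ps("Invoke-WebRequest https://webhook.site/PLACEHOLDER-ID")},
    {"id": 1, "cmdline": "powershell.exe -enc " + encode_ps(
        r"Set-ItemProperty HKCU:\Software\Microsoft\Office\16.0\Outlook\Security -Name PLACEHOLDER -Value 1")},
    {"id": 1, "cmdline": "powershell.exe -enc " + encode_ps("Get-Date")},
]
```

Running `scan(SAMPLE_EVENTS)` flags the user-directory SSPICLI.dll load and the two encoded commands, and ignores the legitimate System32 load and the benign Get-Date script.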

"Files exfiltrated by the malware are stored in the folder," LAB52 said. "The file contents are encoded using the malware's custom encryption, sent via email, and then deleted from the system."
The disclosure comes as Beijing-based 360 Threat Intelligence Center detailed Gamaredon's (aka APT-C-53) evolving tradecraft, highlighting its use of Telegram-owned Telegraph as a dead-drop resolver to point to command-and-control (C2) infrastructure.
The attacks are also notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that allows developers to securely expose local web services to the internet for testing and debugging purposes, as C2 domains for added stealth.
"This technique provides twofold advantages: first, the original C2 server IP is completely masked by Microsoft's relay nodes, blocking threat intelligence tracebacks based on IP reputation," the cybersecurity company said.

"Second, by exploiting the service's ability to reset domains on a minute-by-minute basis, the attackers can rapidly rotate infrastructure nodes, leveraging the trusted credentials and traffic scale of mainstream cloud services to maintain a nearly zero-exposure continuous threat operation."
Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional payloads.
"This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration," 360 Threat Intelligence Center said.

Source: The Hacker News. Tags: APT28, Backdoor, Companies, Countries, Deploys, NATO, NotDoor, Outlook, Russian