Russian APT28 threat group targets Microsoft Outlook using ‘NotDoor’ malware


Researchers at Lab52 (S2 Grupo) have uncovered a new backdoor malware, NotDoor, deployed by the Russian state-sponsored threat group APT28 (Fancy Bear).

🔎 Key Findings:

  • Abuses Outlook macros → Monitors incoming emails for specific trigger strings, then executes the attacker-supplied commands they carry.
  • Backdoor capabilities → Exfiltrates data, uploads additional malicious files, and maintains persistence.
  • Stealth tactics → Delivered via DLL sideloading through Microsoft OneDrive.exe, disables macro warnings, and uses obfuscated code.
  • C2 mechanism → Uses trigger-laden emails and services such as DNSHook for covert communication.

⚠️ Why It Matters

This campaign highlights APT28’s continued evolution and ability to bypass defenses by abusing trusted applications (Outlook, OneDrive). It also demonstrates how state actors are embedding malware into daily communication tools to remain undetected.

🛡️ Recommendations

  • Restrict or disable Outlook macros where possible.
  • Monitor DLL sideloading activity.
  • Enhance email security and threat hunting to detect anomalous Outlook behavior.
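The following PowerShell audit script is an added example for the recommendations above; it is not code from the Lab52 report or from Alcaeus Services. It checks the per-user Outlook macro security posture (the documented Security\Level value, where 1 means all macros run without warning), looks for the VbaProject.OTM file Outlook loads user macros from and the LoadMacroProviderOnBoot setting, and, as a generic sideloading heuristic rather than a NotDoor-specific indicator, lists DLLs beside the per-user OneDrive.exe that lack a valid Authenticode signature. The Office version key "16.0" and the OneDrive install path under %LOCALAPPDATA% are assumptions; adjust them for your estate.

```powershell
# Added audit example (not from the Lab52 report or Alcaeus Services).
# Checks Outlook macro settings and unsigned DLLs near OneDrive.exe.
param(
    [string]$OfficeVersion = "16.0"   # assumption: Office 2016/2019/365 use the 16.0 key
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Outlook macro security level, per user and per policy.
#    Documented meanings of Security\Level: 1 = enable all macros,
#    2 = notify for signed macros only, 3 = notify for all (default),
#    4 = disable all macros without notification.
$levelNames = @{
    1 = "Enable all macros (no warnings, high risk)"
    2 = "Notify for digitally signed macros"
    3 = "Notify for all macros (default)"
    4 = "Disable all macros"
}
$securityKeys = @(
    "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security",
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Security"
)
foreach ($key in $securityKeys) {
    $level = (Get-ItemProperty -Path $key -Name Level -ErrorAction SilentlyContinue).Level
    if ($null -ne $level) {
        $desc = if ($levelNames.ContainsKey([int]$level)) { $levelNames[[int]$level] } else { "Unknown value" }
        $findings.Add("Macro security level at $key = $level ($desc)")
        if ([int]$level -eq 1) {
            $findings.Add("ALERT: macro warnings are disabled at $key")
        }
    }
}

# 2. VbaProject.OTM is the file Outlook loads user macros from. On hosts
#    where nobody writes Outlook macros, its presence deserves a look.
$otm = Join-Path $env:APPDATA "Microsoft\Outlook\VbaProject.OTM"
if (Test-Path $otm) {
    $info = Get-Item $otm
    $findings.Add("VbaProject.OTM present: $otm ($($info.Length) bytes, modified $($info.LastWriteTime))")
}

# LoadMacroProviderOnBoot = 1 makes Outlook load the OTM at startup
# instead of waiting for a macro to be invoked.
$outlookKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook"
$lmp = (Get-ItemProperty -Path $outlookKey -Name LoadMacroProviderOnBoot -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
if ($lmp -eq 1) {
    $findings.Add("LoadMacroProviderOnBoot is set: Outlook loads VbaProject.OTM at startup")
}

# 3. Sideloading heuristic: DLLs in the OneDrive install tree without a
#    valid Authenticode signature. Assumes the per-user OneDrive install.
$oneDriveDir = Join-Path $env:LOCALAPPDATA "Microsoft\OneDrive"
if (Test-Path $oneDriveDir) {
    Get-ChildItem -Path $oneDriveDir -Filter *.dll -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $findings.Add("DLL without valid signature near OneDrive.exe: $($_.FullName) ($($sig.Status))")
        }
    }
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

Run it in the context of the user whose Outlook profile you are auditing, since the settings and the OTM file live under HKCU and %APPDATA%. A signature check is only a triage aid: a legitimate but unsigned helper DLL will show up too, so treat hits as leads for hash lookup and timeline review, not as verdicts.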

At Alcaeus Services, we help organizations detect advanced persistent threats, improve resilience against state-backed actors, and secure collaboration platforms like Microsoft 365.
