Cybersecurity researchers have discovered NotDoor, a new cyber-espionage tool linked to the Russian state-sponsored hacking group APT28, also known as Fancy Bear, that targets Microsoft Outlook users across NATO countries.
Identified by LAB52, the threat intelligence arm of Spanish cybersecurity firm S2 Grupo, the malware turns Outlook into a covert spy tool, allowing attackers to steal data, upload files, and execute commands on infected machines — all by exploiting Outlook’s built-in automation features.
How The Attack Works
Researchers explained that the malware was named NotDoor because its code repeatedly uses the term “nothing.” It is stealthy malware written in Visual Basic for Applications (VBA), the scripting language used in Microsoft Office.
Once installed, it lies dormant as a malicious macro and activates when emails with a specific trigger phrase, such as “Daily Report,” arrive. When that email comes, the malware springs to life — silently giving hackers control of the victim’s system.
The malware abuses Outlook’s event-driven VBA triggers, such as Application_MAPILogonComplete (on start-up of Outlook) and Application_NewMailEx (on arrival of a new email), to activate its payload. It also deletes the triggering emails that set it off, leaving almost no trace of how the compromise began.
“This [case] highlights the ongoing evolution of APT28, demonstrating how it continually generates new artefacts capable of bypassing established defense mechanisms,” wrote the LAB52 researchers in a blog post.
A Sophisticated Stealth Strategy
According to researchers, NotDoor makes use of a variety of advanced tricks to evade detection:
- Obfuscated Code: The code is scrambled and encoded, making it difficult for security tools to analyze.
- DLL Side-Loading: It hijacks a legitimate Microsoft file, OneDrive.exe, which loads a malicious DLL (SSPICLI.dll), disguising itself as a trusted process.
- Registry Modifications: It tweaks Outlook’s settings to disable security warnings about macros and suppresses dialog prompts, allowing the malware to run without notifying the user.
Once active, the malware stages stolen data as temporary files in a hidden directory, then secretly emails them to an attacker-controlled address (a.matti444@proton[.]me) before erasing all traces. The malware confirms successful execution by sending DNS and HTTP callbacks to webhook.site.
Who’s Behind It
APT28 is one of the world’s most notorious hacking groups, widely believed to be part of Russia’s military intelligence agency (GRU). It has been at the center of some of the past decade’s most headline-grabbing hacks, including the 2016 breach of the Democratic National Committee (DNC) and intrusions into the World Anti-Doping Agency (WADA).
NotDoor shows “the ongoing evolution of APT28, demonstrating how it continuously generates new artefacts capable of bypassing established defense mechanisms,” the LAB52 researchers added.
How To Stay Protected
To reduce the risk of infection, experts recommend that organizations take the following urgent steps:
- Disable macros by default across all systems
- Keep a close eye on Outlook for any unusual behaviour, especially registry changes
- Block suspicious DLL files from being loaded by trusted programs
- Ensure Microsoft Office and Windows are always up to date
- Educate employees to recognize suspicious emails that could serve as triggers
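As an added defender-side example (not code from the article or from LAB52), the following PowerShell audit checks the places the article points at: Outlook's macro security level in the registry, whether Outlook is configured to load a VBA project at start-up, the VbaProject.OTM file that holds Outlook macros, and whether an SSPICLI.dll sits beside OneDrive.exe. The registry value names, the OTM path and the OneDrive paths are standard Outlook and Windows locations rather than identifiers taken from the article, and the Office version is an assumption to adjust per environment.

```powershell
# Added defender-side audit for the NotDoor-style layout (example code, not from the article or LAB52).
# Assumes Office 16.0 (Outlook 2016/2019/365); adjust $OfficeVer for other installs.
$OfficeVer = '16.0'
$findings  = @()

# 1. Macro security level. Outlook's "Level" DWORD: 1 = enable all macros (no check),
#    2 = signed macros only (default), 3 = warn for all, 4 = disable all silently.
#    A Group Policy value under HKCU\Software\Policies takes precedence over the user setting.
foreach ($root in @("HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\Outlook\Security",
                    "HKCU:\Software\Microsoft\Office\$OfficeVer\Outlook\Security")) {
    $level = (Get-ItemProperty -Path $root -Name Level -ErrorAction SilentlyContinue).Level
    if ($null -ne $level) {
        if ($level -eq 1) { $findings += "Macro security Level=1 (all macros enabled) at $root" }
        break   # first hit wins: policy before user setting
    }
}

# 2. Auto-loading of the Outlook VBA project at start-up.
$outlookKey = "HKCU:\Software\Microsoft\Office\$OfficeVer\Outlook"
$loadMacro  = (Get-ItemProperty -Path $outlookKey -Name LoadMacroProviderOnBoot -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
if ($loadMacro -eq 1) { $findings += "LoadMacroProviderOnBoot=1 at $outlookKey" }

# 3. The file that holds Outlook VBA macros. Its presence is unusual on hosts where
#    nobody writes Outlook macros, and a recent write is worth a closer look.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $age = (Get-Date) - (Get-Item $otm).LastWriteTime
    $findings += "VbaProject.OTM present ($([int]$age.TotalDays) days since last write): $otm"
}

# 4. SSPICLI.dll normally lives in System32. A copy next to OneDrive.exe matches the
#    side-loading layout the article describes; report its signature status as well.
$oneDriveDirs = @("$env:LOCALAPPDATA\Microsoft\OneDrive", "$env:ProgramFiles\Microsoft OneDrive")
foreach ($dir in $oneDriveDirs) {
    $dll = Join-Path $dir 'SSPICLI.dll'
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $findings += "SSPICLI.dll beside OneDrive.exe (signature: $($sig.Status)): $dll"
    }
}

if ($findings.Count -eq 0) { 'No NotDoor-style indicators found.' } else { $findings }
```

Run it in the user context of each mailbox owner, since all the locations checked live under the user's profile and HKCU hive.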
With NotDoor actively targeting companies across multiple sectors in NATO member states, the discovery underscores how even trusted workplace tools like Outlook can be weaponized in ways few would expect.