Researchers at Spanish cybersecurity provider S2 Grupo have observed a new Outlook backdoor that enables threat actors to exfiltrate data, upload files and execute commands on a victim’s computer.

S2 Grupo’s threat intelligence lab, LAB52, shared its findings in a report published on September 3.

The threat analysts dubbed this backdoor ‘NotDoor’ due to the use of the word ‘Nothing’ within the code. They have attributed it to the Russia-backed cyber threat group APT28.

NotDoor: Sophisticated VBA-Based Outlook Malware

The NotDoor backdoor is a sophisticated Visual Basic for Applications (VBA)-based malware targeting Microsoft Outlook, designed to monitor incoming emails for specific trigger words and execute malicious commands.

VBA is Microsoft’s embedded scripting language used to automate tasks in Office applications, such as Excel, Word and Outlook. While legitimate users employ VBA for productivity, threat actors exploit it to embed malicious code in macros, which execute when documents or emails are opened.

NotDoor abuses Outlook’s event-driven VBA triggers, such as Application_MAPILogonComplete (on startup) and Application_NewMailEx (on new emails), to activate its payload.

The malware’s code is obfuscated, with randomized variable names and a custom string encoding technique that appends junk characters to Base64 data, mimicking encryption to hinder analysis.

Disguised within legitimate Outlook macros, NotDoor enables attackers to exfiltrate data, upload files and run arbitrary commands on compromised systems.

Notably, the malware leverages DLL side-loading via a signed Microsoft binary (OneDrive.exe), which loads a malicious DLL (SSPICLI.dll) to deploy the backdoor while evading detection.

Persistence is achieved by modifying Outlook’s registry settings to disable security warnings, enable macros on startup and suppress dialog prompts, ensuring silent operation.

The backdoor establishes covert communication by exfiltrating victim data to attacker-controlled email (a.matti444@proton[.]me) and verifying execution via DNS and HTTP callbacks to webhook.site.

Upon infection, it creates a hidden directory (%TEMP%Temp) to store artifacts, which are automatically emailed to the attacker and deleted.

Triggered by emails containing a predefined string (e.g. "Daily Report"), NotDoor parses encrypted commands embedded in the message body, supporting multiple instructions per email, such as file theft, command execution or additional payload downloads.

The malware’s modular design allows attackers to dynamically update triggers and commands, making detection and mitigation challenging.

By abusing Outlook’s native VBA capabilities, the malware remains persistent and stealthy, making it a potent tool for espionage or targeted attacks.

The LAB52 researchers recommended that organizations disable macros by default, monitor unusual Outlook activity and inspect email-based triggers to defend against such threats.
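The registry changes described above are also where a defender can look. The following PowerShell audit is an added example, not code from the article or the LAB52 report: it reads the per-user Outlook macro settings that a backdoor of this kind would weaken. The value names (Security\Level, LoadMacroProviderOnBoot, PONT_STRING) and the VbaProject.OTM location are Microsoft's documented Outlook settings; the Office version path (16.0) is an assumption to adjust for your environment.

```powershell
# Added example (not from the article or LAB52): audit Outlook macro-related settings
# that would let a VBA backdoor load silently at startup. Assumes Office 16.0 (adjust).
$outlookRoot = 'HKCU:\Software\Microsoft\Office\16.0\Outlook'
$findings = @()

# Security\Level: 1 = "Enable all macros" with no warning; 4 = disable all macros.
$level = (Get-ItemProperty -Path "$outlookRoot\Security" -Name Level `
          -ErrorAction SilentlyContinue).Level
if ($level -eq 1) {
    $findings += 'Security\Level = 1 (all macros enabled without prompt)'
}

# LoadMacroProviderOnBoot = 1 loads the VBA project at startup, which is what makes
# Application_MAPILogonComplete fire before the user opens anything.
$loadOnBoot = (Get-ItemProperty -Path $outlookRoot -Name LoadMacroProviderOnBoot `
               -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
if ($loadOnBoot -eq 1) {
    $findings += 'LoadMacroProviderOnBoot = 1 (VBA project loaded at startup)'
}

# Options\General\PONT_STRING suppresses Outlook dialog prompts; any value deserves review.
$pont = (Get-ItemProperty -Path "$outlookRoot\Options\General" -Name PONT_STRING `
         -ErrorAction SilentlyContinue).PONT_STRING
if ($pont) {
    $findings += "Options\General\PONT_STRING = '$pont' (dialog prompts suppressed)"
}

# The user's Outlook VBA project lives in VbaProject.OTM; report it if present,
# since most users never have one at all.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $item = Get-Item $otm
    $findings += "VbaProject.OTM present ($($item.Length) bytes, modified $($item.LastWriteTime))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No weakened Outlook macro settings found for this user.'
} else {
    Write-Output 'Review the following Outlook settings:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in the context of the user being investigated, since all of these settings are stored under HKCU.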

APT28: An Evolving Threat Group

APT28 is a cyber threat group notorious for its disruptive attacks. It is also known under many names, including Fancy Bear, Fighting Ursa, Forest Blizzard, Pawn Storm, Strontium, Sednit, Sofacy and Tsar Team.

Active since at least 2014, APT28 has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.

In 2016, APT28 reportedly compromised the Hillary Clinton presidential campaign, the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC), as part of a campaign to interfere in the US presidential election.

Two years later, in 2018, the US Department of Justice (DoJ) indicted five officers from GRU Unit 26165 for orchestrating cyber intrusions between 2014 and 2018.

Their targets included the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW) and the Spiez Swiss Chemicals Laboratory, among other entities.

Some of these operations were carried out with support from GRU Unit 74455, also known as the Sandworm Team.

According to the LAB52 researchers, NotDoor illustrates “the ongoing evolution of APT28, demonstrating how it continuously generates new artefacts capable of bypassing established defense mechanisms.”

More recently, APT28 was linked to a campaign delivering LameHug, one of the first malware families to leverage large language models (LLMs).

Initially detected by the National Computer Emergency Response Team of Ukraine (CERT-UA) in July 2025, LameHug was described by MITRE researchers as a “primitive” testbed for future AI-powered attacks.
