NotDoor Malware Targets Microsoft Outlook for Covert Data Exfiltration


In September 2025, LAB52 exposed a new and stealthy cyber-espionage tool named NotDoor, used by a Russian state-sponsored actor to compromise multiple companies across NATO countries. The malware operates as a malicious VBA macro embedded in Microsoft Outlook that scans incoming emails for specific trigger phrases. Once activated, it enables command execution, file exfiltration, and email theft from compromised systems.

Severity Level: High

Threat Actor

  • Name: APT28 (a.k.a. Fancy Bear, Sofacy)
  • Attribution: Russian Military Intelligence (GRU)
  • Motivation: Espionage and strategic intelligence collection, typically against NATO nations and political institutions.

Infection Chain

  1. Initial Access: Not known – likely involves social engineering, phishing, or a malicious download that delivers onedrive.exe and SSPICLI.dll to the target
  2. Execution via DLL Side-Loading: The attacker abuses the legitimate, signed Microsoft OneDrive executable (onedrive.exe), which is vulnerable to DLL side-loading, to load a malicious DLL (SSPICLI.dll). Because the loading process is a trusted binary, this is a common technique for evading security detection.
  3. Payload Installation and Persistence
    • The malicious DLL installs a VBA macro payload by copying testtemp.ini to Outlook’s macro storage location at: %APPDATA%\Microsoft\Outlook\VbaProject.OTM. This file contains the backdoor macro code (NotDoor) that is later triggered through incoming emails.
    • The attacker edits Windows registry keys associated with Microsoft Outlook (Software\Microsoft\Office\16.0\Outlook) to establish persistence, ensuring the backdoor macro is executed every time Outlook starts, without alerting the user through warning messages or popups.

Malware: NotDoor

  • Type: Outlook VBA Macro Backdoor
  • Trigger via Email: Activated by specific strings in incoming emails (e.g., “Daily Report”)
  • Capabilities:
    • Data Exfiltration: Sends data via email to an attacker-controlled address (a.matti444@proton[.]me)
    • Command Execution: Executes PowerShell and Windows commands delivered in the email payload
    • File Upload/Download: Uploads files from and downloads files to the victim machine
    • Evasion: Uses custom string encoding and disables macro security dialogs

Recommendations

  1. Block unsigned or unapproved DLLs from loading into signed binaries using AppLocker or Microsoft Defender Application Control.
  2. Ensure Microsoft Office is up to date, especially Outlook and OneDrive components.
  3. Monitor for phishing emails with unusual attachments (e.g., .ini, .dll) or suspicious trigger keywords.
  4. Set up alerts for modification of the registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot
    Enabling this key is not a standard operation for end users and may indicate malicious intent to auto-load VBA macros on Outlook startup.
  5. Block traffic to ProtonMail from corporate endpoints or apply DLP monitoring.
  6. Hunt for Indicators:
    1. Suspicious File Copy (Macro Injection into Outlook)
      Look for PowerShell or cmd.exe process executions whose command line copies testtemp.ini into Outlook’s macro storage location, for example:
      $a=$env:APPDATA;copy c:\programdata\testtemp.ini "$a\Microsoft\Outlook\VbaProject.OTM"
    2. Search for the presence or execution of the following files:
      SSPICLI.dll (malicious DLL used in side-loading)
      testtemp.ini (macro payload dropped by loader)
  7. Block the IOCs at their respective controls
    https://www.virustotal.com/gui/collection/32d407f8855f4ad31026f782238af7bb0dcb0839db76e753468ab396132baefc/iocs
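The three hunting checks above (the testtemp.ini copy into VbaProject.OTM, the LoadMacroProviderOnBoot registry write, and SSPICLI.dll being side-loaded by onedrive.exe) expressed as detection logic over Sysmon-style events. This is an added example, not code from the advisory or from LAB52; the event records and paths are constructed, and the field names follow Sysmon's process-create (1), image-load (7) and registry-value-set (13) events.

```python
import re

# Constructed Sysmon-like sample events (not telemetry from the advisory).
# Event 1 reproduces the curly quotes seen in the published command line.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c $a=$env:APPDATA;copy c:\programdata\testtemp.ini “$a\Microsoft\Outlook\VbaProject.OTM”'},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\onedrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\onedrive.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\SSPICLI.dll"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\onedrive.exe",
     "ImageLoaded": r"C:\Windows\System32\SSPICLI.dll"},  # legitimate system copy, must not alert
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
]

# Rule 1: any copy/move whose destination is Outlook's macro store VbaProject.OTM.
OTM_COPY = re.compile(r"\b(copy|cp|copy-item|move|mv|xcopy)\b.*vbaproject\.otm", re.I)
TESTTEMP = re.compile(r"testtemp\.ini", re.I)
# Rule 2: a value set on the Outlook auto-load key (any Office version number).
MACRO_KEY = re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\LoadMacroProviderOnBoot$", re.I)
# Rule 3: SSPICLI.dll loaded into onedrive.exe from anywhere but the Windows system directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def normalise(s):
    """Map Word-style curly quotes to ASCII so quoted paths still match."""
    return s.replace("\u201c", '"').replace("\u201d", '"').replace("\u2018", "'").replace("\u2019", "'")

def hunt(events):
    """Return (severity, rule, evidence) tuples for events matching the NotDoor hunting rules."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            cl = normalise(ev.get("CommandLine", ""))
            if OTM_COPY.search(cl):
                # Copying testtemp.ini specifically is the published loader behaviour; any other
                # source written to VbaProject.OTM is still worth triage, at lower severity.
                findings.append(("high" if TESTTEMP.search(cl) else "medium", "macro_injection", cl))
        elif eid == 13 and MACRO_KEY.search(ev.get("TargetObject", "")):
            findings.append(("high", "outlook_autoload_key", ev["TargetObject"]))
        elif eid == 7:
            loaded = ev.get("ImageLoaded", "").lower()
            if (ev.get("Image", "").lower().endswith("\\onedrive.exe")
                    and loaded.endswith("\\sspicli.dll") and not loaded.startswith(SYSTEM_DIRS)):
                findings.append(("high", "sideload_sspicli", ev["ImageLoaded"]))
    return findings

if __name__ == "__main__":
    for sev, rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {evidence}")
```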

Source:

  • https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/

Ampcus Cyber