The notorious Russia-linked APT28 threat group, also known as "Fancy Bear," has been caught deploying a Microsoft Outlook backdoor that lets it steal data, upload files and execute commands on compromised machines.
Security researchers at Lab52 and Kroll uncovered the campaign, which uses a VBA macro inside Outlook to watch incoming emails for a specific trigger word. When a message containing the trigger arrives, the macro carries out the attacker's instructions, giving the threat actor control of the victim's computer.
“The malware has been dubbed NotDoor by S2 Grupo’s Lab52 team and GonePostal by Kroll researchers, but both names refer to the same Outlook VBA backdoor used by APT28 in this campaign.”
APT28 is a well-known threat group linked to Russia's military intelligence agency, the GRU. The group has been active since at least 2004 and has been behind high-profile email breaches in the past.
Most famously, it was reportedly behind the 2016 compromise of the Democratic National Committee and the email accounts of Hillary Clinton's campaign staff, in the middle of the US presidential election campaign.
The group is known for blending targeted malware with social engineering to compromise high-value targets, including Western governments and Ukraine.
Researchers at Lab52 say that this particular campaign using Outlook as a backdoor has already been used to target “multiple companies from various sectors in NATO member countries.”
“While Outlook based persistence is not new and has been observed before… GONEPOSTAL is not a commonly seen tactic; and many may not have alerts tuned,” threat researchers at Kroll said.
How NotDoor/GonePostal Works
While the initial access vector is not yet known, analysis shows the malware is delivered through DLL side-loading.
The attackers abuse Microsoft's legitimate onedrive.exe to load a malicious SSPICLI.dll, planted where the executable's DLL search finds it before the genuine copy in the Windows system directory. The DLL then creates artifacts such as C:\ProgramData\testtemp.ini.
Once loaded, the malicious DLL installs the VBA backdoor and weakens Outlook's macro security settings so the macro runs without prompting the user, keeping the malware out of sight.
The macro then fires every time a new email arrives in Outlook. Each message is scanned for a specific trigger word; when it is found, the macro treats the email as a command and begins executing the attacker's instructions.
Lab52 documented four commands, all issued and answered over Outlook email:
- cmd – execute a system command and return its output to the attacker as an email attachment
- cmdno – execute a system command without returning output
- dwn – exfiltrate files from the victim as email attachments
- upl – deliver files from the attacker onto the victim's machine
Stolen data is stored in a temporary folder and then sent to an attacker-controlled ProtonMail address, using custom encoding to disguise its contents.
To avoid detection, NotDoor/GonePostal disables Outlook security prompts, weakens macro protections, and uses registry modifications to ensure persistence across reboots.
Why This Matters
For security defenders, this campaign highlights a worrying direction of APT28’s tactics.
The NotDoor/GonePostal malware is hard to detect because it uses Outlook itself, a tool every victim already runs, as the channel for receiving commands and stealing corporate data.
Unlike malware that beacons to a dedicated command-and-control server, NotDoor/GonePostal sends and receives its commands and stolen data as ordinary email, so its traffic blends into legitimate mail flow and defenses that look for connections to unknown C2 endpoints have nothing to catch.
Kroll’s research also suggests this attack is still in development. They found additional code samples not yet in full use, perhaps suggesting the attackers are planning to add new features and methods to this backdoor.
“The campaign is a good example of living-off-the-land, using common business tools and methods of communication for command and control,” said Kroll researchers.
“Interception of email communications and a platform for tool ingress over legitimate means enables a stealthy manner of access which could be difficult to detect.”
For a detailed breakdown of the methodology you can read the full reports from Lab52 and Kroll.
How To Stay Protected
There are several indicators of compromise that can reveal whether you have been targeted.
Indicators include a copy of SSPICLI.dll outside the Windows system directories (the genuine library lives in System32, so a copy sitting next to onedrive.exe is the side-loading artifact) and the file C:\ProgramData\testtemp.ini, both used in the attack chain.
Administrators should also monitor for changes to the Outlook registry values LoadMacroProviderOnBoot, which makes Outlook load its VBA project at startup, and Outlook\Security\Level, which when set to 1 enables all macros without prompting. Together these are the settings that let the malicious macro run every time Outlook starts.
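The following PowerShell script is an added example for this article, not code from Lab52 or Kroll, that checks a single Windows host for the artifacts described above: the lowered Outlook macro registry settings, the testtemp.ini file, and a copy of SSPICLI.dll in a user-writable location such as the OneDrive directory the side-loading step relies on. It assumes Office registry paths under versions 15.0 and 16.0 and the per-user OneDrive install directory under %LOCALAPPDATA%; both are assumptions, not details from the reports. It also checks for Outlook's VBA project file, VbaProject.OTM, which the article does not mention but which is where Outlook stores user macros. The script is read-only and changes nothing.

```powershell
# Added host-hunting script: checks one Windows host for the NotDoor/GonePostal indicators
# described in the article. Read-only; it reports findings and changes nothing.
# Assumptions (not from the Lab52/Kroll reports): Office registry paths for versions 15.0
# and 16.0, and the per-user OneDrive install directory under %LOCALAPPDATA%.

function Find-NotDoorIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Registry: Outlook loads its VBA project at startup, and macro security is lowered.
    #    Security\Level values: 1 = enable all macros, 2 = notify for all macros,
    #    3 = notify for signed macros only (default), 4 = disable all macros.
    foreach ($ver in '15.0', '16.0') {
        $roots = @(
            "HKCU:\Software\Microsoft\Office\$ver\Outlook",
            "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook"
        )
        foreach ($root in $roots) {
            $boot = Get-ItemProperty -Path $root -Name LoadMacroProviderOnBoot -ErrorAction SilentlyContinue
            if ($boot -and $boot.LoadMacroProviderOnBoot -eq 1) {
                $findings.Add("LoadMacroProviderOnBoot=1 at $root (VBA project loaded at every Outlook start)")
            }
            $sec = Get-ItemProperty -Path "$root\Security" -Name Level -ErrorAction SilentlyContinue
            if ($sec -and $sec.Level -eq 1) {
                $findings.Add("Security\Level=1 at $root\Security (all macros run without prompting)")
            }
        }
    }

    # 2. File artifact named in the article.
    $ini = 'C:\ProgramData\testtemp.ini'
    if (Test-Path -LiteralPath $ini) { $findings.Add("Artifact present: $ini") }

    # 3. SSPICLI.dll outside the Windows system directories. The genuine library lives in
    #    System32/SysWOW64 (and WinSxS); a copy in a user-writable location, especially the
    #    OneDrive directory next to onedrive.exe, is the side-loading indicator.
    $searchRoots = @("$env:LOCALAPPDATA\Microsoft\OneDrive", $env:ProgramData, $env:APPDATA, $env:TEMP)
    foreach ($dir in $searchRoots) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter 'sspicli.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Record the Authenticode status so an unsigned or wrongly signed copy stands out.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $findings.Add("sspicli.dll outside system dirs: $($_.FullName) (signature: $($sig.Status))")
            }
    }

    # 4. Outlook's VBA project file. Not named in the article; it is where Outlook stores user
    #    macros, so its presence on a host with no sanctioned Outlook macros deserves review.
    $otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
    if (Test-Path -LiteralPath $otm) {
        $item = Get-Item -LiteralPath $otm
        $findings.Add("VbaProject.OTM present: $otm ($($item.Length) bytes, modified $($item.LastWriteTime))")
    }

    return ,$findings
}

$results = Find-NotDoorIndicators
if ($results.Count -eq 0) {
    Write-Output 'No NotDoor/GonePostal indicators found on this host.'
} else {
    $results | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it in the context of each interactive user, since the registry values and the VbaProject.OTM path live under HKCU and %APPDATA% rather than machine-wide locations. A hit on the registry checks alone is not proof of compromise (an administrator may have enabled macros deliberately), but a lowered Security\Level together with LoadMacroProviderOnBoot set to 1 and an unexpected VBA project is exactly the combination this backdoor needs, and should be investigated.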
Given that APT28 has targeted companies in NATO member countries, organizations operating in these regions may benefit from auditing their Outlook environments and strengthening defenses against this attack method.