Russian Hackers Unleash NotDoor Backdoor: APT28 Targets NATO Nations Via Outlook Threats
Russian State Hackers Deploy Sophisticated Outlook Backdoor Against NATO Countries
A new Microsoft Outlook backdoor called "NotDoor" has been discovered targeting companies across NATO member countries, with security researchers attributing the attacks to the Russian state-sponsored hacking group APT28. The malware, detected in September 2025, lets attackers monitor a victim's email, exfiltrate data, and execute remote commands on the compromised host.
Advanced Persistence and Stealth Capabilities
The NotDoor backdoor demonstrates APT28's evolving tradecraft: it is deployed by DLL side-loading through Microsoft's legitimate OneDrive executable, so the malicious code runs under a trusted, Microsoft-signed process and keeps a low profile on the compromised system. The technique defeats controls that trust a binary by its publisher alone; the practical check is whether the DLLs that trusted binary actually loads are themselves signed by Microsoft and located in their expected directories.
S2 Grupo's LAB52 threat intelligence team found that NotDoor employs a VBA macro specifically designed to monitor incoming emails for trigger words like "Daily Report." Once activated, the malware can:
- Execute system commands and return outputs as email attachments
- Exfiltrate sensitive files from victim computers
- Upload malicious files to compromised systems
- Establish persistent communication channels through legitimate Microsoft services
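The mailbox-as-C2 pattern described above, where an inbound message carrying a trigger phrase is followed by an outbound message whose attachment carries command output, leaves a trace in mail-flow logs that a defender can hunt for. The following is an added example written for this page, not code from LAB52, Kroll or the article: it scans a constructed message-trace export for inbound messages containing the reported trigger phrase "Daily Report" and flags any outbound message with an attachment that the same mailbox sends to an external domain shortly afterwards. The record layout, the 30-minute reply window and the external-domain heuristic are assumptions; adapt them to your own mail-trace format and organisation.

```python
"""Hunt for NotDoor-style mailbox command-and-control in a message trace.

Added example for this page (not LAB52/Kroll/article code). The trace
records below are constructed; field names, the reply window and the
external-domain heuristic are assumptions to adapt to your environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Trigger phrase reported by LAB52; extend as further variants are published.
TRIGGER_WORDS = ("daily report",)
# Assumption: the macro answers a command soon after the trigger arrives.
REPLY_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class MessageEvent:
    ts: datetime
    mailbox: str          # the monitored user's mailbox
    direction: str        # "inbound" or "outbound" relative to that mailbox
    peer: str             # sender (inbound) or recipient (outbound)
    subject: str
    body: str = ""
    attachments: tuple = ()


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def is_trigger(evt):
    """True if an inbound message carries a known trigger phrase in subject or body."""
    if evt.direction != "inbound":
        return False
    text = f"{evt.subject}\n{evt.body}".lower()
    return any(word in text for word in TRIGGER_WORDS)


def find_suspicious(events, org_domain, window=REPLY_WINDOW):
    """Pair each trigger message with later outbound attachments leaving the org.

    A legitimate "Daily Report" thread answered internally is not flagged; an
    attachment sent to an external address within the window after a trigger is.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, trig in enumerate(ordered):
        if not is_trigger(trig):
            continue
        for reply in ordered[i + 1:]:
            if reply.ts - trig.ts > window:
                break  # events are time-ordered, nothing later can match
            if (reply.mailbox == trig.mailbox
                    and reply.direction == "outbound"
                    and reply.attachments
                    and _domain(reply.peer) != org_domain.lower()):
                findings.append({
                    "mailbox": trig.mailbox,
                    "trigger_from": trig.peer,
                    "trigger_at": trig.ts,
                    "reply_to": reply.peer,
                    "reply_at": reply.ts,
                    "attachments": reply.attachments,
                })
    return findings


# Constructed sample trace: one benign internal report thread, one suspect
# exchange, and one trigger with no timely follow-up.
_T0 = datetime(2025, 9, 3, 9, 0)
SAMPLE_TRACE = [
    MessageEvent(_T0, "alice@corp.example", "inbound", "bob@corp.example",
                 "Daily Report - 3 Sep"),
    MessageEvent(_T0 + timedelta(minutes=10), "alice@corp.example", "outbound",
                 "bob@corp.example", "RE: Daily Report - 3 Sep",
                 attachments=("report.xlsx",)),
    MessageEvent(_T0 + timedelta(hours=1), "alice@corp.example", "inbound",
                 "ops@mail.example", "Reminder",
                 body="please send the daily report"),
    MessageEvent(_T0 + timedelta(hours=1, minutes=4), "alice@corp.example",
                 "outbound", "drop@mail.example", "Re: Reminder",
                 attachments=("output.txt",)),
    MessageEvent(_T0 + timedelta(hours=2), "carol@corp.example", "inbound",
                 "ops@mail.example", "Daily Report"),
    MessageEvent(_T0 + timedelta(hours=3), "carol@corp.example", "outbound",
                 "drop@mail.example", "Re: Daily Report",
                 attachments=("output.txt",)),
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_TRACE, "corp.example"):
        print(hit)
```

On the sample trace only Alice's second exchange is reported: the trigger phrase sits in the body rather than the subject, and an attachment leaves the organisation four minutes later. The internal report thread and Carol's unanswered trigger are left alone, which is the point of pairing the trigger with the reply rather than alerting on the phrase itself.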
Technical Implementation and Impact
The malware's sophisticated architecture includes multiple layers of obfuscation and leverages legitimate Microsoft services to avoid detection. "This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation to carry out a fully covert operation from initial implantation to data exfiltration," noted researchers at 360 Threat Intelligence Center.
Kroll's threat intelligence team, tracking the campaign under the name KTA007, emphasized the malware's effectiveness in living-off-the-land techniques. "The campaign is a good example of using common business tools and methods of communication for command and control," explained researchers Marc Messer and Dave Truman. Small and medium-sized businesses should be particularly vigilant, since they often lack robust security measures and should implement comprehensive cybersecurity measures to protect against such threats.
For more detailed technical analysis of the NotDoor backdoor, visit the Microsoft Security Blog.
The discovery of NotDoor highlights the ongoing sophistication of state-sponsored cyber operations and the increasing use of legitimate services for malicious purposes. Organizations, particularly those in NATO countries, should remain vigilant and implement robust security measures to protect against such advanced persistent threats.