New Outlook backdoor NotDoor linked to Russian APT28 hackers

LAB52, the threat intelligence team at Spanish cybersecurity firm S2 Grupo, has discovered a new Outlook backdoor, which it linked to the Russia-aligned threat actor known as APT28 or Fancy Bear. The backdoor, dubbed NotDoor because it embeds the word “Nothing” in its code, is a VBA macro that turns Outlook into a stealthy remote access and data-exfiltration channel.

According to LAB52, the intrusion chain abuses a legitimate, signed Microsoft OneDrive binary via DLL side-loading to drop and run a malicious DLL (identified as SSPICLI.dll) which installs the VBA backdoor. The actor places the payload on disk (LAB52 observed C:\ProgramData\testtemp.ini) and uses an encoded PowerShell loader to move that file into Outlook’s macro store so Outlook will execute it.

Once active, the VBA project hooks standard Outlook events (Application_MAPILogonComplete and Application_NewMailEx) so it runs whenever Outlook starts or a qualifying email arrives. The backdoor looks for a trigger string, parses commands encrypted with a custom encoding technique, deletes the triggering message, and can exfiltrate files and execute commands on the host. The malware also creates a temporary folder (%TEMP%\Temp) for artifacts and will attempt to email collected files to an attacker-controlled address.

LAB52 notes the threat actor uses benign services as operational checks (the loader performs DNS and HTTP callbacks), apparently to confirm successful execution. The researchers also said that the malware reduces user-facing macro warnings by changing Outlook registry settings and enables a registry subkey to ensure the VBA provider loads at boot, increasing persistence and evasion.
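A host-side triage check for the persistence and evasion settings described above, added here as an example and not code from the LAB52 report. It assumes the Office 16.0 registry hive and the standard Outlook value names (Security\Level, LoadMacroProviderOnBoot) and macro-store file (VbaProject.OTM), none of which the article names.

```powershell
# Added triage script (not from the LAB52 report). Assumptions: Office 16.0
# registry hive; Level / LoadMacroProviderOnBoot / VbaProject.OTM are the
# standard Outlook names, not values taken from the report.
$officeVersion = '16.0'
$outKey  = "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook"
$secKey  = "$outKey\Security"
$otmPath = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
$findings = @()

# 1. Macro security level lowered: Level=1 means "enable all macros", no prompt
$level = (Get-ItemProperty -Path $secKey -Name 'Level' -ErrorAction SilentlyContinue).Level
if ($level -eq 1) { $findings += "Outlook macro security Level=1 under $secKey" }

# 2. VBA provider forced to load when Outlook starts
$loadOnBoot = (Get-ItemProperty -Path $outKey -Name 'LoadMacroProviderOnBoot' -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
if ($loadOnBoot -eq 1) { $findings += "LoadMacroProviderOnBoot=1 under $outKey" }

# 3. A VBA project in the macro store; most users never create one, so
#    its presence (and a recent write time) is worth a look
if (Test-Path $otmPath) {
    $otm = Get-Item $otmPath
    $findings += "VbaProject.OTM present ($($otm.Length) bytes, modified $($otm.LastWriteTime))"
}

# 4. Artifact folder the article describes
$staging = Join-Path $env:TEMP 'Temp'
if (Test-Path $staging) { $findings += "Staging folder present: $staging" }

# 5. SSPICLI.dll outside the Windows system directories (side-loading candidate)
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
Get-ChildItem -Path $env:LOCALAPPDATA, $env:ProgramData -Filter 'sspicli.dll' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $systemDirs -notcontains $_.DirectoryName } |
    ForEach-Object { $findings += "SSPICLI.dll found outside system dirs: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No NotDoor-style indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it in the context of the user whose Outlook profile is being examined, since the keys and store path live under HKCU and %APPDATA%.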

Detection was limited at the time of analysis, the team said. The project is obfuscated (randomized variable and function names) and uses a novel string-encoding method that intermixes random characters with Base64-encoded payloads to make casual decoding appear as junk. LAB52 warned that APT28 has used similar techniques in prior campaigns targeting companies across several NATO member countries.
