
APT28 NotDoor Outlook backdoor activity

Malware Activity
Happening score: 28
2 unique sources, 2 articles

Summary


The NotDoor backdoor gives APT28 a covert way to abuse Microsoft Outlook for command execution and data exfiltration, expanding the threat group's reach on targeted systems. The malware is a VBA macro that watches incoming email for a trigger word and then performs hidden actions on the victim computer. Delivery relies on abuse of the signed OneDrive.exe binary with SSPICLI.dll sideloading to weaken macro defenses. Once active, it can send trigger-bearing emails, upload files, and delete the message that enabled execution.

Related Happenings

GoGra Linux backdoor uses Microsoft Graph API and Outlook for covert command delivery

Malware Activity
First: 22.04.2026 13:00 · Last: 22.04.2026 13:00 · Sources: 1

About this happening: The **GoGra** malware family now includes a **Linux backdoor variant** that uses **Microsoft Graph API** and an **Outlook inbox** for covert command delivery, making operator comm...

Fake Claude PlugX phishing campaign

Campaign
First: 13.04.2026 12:52 · Last: 13.04.2026 12:52 · Sources: 1

About this happening: A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...

Latest development: 07.05.2026 13:02

A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.

BadPaw multi-stage backdoor deployment targeting Ukraine

Malware Activity
First: 04.03.2026 16:30 · Last: 04.03.2026 16:30 · Sources: 1

About this happening: Researchers uncovered **BadPaw**, a multi-stage **malware** operation that uses **ukr[.]net**-hosted email lures and staged redirects to install a backdoor on **Ukrainian** target...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 · Last: 03.03.2026 11:20 · Sources: 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

MiniDoor and PixyNetLoader malicious RTF delivery chain

Malware Activity
First: 03.02.2026 11:12 · Last: 03.02.2026 11:12 · Sources: 1

About this happening: A **malicious RTF** delivery chain introduced **MiniDoor** and **PixyNetLoader**, enabling **email theft** or **Covenant Grunt** deployment on targeted hosts. MiniDoor stole mail...

Timeline

  1. 03.09.2025 23:49 · 2 articles · 8 months ago

    APT28 uses NotDoor to turn Microsoft Outlook into a covert backdoor

    Initial Disclosure

    Researchers from Lab52 describe NotDoor as a VBA macro for Microsoft Outlook that watches incoming emails for trigger strings and can parse message contents to execute commands, exfiltrate data, upload files, and delete the triggering email. The activity uses signed OneDrive.exe DLL sideloading with SSPICLI.dll, Base64-encoded PowerShell, and DNSHook to support covert execution inside targeted Windows systems.
