Russian hacker group APT28, also known as Fancy Bear, enhances its toolkit with the addition of the 'NotDoor' Outlook backdoor.
In a recent report published by S2 Grupo's threat intelligence lab, LAB52, researchers have identified a new Outlook backdoor named 'NotDoor'. This malware has been attributed to the Russia-backed cyber threat group APT28, also known as Fancy Bear, Forest Blizzard, and several other aliases.
APT28 is notorious for disruptive attacks and has been involved in numerous high-profile cyber operations. One of their most notable activities was in 2016, when they were reportedly involved in compromising the Hillary Clinton presidential campaign, the Democratic National Committee (DNC), and the Democratic Congressional Campaign Committee (DCCC), as part of a campaign to interfere in the US presidential election.
NotDoor illustrates the ongoing evolution of APT28, demonstrating how the group continuously generates new artifacts capable of bypassing established defense mechanisms. Upon infection, NotDoor creates a hidden directory to store artifacts, which are automatically emailed to the attacker and then deleted. It establishes covert communication by exfiltrating victim data to attacker-controlled email addresses and verifying execution via DNS and HTTP callbacks.
The malware's code is obfuscated with randomized variable names and a custom string encoding technique, making it difficult to detect. NotDoor is triggered by emails containing a predefined string and supports multiple instructions per email, such as file theft, command execution, or additional payload downloads.
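The behaviour described above (an inbound email carrying a trigger string, followed by the mailbox sending stolen artifacts to an attacker-controlled address) suggests a simple mailbox-level detection. The following is an added example written for this article, not code from the LAB52 report or from the article itself. It assumes a hypothetical mail-gateway log format, an invented placeholder trigger string (the real string is not given here), and `example.org` as the organisation's own domain; the log lines are constructed for the example.

```python
"""Detect the 'trigger email -> outbound attachment' chain on gateway logs.

Added example, not part of the original article or the LAB52 report.
Everything below is hypothetical: the log format, the TRIGGER_MARKER
placeholder, and the example.org internal domain.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder only: the page does not disclose NotDoor's actual trigger string.
TRIGGER_MARKER = "TRIGGER-PLACEHOLDER"
INTERNAL_DOMAIN = "example.org"   # assumed organisation domain
WINDOW = timedelta(minutes=30)    # how soon after a trigger we expect exfil

# Constructed log format: <iso-timestamp> <IN|OUT> mailbox=<addr> peer=<addr>
#                         subject="<text>" attachments=<count>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<dir>IN|OUT) mailbox=(?P<mbox>\S+) peer=(?P<peer>\S+) '
    r'subject="(?P<subject>[^"]*)" attachments=(?P<att>\d+)$'
)

# Constructed sample log: alice receives a trigger mail and two minutes later
# sends attachments to an external address; carol's outbound mail is benign.
SAMPLE_LOG = """
2025-09-03T09:00:00 IN mailbox=alice@example.org peer=bob@example.org subject="Q3 budget" attachments=1
2025-09-03T09:05:00 IN mailbox=alice@example.org peer=unknown@mail.invalid subject="Re: TRIGGER-PLACEHOLDER status" attachments=0
2025-09-03T09:07:00 OUT mailbox=alice@example.org peer=drop@mail.invalid subject="Re: TRIGGER-PLACEHOLDER status" attachments=2
2025-09-03T09:08:00 OUT mailbox=alice@example.org peer=bob@example.org subject="Q3 budget" attachments=1
2025-09-03T11:00:00 OUT mailbox=carol@example.org peer=partner@mail.invalid subject="Invoice" attachments=1
""".strip().splitlines()


def parse_line(line):
    """Parse one gateway log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["att"] = int(event["att"])
    return event


def is_external(addr):
    """True when the peer address is outside the assumed internal domain."""
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def find_suspicious_chains(lines, marker=TRIGGER_MARKER, window=WINDOW):
    """Return (mailbox, trigger_ts, outbound_ts, peer) for every outbound mail
    with attachments to an external address that follows, within `window`,
    an inbound mail to the same mailbox whose subject contains `marker`.

    If your gateway also logs body-content hits, check that field as well;
    the subject is used here only because it is what the sample log carries.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    triggers = defaultdict(list)   # mailbox -> timestamps of trigger mails
    hits = []
    for e in events:
        if e["dir"] == "IN" and marker in e["subject"]:
            triggers[e["mbox"]].append(e["ts"])
        elif e["dir"] == "OUT" and e["att"] > 0 and is_external(e["peer"]):
            for t in triggers[e["mbox"]]:
                if t <= e["ts"] <= t + window:
                    hits.append((e["mbox"], t, e["ts"], e["peer"]))
                    break
    return hits


if __name__ == "__main__":
    for mbox, t_in, t_out, peer in find_suspicious_chains(SAMPLE_LOG):
        print(f"{mbox}: trigger at {t_in}, attachments sent to {peer} at {t_out}")
```

The check is deliberately narrow: it only fires when a trigger mail is followed by an outbound mail with attachments to an external address from the same mailbox, which keeps ordinary external correspondence (the `carol` line) out of the results. Tune the window and the external-domain rule to your own environment.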
More recently, APT28 was linked to a campaign delivering LameHug, one of the first malware families to leverage large language models (LLMs). LameHug, described by MITRE researchers as a "primitive" testbed for future AI-powered attacks, was initially detected by the National Computer Emergency Response Team of Ukraine (CERT-UA) in July 2025.
APT28 has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. In 2018, the US Department of Justice (DoJ) indicted five officers from GRU Unit 26165 for orchestrating cyber intrusions between 2014 and 2018.
Some of these operations were carried out with support from GRU Unit 74455, also known as the Sandworm Team. Before developing NotDoor, which abuses Microsoft Outlook for data exfiltration and command execution, APT28 had most recently targeted companies in NATO countries.
The report about NotDoor was published by S2 Grupo's threat intelligence lab, LAB52, on September 3. NotDoor leverages DLL side-loading via a signed Microsoft binary to deploy the backdoor while evading detection. This discovery underscores the need for continuous vigilance and the development of advanced defense mechanisms to counteract the evolving threats posed by cyberattack groups like APT28.