NotDoor
NotDoor is an Outlook-focused backdoor implemented as a VBA macro for Microsoft Outlook and associated with APT28 (Fancy Bear/UAC-0001), a Russia-linked GRU threat actor. Reporting links it to espionage operations against government, military, diplomatic, maritime, transport, and other organizations in Ukraine, Eastern Europe, and NATO member states. It has also been referred to as GONEPOSTAL, and some reporting notes MiniDoor as a stripped-down variant of NotDoor.
High-confidence reporting describes NotDoor as designed for long-term email intelligence collection rather than interactive C2. It monitors incoming emails for a predefined trigger word or phrase and uses Outlook event handlers such as Application_MAPILogonComplete and Application_NewMailEx to execute at Outlook startup and on new mail. When triggered, it can exfiltrate data, upload files, and execute commands on the compromised host. Multiple sources state it automatically forwards emails and attachments from targeted mailboxes, including Inbox, Drafts, and Junk folders, to attacker-controlled addresses. Reported exfiltration addresses include chmilewskii@outlook[.]com, chmilewskii@proton[.]me, ahmeclaw2002@outlook[.]com, ahmeclaw@proton[.]me, and a.matti444@proton[.]me. Some reporting states it saves messages as .msg files before forwarding, marks processed emails with an "AlreadyForwarded" property, sets DeleteAfterSubmit=True, deletes triggering emails, and purges sent items to reduce evidence.
The malware weakens Outlook protections and establishes persistence by modifying registry keys under HKCU\Software\Microsoft\Office\16.0\Outlook, including setting Security\Level to 1 and LoadMacroProviderOnBoot to 1, and by suppressing Outlook dialog messages. It writes or installs a malicious VbaProject.OTM file in %APPDATA%\Microsoft\Outlook. One documented deployment chain uses DLL side-loading via legitimate Microsoft OneDrive.exe to load a malicious SSPICLI.dll, which installs the VBA project and disables macro security protections. That chain used Base64-encoded PowerShell commands to copy c:\programdata\testtemp.ini to %APPDATA%\Microsoft\Outlook\VbaProject.OTM and to verify execution through webhook.site DNS and HTTP callbacks. Reported sample hashes include SSPICLI.dll SHA-256 5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705 and testtemp.ini SHA-256 8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901.
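A defender-side hunting check for the host artifacts listed above (the Outlook registry values, VbaProject.OTM, the staged testtemp.ini and the side-loaded SSPICLI.dll), added here as example code and not taken from any of the cited reports. It assumes the Outlook 16.0 key path the reporting names and, as an assumption, that a side-loaded SSPICLI.dll would live under %LOCALAPPDATA% rather than in System32.

```powershell
# Added hunting check for NotDoor host artifacts; example code, not from the cited reports.
# Assumes Outlook 16.0 (the key path named in the reporting).
$KnownSha256 = @{
    'SSPICLI.dll'  = '5A88A15A1D764E635462F78A0CD958B17E6D22C716740FEBC114A408EEF66705'
    'testtemp.ini' = '8F4BCA3C62268FFF0458322D111A511E0BCFBA255D5AB78C45973BD293379901'
}
$OutlookKey = 'HKCU:\Software\Microsoft\Office\16.0\Outlook'
$Findings   = [System.Collections.Generic.List[string]]::new()

# 1. Registry weakening: Security\Level = 1 and LoadMacroProviderOnBoot = 1
$sec = Get-ItemProperty -Path "$OutlookKey\Security" -Name Level -ErrorAction SilentlyContinue
if ($sec -and $sec.Level -eq 1) {
    $Findings.Add("$OutlookKey\Security\Level = 1 (macro security lowered)")
}
$lmp = Get-ItemProperty -Path $OutlookKey -Name LoadMacroProviderOnBoot -ErrorAction SilentlyContinue
if ($lmp -and $lmp.LoadMacroProviderOnBoot -eq 1) {
    $Findings.Add("$OutlookKey\LoadMacroProviderOnBoot = 1 (VBA project loaded at startup)")
}

# 2. VbaProject.OTM is legitimate on hosts with user macros, so report metadata for triage
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path -LiteralPath $otm) {
    $f = Get-Item -LiteralPath $otm
    $Findings.Add("VbaProject.OTM present: $($f.Length) bytes, modified $($f.LastWriteTime)")
}

# 3. Staged payload and side-loaded DLL from the documented OneDrive.exe chain.
# Assumption: a malicious SSPICLI.dll sits under the user profile (the legitimate
# copy lives in System32), so only %LOCALAPPDATA% is searched.
$candidates = @('C:\ProgramData\testtemp.ini')
$candidates += @(Get-ChildItem -Path $env:LOCALAPPDATA -Recurse -File -Filter 'SSPICLI.dll' `
                 -ErrorAction SilentlyContinue | ForEach-Object FullName)
foreach ($path in $candidates) {
    if ([string]::IsNullOrEmpty($path) -or -not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $name = Split-Path -Leaf $path
    if ($KnownSha256[$name] -eq $hash) {
        $Findings.Add("KNOWN NotDoor sample: $path ($hash)")
    } else {
        $Findings.Add("Unexpected file for review: $path ($hash)")
    }
}

if ($Findings.Count -eq 0) { 'No NotDoor artifacts found.' } else { $Findings }
```

Run it in the context of the user whose Outlook profile is being examined, since the registry values and VbaProject.OTM path are per-user (HKCU and %APPDATA%).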
In 2026 reporting, NotDoor appeared in multi-stage APT28 exploitation chains abusing Microsoft Office vulnerability CVE-2026-21509, delivered through spear-phishing documents using embedded OLE objects and WebDAV to fetch payloads without requiring macros for initial execution. Those campaigns targeted European and Ukrainian government and defense-related entities and in some cases paired NotDoor with other tooling including SimpleLoader, BeardShell, Covenant Grunt, and filen.io-based command-and-control infrastructure.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The attackers weaponized a newly disclosed Microsoft Office 1-day (CVE-2026-21509) within 24 hours of its public revelation... CVE-2026-21509, a Microsoft Office security feature bypass vulnerability... allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure.
CVE-2026-21513 zero-day: Exploited at least 11 days before the February 10, 2026 patch release... By combining zero-day exploitation (CVE-2026-21513) with rapid weaponization of newly disclosed vulnerabilities (CVE-2026-21509)... Immediate mitigations Patching: Prioritize the remediation of both CVE-2026-21509 and CVE-2026-21513 across the entire fleet immediately.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“NotDoor” Outlook backdoor variant: Parallel to the steganography loader chain, certain campaign targets received NotDoor, a two-stage Outlook-focused backdoor designed for long-term email intelligence collection rather than interactive C2.
The exploitation delivers a multi-stage infection chain culminating in the NotDoor Outlook backdoor and Covenant Grunt implants.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
"APT28 (aka Fancy Bear) managed to reverse-engineer Microsoft's urgent Office patch for CVE-2026-21509 and had working exploits hitting targets within 48 hours of release."
Initial Access
2 techniques
In these attacks, phishing emails with geopolitically-charged narratives related to transnational weapons smuggling, military training programs, and meteorological emergency bulletins contain weaponized documents that exploit CVE-2026-21509...
APT28's attack begins with spear-phishing emails containing weaponized documents that exploit CVE-2026-21509... All emails carried weaponized RTF/DOC attachments.
Execution
4 techniques
...upon detection, allows attackers to exfiltrate data, upload files, and execute commands on the compromised system
The campaign relies on a layered infection chain and new tooling, starting with a lightweight loader and progressing to an Outlook VBA backdoor called NotDoor... The loader either... drops VbaProject.OTM for NotDoor payload.
CVE-2026-21509, a remote code execution vulnerability in Microsoft Office affecting RTF and OLE document processing... weaponized the flaw in malicious RTF files targeting Ukrainian government agencies and European defense, transportation, and diplomatic entities.
When victims open these malicious documents, the exploit triggers automatically without requiring macros or user interaction.
Persistence
2 techniques
The dropper then writes the VbaProject.OTM directly to %APPDATA%\Microsoft\Outlook... establishes LoadMacroProviderOnBoot as 1.
Privilege Escalation
2 techniques
The entire chain is designed for resilience and evasion, utilizing encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection to minimize forensic artifacts
Stealth
3 techniques
The entire chain is designed for resilience and evasion, utilizing encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection to minimize forensic artifacts
Discovery
1 technique
...allows attackers to exfiltrate data, upload files, and execute commands on the compromised system
Collection
2 techniques
The VBA macro itself implements email surveillance through dual automatic triggers... processing up to 10 messages per folder per execution.
"NotDoor was monitoring email folders and automatically forwarding sensitive messages"
Command and Control
3 techniques
Cloud storage services (notably filen.io) serve as C2 infrastructure, blending malicious traffic with normal enterprise activity.
"they used legitimate cloud services for command and control to stay under the radar"
The vulnerability allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure... the initial exploitation downloads a malicious LNK shortcut and first-stage loader DLL...
Exfiltration
2 techniques
...upon detection, allows attackers to exfiltrate data, upload files, and execute commands on the compromised system
creates a new forwarding message with the original attached, and transmits it to two adversary-controlled addresses via standard SMTP.
IOCs tracked for this family
35 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Outlook backdoor used as the final payload in a multi-stage spear-phishing exploitation chain tied to CVE-2026-21509 campaigns.
An Outlook VBA backdoor for persistent email surveillance and exfiltration. It disables Outlook macro security, installs VbaProject.OTM, triggers on Outlook login and new mail, and forwards collected messages to attacker-controlled email accounts.
Referenced as a prior malware ecosystem or lineage linked to the current campaign, associated with long-term espionage and related technically to PRISMEX activity.
Microsoft Outlook VBA macro backdoor that monitors incoming emails for a trigger word and executes actions when triggered (per excerpt).