Mallory
Malware | Used by 1 actor | Exploits 2 CVEs

MiniDoor

MiniDoor is a malicious Microsoft Outlook-focused email stealer used in the APT28/Fancy Bear Operation Neusploit campaign. It is described as a lightweight, stripped-down variant of NotDoor/GONEPOSTAL and is implemented as an Outlook VBA project deployed by a 64-bit C++ dropper DLL after exploitation of CVE-2026-21509 via weaponized RTF documents. The campaign targeted users and organizations in Central and Eastern Europe, especially Ukraine, Slovakia, and Romania, with reporting also tying related activity to Ukrainian government, military, public sector, maritime, and transport targets.

The MiniDoor dropper decrypts an Outlook VBA project from its .rdata section using a rolling XOR key and writes it to %appdata%\Microsoft\Outlook\VbaProject.OTM. It modifies Outlook-related registry settings to reduce security and ensure execution, including setting HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level to 1 to enable all Outlook macros, disabling content download warnings, and configuring the macro provider to load on Outlook startup. A reported mutex used by the dropper is adjgfenkbe.

MiniDoor's primary function is email theft and exfiltration from Microsoft Outlook. It handles the Outlook Application events MAPILogonComplete and NewMailEx, waits for a period after logon, and harvests messages from mailbox folders reported as including Inbox, RSS Feeds, Junk, and Drafts. It saves each stolen message to %TEMP%\temp_email.msg, creates a new email with that file attached, and sends it to the hardcoded attacker-controlled addresses ahmeclaw2002@outlook.com and ahmeclaw@proton.me. It sets DeleteAfterSubmit to true so the exfiltration emails never land in the Sent folder (a server-side message trace is therefore the reliable place to look for them), and it tags processed messages with an AlreadyForwarded property to avoid forwarding the same item twice.

MiniDoor has been consistently associated in the provided reporting with APT28/Fancy Bear/UAC-0001 and Operation Neusploit, where it was one of two payload paths alongside PixyNetLoader and a Covenant Grunt implant chain. High-confidence indicators directly mentioned for MiniDoor include the mutex adjgfenkbe, the Outlook VBA path %appdata%\Microsoft\Outlook\VbaProject.OTM, the temporary file %TEMP%\temp_email.msg, the registry path HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level, and the exfiltration email addresses ahmeclaw2002@outlook.com and ahmeclaw@proton.me.
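The indicators above are straightforward to turn into a hunt. The script below is an added example written for this page, not code from Mallory or from any of the cited vendors. It runs a few rules over telemetry expressed as JSON lines in a simplified Sysmon/EDR shape (the field names `event`, `image`, `target`, `details`, `name`, `recipients` are an assumption; map your own schema onto them), and the sample records are constructed, not captured. It goes slightly beyond the page in one respect: the registry pattern matches any Office version key, not only 16.0, so an older install does not slip past. The indicator values themselves (mutex, paths, registry value, exfiltration addresses) are those reported on this page.

```python
"""Hunt for MiniDoor indicators in endpoint and mail telemetry (added example)."""
import json
import re

# Indicator values as reported on this page.
MUTEX_NAME = "adjgfenkbe"
EXFIL_ADDRESSES = {"ahmeclaw2002@outlook.com", "ahmeclaw@proton.me"}
# The page reports the 16.0 key (Office 2016/2019/365); widened to any
# Office version so an older install is still caught. Hive prefix is ignored
# because Sysmon logs HKCU keys as HKU\<SID>\...
SECURITY_LEVEL_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Security\\Level$", re.I)
OTM_PATH_RE = re.compile(r"\\Microsoft\\Outlook\\VbaProject\.OTM$", re.I)
TEMP_MSG_RE = re.compile(r"\\temp_email\.msg$", re.I)
OUTLOOK_IMAGE_RE = re.compile(r"\\OUTLOOK\.EXE$", re.I)


def _dword(details):
    """Parse a Sysmon-style 'DWORD (0x00000001)' string or a plain int."""
    if isinstance(details, int):
        return details
    m = re.search(r"0x([0-9a-fA-F]+)", str(details))
    return int(m.group(1), 16) if m else None


def classify(ev):
    """Return (severity, rule) for one event, or None if it is uninteresting."""
    kind = ev.get("event")
    target = ev.get("target", "")
    image = ev.get("image", "")
    if kind == "registry_set" and SECURITY_LEVEL_RE.search(target):
        # Level 1 turns off Outlook's macro security check entirely.
        if _dword(ev.get("details")) == 1:
            return "high", "outlook_macro_security_disabled"
        return None
    if kind == "file_create" and OTM_PATH_RE.search(target):
        # Outlook itself rewrites VbaProject.OTM when a user edits macros;
        # any other writer means something dropped a project into place.
        if OUTLOOK_IMAGE_RE.search(image):
            return "low", "otm_written_by_outlook"
        return "high", "otm_written_by_foreign_process"
    if kind == "file_create" and TEMP_MSG_RE.search(target):
        # Written by Outlook (the VBA runs inside it), so the name is the signal.
        return "medium", "minidoor_staging_file"
    if kind == "mutex_create" and ev.get("name") == MUTEX_NAME:
        return "high", "minidoor_mutex"
    if kind == "mail_sent":
        # DeleteAfterSubmit hides these from the client Sent folder, so this
        # rule expects server-side message-trace records, not mailbox contents.
        hits = EXFIL_ADDRESSES & {r.lower() for r in ev.get("recipients", [])}
        if hits:
            return "high", "mail_to_exfil_address"
    return None


def hunt(lines):
    """Run classify() over JSON lines; return findings ordered high-first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hit = classify(ev)
        if hit:
            findings.append({"severity": hit[0], "rule": hit[1], "event": ev})
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# Constructed sample telemetry (not captured data). The stage2.exe image name
# is a placeholder; the page does not name the process that runs the dropper.
SAMPLE_EVENTS = r"""
{"event": "registry_set", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level", "details": "DWORD (0x00000001)"}
{"event": "file_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"}
{"event": "mutex_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe", "name": "adjgfenkbe"}
{"event": "file_create", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\temp_email.msg"}
{"event": "mail_sent", "sender": "alice@example.org", "recipients": ["ahmeclaw2002@outlook.com", "ahmeclaw@proton.me"], "attachments": ["temp_email.msg"]}
{"event": "registry_set", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "target": "HKU\\S-1-5-21-2\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level", "details": "DWORD (0x00000003)"}
{"event": "file_create", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "target": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"}
{"event": "mail_sent", "sender": "bob@example.org", "recipients": ["carol@example.org"], "attachments": ["report.msg"]}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{f['severity']:6} {f['rule']:34} {f['event'].get('target') or f['event'].get('name') or f['event'].get('recipients')}")
```

The two benign records at the end (Outlook writing its own OTM, Level left at 3) show why the OTM rule keys on the writing process rather than the path alone; a user who edits macros will legitimately produce that file. Treat `otm_written_by_outlook` as a triage hint, not an alert.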


EXPLOITED CVES

2 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2026-21509: Microsoft Office Shell.Explorer.1 OLE Security Feature Bypass (exploited in the wild)

"ThreatLabz named this VBA-based malware MiniDoor, as it appears to be a minimal version of NotDoor reported by Lab52. Similar to NotDoor, MiniDoor collects emails from the infected machine, but does not support the email-based commands implemented in NotDoor."

"Both variants begin with a specially crafted RTF file that weaponizes CVE-2026-21509 and, after successful exploitation, downloads a malicious dropper DLL from the threat actor’s server."

via Zscaler ThreatLabz (zscaler.com)
CVE-2026-21513: MSHTML Framework Security Feature Bypass in Internet Explorer/MSHTML (exploited in the wild)

CVE-2026-21513 zero-day: Exploited at least 11 days before the February 10, 2026 patch release... By combining zero-day exploitation (CVE-2026-21513) with rapid weaponization of newly disclosed vulnerabilities (CVE-2026-21509)... Immediate mitigations Patching: Prioritize the remediation of both CVE-2026-21509 and CVE-2026-21513 across the entire fleet immediately.

via Trend Micro Research (trendmicro.com)
THREAT ACTORS

1 threat actor attributed by public researchers.
APT28

According to Zscaler ThreatLabz, the MiniDoor backdoor deployed in this campaign is a variant of NotDoor, demonstrating continuity in malware development.

via Trend Micro Research (trendmicro.com)
MITRE ATT&CK

18 distinct techniques documented for this family, grouped by tactic. The group labels are Mallory's own: "Stealth" and "Defense Impairment" are not ATT&CK tactic names (the techniques listed under both belong to Defense Evasion in ATT&CK), and a technique that maps to two tactics appears under each.

Initial Access (2 techniques)

T1566 Phishing (evidence: 1)

In these attacks, phishing emails with geopolitically-charged narratives related to transnational weapons smuggling, military training programs, and meteorological emergency bulletins contain weaponized documents that exploit CVE-2026-21509...

T1566.001 Spearphishing Attachment (evidence: 4)

The vulnerability in question is CVE-2026-21509... allow an unauthorized attacker to send a specially crafted Office file and trigger it.

Execution (3 techniques)

T1059.005 Visual Basic (evidence: 3)

The first dropper variant DLL is responsible for deploying a malicious Microsoft Outlook Visual Basic for Applications (VBA) project named MiniDoor.

T1203 Exploitation for Client Execution (evidence: 7)

Both variants begin with a specially crafted RTF file that weaponizes CVE-2026-21509 and, after successful exploitation, downloads a malicious dropper DLL from the threat actor’s server.

T1204 User Execution (evidence: 1)

"increasing the likelihood victims trigger the exploit"

Persistence (3 techniques)

T1112 Modify Registry (evidence: 5)

Sets the relevant Windows registry keys to downgrade Outlook security and allow the malicious project to load automatically each time Microsoft Outlook launches.

T1137.003 Outlook Forms (evidence: 3)

“Writes the decrypted VBA project (MiniDoor) to %appdata%\Microsoft\Outlook\VbaProject.OTM… allow the malicious project to load automatically each time Microsoft Outlook launches.”

T1546.015 Component Object Model Hijacking (evidence: 1)

"To ensure persistence, attackers use COM hijacking. They register their malicious file under a legitimate name, forcing the OS to load it when Explorer restarts."

Privilege Escalation (1 technique)

T1546.015 Component Object Model Hijacking (evidence: 1)

"To ensure persistence, attackers use COM hijacking. They register their malicious file under a legitimate name, forcing the OS to load it when Explorer restarts."

Stealth (3 techniques)

T1027 Obfuscated Files or Information (evidence: 2)

“Strings decrypted using a hardcoded 1-byte XOR key… rolling XOR key…” and “Strings in this sample are XOR-encoded… and then Base64-encoded.”

T1070 Indicator Removal (evidence: 1)

"Deleting these messages from the ‘Sent’ folder so the victim never knows they were targeted."

T1480.002 Mutual Exclusion (evidence: 1)

“Creates a mutex with the static name adjgfenkbe.” / “Creates a mutex with the name asagdugughi41.” / “Creates a mutex named dvyubgbqfusdv32.”

Defense Impairment (1 technique)

T1112 Modify Registry (evidence: 5)

Sets the relevant Windows registry keys to downgrade Outlook security and allow the malicious project to load automatically each time Microsoft Outlook launches.

Collection (1 technique)

T1114 Email Collection (evidence: 5)

MiniDoor’s primary goal is to steal the user’s emails and forward them to the threat actor.

Command and Control (3 techniques)

T1090.002 External Proxy (evidence: 1)

The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header.

T1105 Ingress Tool Transfer (evidence: 4)

"Once a victim opens it, the file triggers the vulnerability and silently downloads a dropper."

T1573 Encrypted Channel (evidence: 1)

"This communication is often encrypted to avoid detection."

Exfiltration (3 techniques)

T1041 Exfiltration Over C2 Channel (evidence: 2)

MiniDoor is a C++-based DLL file that steals a user's emails in various folders (Inbox, Junk, and Drafts) and forwards them to two hard-coded threat actor email addresses

T1048 Exfiltration Over Alternative Protocol (evidence: 1)

Drafts a new email, attaches temp_email.msg, and sends the email to both configured recipient addresses.

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (evidence: 2)

“Drafts a new email, attaches temp_email.msg, and sends the email to both configured recipient addresses.”
