NotDoor, a recently surfaced cyber espionage tool attributed to the Russian state-backed group APT28, is being used against firms in NATO member countries. NotDoor is a Visual Basic for Applications (VBA) macro embedded in Microsoft Outlook. It monitors incoming emails for a specific trigger word; once a message containing that word arrives, the attackers can run commands on the infected machine, exfiltrate files from it, and drop files onto it.
Spanish cybersecurity firm LAB52, the threat intelligence team of S2 Grupo, analysed NotDoor and characterised it as a sophisticated and dangerous backdoor. Kroll published its own findings on the NotDoor campaign on September 5, 2025. The finding shows that the threat is not random but actively seeks out specific targets. As striking as its architecture is, NotDoor is above all a reminder of the increasingly complex cyber threat environment facing organizations in every NATO country.
Functionality of NotDoor
NotDoor works by listening for incoming messages and parsing them for a predefined trigger string. The trigger is chosen to blend in with ordinary business mail, for example a string such as "Daily Report". Upon detecting this string, the malware extracts the commands embedded in the message and executes them. NotDoor supports four commands:
- cmd: Executes commands and returns the standard output as an email attachment.
- cmdno: Executes commands without returning output.
- dwn: Exfiltrates files from the victim’s computer, sending them as email attachments.
- upl: Drops files onto the victim’s computer.
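As an added example (not code from LAB52, Kroll, or the malware itself), the following Python shows how a defender could turn this command set into mailbox-side detection logic: it gates on the trigger string the same way the backdoor does, extracts the four verbs, maps each to the host-side artifact it should leave behind, and pairs the tasking with outbound mail carrying attachments, which is where cmd and dwn output would surface. The `verb argument` line layout, the 30-minute correlation window, the sample messages, addresses and timestamps are all assumptions constructed for this example; the page does not document NotDoor's exact message format.

```python
import re
from dataclasses import dataclass, field

# Trigger string used as the page's example ("Daily Report"). Real deployments
# can use any string, so treat this as a tunable indicator, not a constant.
TRIGGER = "Daily Report"

# The four verbs the page lists. The "verb argument" line layout is an
# assumption for this example; the page does not document the exact format.
COMMAND_LINE = re.compile(
    r"^\s*(cmdno|cmd|dwn|upl)\s+(\S.*?)\s*$", re.IGNORECASE | re.MULTILINE
)

# Host-side observable each verb should leave behind, per the page's description.
EXPECTED_EFFECT = {
    "cmd":   "outbound mail with attachment (command stdout)",
    "cmdno": "process execution only, no outbound mail artifact",
    "dwn":   "outbound mail with the named file attached",
    "upl":   "file written to disk from an inbound attachment",
}


@dataclass
class Task:
    verb: str
    argument: str
    effect: str


@dataclass
class Alert:
    message_id: str
    sender: str
    received_min: int              # constructed timestamp: minutes into the day
    tasks: list[Task] = field(default_factory=list)
    exfil_candidates: list[str] = field(default_factory=list)


def parse_tasking(body: str) -> list[Task]:
    """Return the command lines embedded in a body, or [] if the trigger is absent.

    Mirrors the backdoor's own gating: without the trigger string nothing is
    executed, so a lone 'cmd whoami' in a body is not tasking.
    """
    if TRIGGER.lower() not in body.lower():
        return []
    return [
        Task(m.group(1).lower(), m.group(2), EXPECTED_EFFECT[m.group(1).lower()])
        for m in COMMAND_LINE.finditer(body)
    ]


def scan_mailbox(inbox, sent_items, window_min=30) -> list[Alert]:
    """Flag inbound tasking and pair it with outbound mail that could carry results.

    An inbound message alerts only when it contains the trigger AND at least one
    verb line; 'Daily Report' on its own is normal business traffic. Outbound
    messages with attachments sent within window_min after a tasking message are
    listed as exfiltration candidates (cmd and dwn return data as attachments).
    """
    alerts = []
    for msg in inbox:
        tasks = parse_tasking(msg["body"])
        if not tasks:
            continue
        alert = Alert(msg["id"], msg["from"], msg["received_min"], tasks)
        for out in sent_items:
            delta = out["sent_min"] - msg["received_min"]
            if 0 <= delta <= window_min and out["attachments"]:
                alert.exfil_candidates.append(out["id"])
        alerts.append(alert)
    return alerts


# Constructed sample traffic (not real captures). Times are minutes into a day.
SAMPLE_INBOX = [
    {"id": "in-1", "from": "hr@corp.example", "received_min": 540,
     "body": "Reminder: please send your Daily Report before 17:00."},
    {"id": "in-2", "from": "ops@mail.example", "received_min": 600,
     "body": "Daily Report\r\ncmd whoami /all\r\n"
             "dwn C:\\Users\\jdoe\\Documents\\q3-forecast.xlsx\r\n"
             "upl update.bin\r\n"},
    {"id": "in-3", "from": "colleague@corp.example", "received_min": 610,
     "body": "cmd whoami  (no trigger string, so the backdoor ignores it)"},
]
SAMPLE_SENT = [
    {"id": "out-1", "to": "team@corp.example", "sent_min": 545, "attachments": ["notes.pdf"]},
    {"id": "out-2", "to": "drop@mail.example", "sent_min": 604, "attachments": ["output.txt"]},
    {"id": "out-3", "to": "drop@mail.example", "sent_min": 611, "attachments": ["q3-forecast.xlsx"]},
    {"id": "out-4", "to": "team@corp.example", "sent_min": 700, "attachments": []},
]

if __name__ == "__main__":
    for a in scan_mailbox(SAMPLE_INBOX, SAMPLE_SENT):
        print(f"[ALERT] {a.message_id} from {a.sender}")
        for t in a.tasks:
            print(f"  {t.verb:<6} {t.argument!r:<45} -> {t.effect}")
        print(f"  outbound with attachments within window: {a.exfil_candidates}")
```

Only `in-2` produces an alert: `in-1` contains the trigger but no verb line, and `in-3` contains a verb but no trigger, which is exactly the message the backdoor itself would ignore. Requiring both halves keeps a harmless "Daily Report" reminder from paging the SOC, while the outbound correlation turns a suspicious inbound message into evidence that data actually left the host.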
Together these commands give attackers extensive control over the infected system: they can read and alter data and stage further intrusions with little effort.
“NotDoor is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word.” – S2 Grupo’s LAB52 threat intelligence team
The name of the tool is derived from the word "Nothing" (the VBA keyword for a null object reference), which appears prominently in its source code. That prominence points to the obfuscation techniques favored by its creators. As an obfuscated VBA project, NotDoor uses the Outlook Application object model to carry out its malicious tasks.
Cyber Espionage Campaigns
NotDoor's most notable alleged use was in a cyber espionage campaign against the pharmaceutical company AstraZeneca, an incident that highlights its ability to reach sensitive communications. LAB52's analysis shows how stealthy these operations are: they abuse a benign platform, Outlook, for command and control.
Kroll researchers Marc Messer and Dave Truman described the campaign as a textbook example of "living-off-the-land": it takes ordinary business tools and practices and weaponizes them. They warned that this approach makes unauthorized access harder to identify.
“When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.” – S2 Grupo’s LAB52 threat intelligence team
Beyond its email monitoring, NotDoor has been observed in other campaigns using Telegram-owned Telegraph as a dead-drop resolver. Hiding command-and-control lookups behind a legitimate service lets the attackers communicate without generating traffic that stands out as abnormal.
Evolving Threat Landscape
Tools such as NotDoor show how far the cyber threats facing organizations worldwide have evolved. As attackers' tradecraft advances, the consequences for data security grow more serious.
Because NotDoor rides on legitimate email services, communications can be intercepted without triggering conventional network detections. An unnamed source noted that "first, the original C2 server IP is completely masked by Microsoft's relay nodes, blocking threat intelligence tracebacks based on IP reputation."
Fast infrastructure turnover, made possible by cloud services, also lets attackers keep operations running round the clock with little risk of detection. That flexibility makes them more resilient and more effective against susceptible organizations.
“The campaign is a good example of living-off-the-land, using common business tools and methods of communication for command and control.” – Marc Messer and Dave Truman