Analyzing NotDoor: Inside APT28's Expanding Arsenal

Published 03/09/2025 17:31 · Modified 03/09/2025 20:17

Essential information

Tags
2025-09-03, backdoor, dll side-loading, exfiltration, nato, notdoor, obfuscation, outlook, persistence, vba macro
Related entities
2 observables, 1 intrusion set (APT), 10 techniques (MITRE ATT&CK)

Description

LAB52 has identified a new backdoor called NotDoor, attributed to APT28, a Russian intelligence-linked threat group. NotDoor is a VBA macro for Outlook that monitors incoming emails for specific trigger words, enabling data exfiltration, file uploads, and command execution on victim computers. The backdoor is deployed via Microsoft OneDrive.exe using DLL side-loading, and it establishes persistence by modifying registry keys. NotDoor employs obfuscation techniques and a custom string encoding method. It can execute commands, exfiltrate files, and upload files to the victim's machine. The malware demonstrates APT28's continuous evolution in bypassing defense mechanisms, posing a significant threat to NATO member countries across various sectors.

External references