Analyzing NotDoor: Inside APT28’s Expanding Arsenal
ID: d488c0d5-ff35-5b2a-9302-b5c5e82aef89
STIX ID: report--d488c0d5-ff35-5b2a-9302-b5c5e82aef89
Feed Name: Lab52 Blog
LAB52 (S2 Grupo) describes 'NotDoor', an Outlook VBA backdoor attributed to APT28 that is deployed via DLL side-loading of a signed OneDrive.exe. The backdoor installs a VBA project (VbaProject.OTM), disables macro/security dialogs, monitors incoming emails for configured trigger strings (e.g., "Daily Report"), and supports commands to exfiltrate files, upload files, and execute commands; the report includes registry persistence details, obfuscation/encoding methods, and IOCs (file hashes, paths, and an exfiltration email).