Analytics Story: NotDoor Malware

Description

NotDoor is an Outlook backdoor attributed to APT28, a group known for breaching organizations across multiple sectors in NATO member states. This analytic story collects targeted searches that surface activity indicative of NotDoor's presence: file write operations for dropped macros, registry modifications that establish persistence, suspicious processes, and other malicious actions.

Why it matters

APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, the group's latest campaign involved malware named NotDoor, after its use of the word “Nothing” in its code, implemented as a VBA macro for Outlook. The macro monitors incoming emails for a predefined trigger word; upon detection, it lets attackers exfiltrate data, upload files, and execute commands on the compromised system.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Windows Outlook Dialogs Disabled from Unusual Process | Modify Registry, Impair Defenses | TTP |
| Windows Outlook LoadMacroProviderOnBoot Persistence | Modify Registry, Office Application Startup | TTP |
| Windows Outlook Macro Created by Suspicious Process | Office Application Startup, Visual Basic | TTP |
| Windows Outlook Macro Security Modified | Office Application Startup, Fallback Channels | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
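The following is an added example, not code from the original page or from the Splunk project: a small Python re-implementation of the logic behind three of the detections listed above (macro file created by a suspicious process, LoadMacroProviderOnBoot persistence, macro security modified), run over constructed Sysmon EventID 11 and EventID 13 records. The field names (Image, TargetFilename, TargetObject, Details) follow Sysmon's event schema; the VbaProject.OTM path and the Outlook Security\Level registry value are real Outlook artifacts that the page itself does not name, the allow-list of writer processes is an assumption to tune per environment, and all sample events are constructed. The "Dialogs Disabled" detection is omitted because the page does not name the registry value it inspects.

```python
"""Toy NotDoor detection logic over constructed Sysmon events (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Process image names allowed to touch Outlook's macro store and its macro
# settings. Assumption: tune to your environment (deployment tooling etc.).
ALLOWED_IMAGES = {"outlook.exe"}

# Outlook keeps the user's VBA project in %APPDATA%\Microsoft\Outlook\VbaProject.OTM
OTM_FILE = re.compile(r"\\Microsoft\\Outlook\\VbaProject\.OTM$", re.IGNORECASE)
# Registry values under HKU\<SID>\Software\Microsoft\Office\<ver>\Outlook
LOAD_MACRO = re.compile(r"\\Outlook\\LoadMacroProviderOnBoot$", re.IGNORECASE)
MACRO_LEVEL = re.compile(r"\\Outlook\\Security\\Level$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    target: str


def _image_name(path: str) -> str:
    """Lower-cased file name of the acting process image."""
    return path.rsplit("\\", 1)[-1].lower()


def _dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' Details format for EventID 13."""
    m = re.search(r"DWORD \((0x[0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else None


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if the event matches one of the NotDoor analytics."""
    image = _image_name(ev.get("Image", ""))
    if ev["EventID"] == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        if OTM_FILE.search(target) and image not in ALLOWED_IMAGES:
            return Finding("Windows Outlook Macro Created by Suspicious Process", image, target)
    elif ev["EventID"] == 13:  # RegistryEvent (SetValue)
        target = ev.get("TargetObject", "")
        value = _dword(ev.get("Details", ""))
        # Value 1 makes Outlook load the VBA project at start-up: the persistence hook.
        if LOAD_MACRO.search(target) and value == 1:
            return Finding("Windows Outlook LoadMacroProviderOnBoot Persistence", image, target)
        # Any non-Outlook process rewriting the macro security level is suspicious;
        # lower values are more permissive (1 enables all macros).
        if MACRO_LEVEL.search(target) and image not in ALLOWED_IMAGES:
            return Finding("Windows Outlook Macro Security Modified", image, target)
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Run every event through check_event and keep the hits, in order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not real events); SID and user are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Office\16.0\Outlook\Security\Level",
     "Details": "DWORD (0x00000001)"},
    # Benign: Outlook itself saving the user's macro project.
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    # Benign: Outlook writing the default notification level.
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Office\16.0\Outlook\Security\Level",
     "Details": "DWORD (0x00000003)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.image} -> {finding.target}")
```

Running the block prints three findings (one per NotDoor analytic) and stays silent on the two Outlook-originated events, which is the same allow-list reasoning the Splunk searches apply to the Image field; in production the allow-list and the office version pattern are the parts to tune.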

Source: GitHub | Version: 1