APT28 NotDoor Cloud C2 Campaign
APT28 espionage campaign targeting European military and maritime organisations weaponising CVE-2026-21509 within 24 hours of disclosure. Features novel Outlook VBA backdoor NotDoor and abuse of cloud storage filen.io as C2 infrastructure.
Start date
1 January 2026
End date
—
Techniques
18
Attributed actors
Techniques (18)
Collection (1)
T1114.002 Remote Email Collection
Command and Control (4)
T1102.002 Bidirectional Communication
T1573.002 Asymmetric Cryptography
T1105 Ingress Tool Transfer
T1071.001 Web Protocols
Defense Impairment (1)
T1070.001 Clear Windows Event Logs
Discovery (2)
T1082 System Information Discovery
T1083 File and Directory Discovery
Execution (2)
T1059.003 Windows Command Shell
T1059.001 PowerShell
Exfiltration (1)
T1041 Exfiltration Over C2 Channel
Initial Access (2)
T1566.001 Spearphishing Attachment
T1190 Exploit Public-Facing Application
Persistence (1)
T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation (2)
T1547.001 Registry Run Keys / Startup Folder
T1055 Process Injection
Stealth (4)
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1055 Process Injection
T1027 Obfuscated Files or Information
Indicators of compromise
No IOCs linked to this campaign yet.