win.gonepostal

GONEPOSTAL

aka: Cordyceps, NOTDOOR

Actor(s): APT28


The malware consists of a dropper DLL and an obfuscated, password-protected VbaProject.OTM file, which houses macros written for Microsoft Outlook. The malware was originally written by Greg Linares as a backdoor PoC called Cordyceps and presented at Hushcon in 2017.

References
2025-09-04 | Twitter (@Laughing_Mantis) | Greg Linares
Tweet on similarity between GONEPOSTAL/NotDoor and Cordyceps
2025-09-03 | Lab52 | Lab52
Analyzing NotDoor: Inside APT28’s Expanding Arsenal
2025-05-01 | Kroll | Dave Truman, Marc Messer
FANCY BEAR GONEPOSTAL – Espionage Tool Provides Backdoor Access to Microsoft Outlook
2017-01-01 | Twitter (@Laughing_Mantis) | Dagmar Knechtel, Greg Linares
Next Gen Office Malware v2.0

There is no YARA signature yet.