GONEPOSTAL (Malware Family)

GONEPOSTAL

aka: Cordyceps, NOTDOOR

Actor(s): APT28

The malware consists of a dropper DLL and an obfuscated, password protected VbaProject.OTM file, which houses macros written for Microsoft Outlook. The malware was originally written by Greg Linares as a backdoor POC called Cordyceps, and presented at Hushcon in 2017.

References

2026-02-04 ⋅ StrikeReady ⋅ Alex Lanstein, Pham Duy Phuc
APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 and Cloud C2 Infrastructure
GONEPOSTAL GRUNT

2026-02-04 ⋅ Trellix ⋅ Alex Lanstein, Pham Duy Phuc
APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 and Cloud C2 Infrastructure
GONEPOSTAL GRUNT

2025-09-05 ⋅ Kroll ⋅ Dave Truman, Marc Messer
FANCY BEAR GONEPOSTAL – Espionage Tool Provides Backdoor Access to Microsoft Outlook
GONEPOSTAL

2025-09-04 ⋅ Twitter (@Laughing_Mantis) ⋅ Greg Linares
Tweet on similarity between GONEPOSTAL/NotDoor and Cordyceps
GONEPOSTAL

2025-09-03 ⋅ Lab52 ⋅ Lab52
Analyzing NotDoor: Inside APT28’s Expanding Arsenal
GONEPOSTAL

2017-01-01 ⋅ Twitter (@Laughing_Mantis) ⋅ Dagmar Knechtel, Greg Linares
Next Gen Office Malware v2.0
GONEPOSTAL

There is no Yara-Signature yet.

GONEPOSTAL Propose Change

References

GONEPOSTAL