Fancy Bear Gonepostal – Espionage Tool Provides Backdoor Access to Microsoft Outlook

    Date: 09/12/2025

    Severity: High

    Summary

    The Gonepostal malware has been observed in an espionage campaign linked to KTA007 (aka Fancy Bear/APT28), a Russian state-sponsored group tied to GRU Unit 26165. The malware consists of a dropper DLL and a password-protected Outlook macro file (VbaProject.OTM) that enables backdoor access via email-based C2. KTA007 is known for high-profile cyberattacks and employs tactics such as zero-day exploits, spear phishing, and the use of both custom and commercial malware.

    Indicators of Compromise (IOC) List

    URL/Domain:
    dnshook.site
    webhook.site
    oast.fun

    Hash (SHA-256):
    8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901
    5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705
    106c7873db17e4542022245eea148f815ce547c36523861dddb50103c65d8b07

    Hash (MD5):
    2dc21fab89bca42d2de4711a7ef367f1
    3e966f088d46a0eb482e3dc4af266c0f

    Email:
    a.matti444@proton.me

    Hostname:
    run.mocky.io

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "dnshook.site" or siteurl like "dnshook.site" or url like "dnshook.site" or domainname like "webhook.site" or siteurl like "webhook.site" or url like "webhook.site" or domainname like "oast.fun" or siteurl like "oast.fun" or url like "oast.fun"

    Detection Query 2:

    sha256 IN ("8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901","5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705","106c7873db17e4542022245eea148f815ce547c36523861dddb50103c65d8b07")

    Detection Query 3:

    md5hash IN ("2dc21fab89bca42d2de4711a7ef367f1","3e966f088d46a0eb482e3dc4af266c0f")

    Detection Query 4:

    sender like "a.matti444@proton.me" or recipient like "a.matti444@proton.me"

    Detection Query 5:

    hostname like "run.mocky.io"
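    As an added illustration that is not part of the Gurucul advisory, the five queries above re-expressed in Python over constructed sample records. The field names follow the queries; the domain test accepts the IOC domain or any of its subdomains rather than a raw substring, so a host such as notwebhook.site is not flagged, and hashes and addresses are compared case-insensitively.

```python
from urllib.parse import urlsplit

DOMAINS = {"dnshook.site", "webhook.site", "oast.fun"}
HOSTNAMES = {"run.mocky.io"}
EMAILS = {"a.matti444@proton.me"}
SHA256S = {"8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901",
           "5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705",
           "106c7873db17e4542022245eea148f815ce547c36523861dddb50103c65d8b07"}
MD5S = {"2dc21fab89bca42d2de4711a7ef367f1", "3e966f088d46a0eb482e3dc4af266c0f"}

def host_of(value):
    """Lower-cased host from a URL or bare domain; '' when the field is absent."""
    value = (value or "").strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.rstrip(".")

def in_domains(host, iocs):
    """True when host equals an IOC domain or is a subdomain of one (not a substring)."""
    return any(host == d or host.endswith("." + d) for d in iocs)

def match_iocs(record):
    """Return the labels of the advisory's queries (q1..q5) that the record satisfies."""
    get = lambda k: str(record.get(k) or "")
    hits = []
    if any(in_domains(host_of(get(f)), DOMAINS) for f in ("domainname", "siteurl", "url")):
        hits.append("q1_domain")
    if get("sha256").lower() in SHA256S:
        hits.append("q2_sha256")
    if get("md5hash").lower() in MD5S:
        hits.append("q3_md5")
    if any(get(f).lower() in EMAILS for f in ("sender", "recipient")):
        hits.append("q4_email")
    if in_domains(host_of(get("hostname")), HOSTNAMES):
        hits.append("q5_hostname")
    return hits

# Constructed sample records for illustration, not telemetry from the campaign.
SAMPLE_LOGS = [
    {"url": "https://abc123.webhook.site/x", "sha256": "8F4BCA3C62268FFF0458322D111A511E0BCFBA255D5AB78C45973BD293379901"},
    {"sender": "user@example.com", "recipient": "A.Matti444@proton.me"},
    {"domainname": "notwebhook.site", "hostname": "run.mocky.io."},
    {"md5hash": "00000000000000000000000000000000"},
]

def scan(records=SAMPLE_LOGS):
    """Return [(index, hits)] for every record that matches at least one query."""
    return [(i, match_iocs(r)) for i, r in enumerate(records) if match_iocs(r)]
```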

    Reference:

    https://www.kroll.com/en/publications/cyber/fancy-bear-gonepostal-espionage-tool-backdoor-access-microsoft-outlook

    https://otx.alienvault.com/pulse/68c1ad318163d504868fc59e


    Tags: Malware, Phishing, Spear Phishing, GONEPOSTAL, APT28, Fancy Bear, Russia, KTA007, Microsoft Outlook, Backdoor, GRU Unit 26165, Exploit
