Intel Name: Fancy Bear Gonepostal – espionage tool provides backdoor access to Microsoft Outlook
Date of Scan: September 12, 2025
Impact: High
Summary: The Gonepostal malware has been observed in an espionage campaign linked to KTA007 (aka Fancy Bear/APT28), a Russian state-sponsored group tied to GRU Unit 26165. The malware consists of a dropper DLL and a password-protected Outlook macro file (VbaProject.OTM) that enables backdoor access via email-based C2. KTA007 is known for high-profile cyberattacks and employs tactics such as zero-day exploits, spear phishing, and the use of both custom and commercial malware.