• APT28 Targeted European Entities Using Webhook-Based Macro Malware
  • The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe.
  • The activity, per S2 Grupo’s LAB52 threat intelligence team, was active between September 2025 and January 2026.
  • It has been codenamed Operation MacroMaze.
  • “The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration,” the cybersecurity company said.
  • The attack chains employ spear-phishing emails as a starting point to distribute lure documents that contain a common structural element within their XML, a field named “INCLUDEPICTURE” that points to a webhook[.]site URL that hosts a JPG image.
  • This, in turn, causes the image file to be fetched from the remote server when the document is opened.

Article Summaries:

  • APT28, a Russia-linked threat actor, launched “Operation MacroMaze” from September 2025 to January 2026, targeting selected Western and Central European entities. The campaign began with spear-phishing emails that delivered Word documents containing an XML field (INCLUDEPICTURE) pointing to a webhook[.]site URL. Opening the document triggers a hidden HTTP request, confirming receipt. The embedded macros drop a VBScript that creates a scheduled-task persistence layer and launches a batch script to render a Base64-encoded HTML page in Microsoft Edge. The page retrieves commands from the webhook, executes them, and exfiltrates output back to the same service. Variants evolved from headless browser execution to off-screen windows and keyboard simulation to evade detection. The operators rely on simple, widely available tools (batch files, VBS, and standard HTML) to maximize stealth and minimize on-disk artifacts.
  • Russia-linked threat actor APT28 launched “Operation MacroMaze,” a campaign that ran from September 2025 to January 2026 and targeted specific entities in Western and Central Europe. The attack began with spear-phishing emails containing lure documents that use an XML field pointing to a webhook-based URL hosting a JPG image. Opening the document triggers a beaconing request, allowing the operator to confirm receipt. The embedded macro drops a VBScript that creates scheduled-task persistence and launches headless or off-screen Microsoft Edge sessions to render Base64-encoded HTML, retrieve commands from the webhook, and exfiltrate output back to the same service. Variants show evolving evasion tactics, such as keyboard simulation and process termination, while keeping the overall toolset simple.
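
The INCLUDEPICTURE beacon described in the summaries above, as an added detection example that is not part of the original article or of LAB52’s reporting: it unzips a .docx, joins the field-code runs found in its word/*.xml parts, extracts every URL referenced by an INCLUDEPICTURE field, and flags those whose host is webhook.site. The sample documents, the intranet.example.com URL and the PLACEHOLDER-ID webhook path are constructed here; the campaign’s real paths are not on this page.

```python
import html, io, re, zipfile
from urllib.parse import urlparse

# Field code that makes Word fetch an image from a remote URL when the document opens.
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s<\\]+)', re.IGNORECASE)
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
BEACON_HOSTS = ("webhook.site",)  # legitimate service the article reports as the beacon endpoint

def include_picture_urls(docx_bytes: bytes) -> list:
    """Return every remote URL referenced by an INCLUDEPICTURE field in a .docx."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Field codes live in word/*.xml parts (document body, headers, footers).
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            # Word may split one field code across several instrText runs; join them first.
            instr = html.unescape("".join(INSTR_RE.findall(zf.read(name).decode("utf-8", "replace"))))
            urls.extend(FIELD_RE.findall(instr))
    return urls

def is_beacon_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in BEACON_HOSTS)

def triage(docx_bytes: bytes) -> dict:
    """Classify a document by the remote image fields it carries."""
    urls = include_picture_urls(docx_bytes)
    beacons = [u for u in urls if is_beacon_host(u)]
    verdict = "beacon" if beacons else ("remote-image" if urls else "clean")
    return {"remote_urls": urls, "beacon_urls": beacons, "verdict": verdict}

def build_sample_docx(field_code: str = "") -> bytes:
    """Constructed minimal .docx carrying one field code (test data, not a real lure)."""
    field = "" if not field_code else (
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve">'
        f'{html.escape(field_code, quote=False)}</w:instrText></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f'<w:body><w:p>{field}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

# Constructed samples: a placeholder beacon URL, a benign remote image, and no field at all.
LURE = build_sample_docx('INCLUDEPICTURE "https://webhook.site/PLACEHOLDER-ID/beacon.jpg" \\d')
BENIGN = build_sample_docx('INCLUDEPICTURE "https://intranet.example.com/logo.jpg" \\d')
PLAIN = build_sample_docx()
```

A "remote-image" verdict is worth a look on its own, since any INCLUDEPICTURE that points off-host produces a fetch on open; only the webhook.site match is specific to this campaign.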

Sources: