A state-sponsored cyber espionage group known as APT28 has been linked to a new campaign directed at selected entities across Western and Central Europe. The operation, identified by LAB52, the threat intelligence unit of S2 Grupo, remained active from September 2025 through January 2026.
Researchers have named the activity Operation MacroMaze, a name that reflects its structured yet deceptively simple infection chain. According to the investigators, the campaign relies on basic attack tooling while abusing legitimate online services for command and control (C2) and data exfiltration.
Spear Phishing and Webhook Tracking Mechanism
The attack begins with carefully crafted spear-phishing emails tailored to specific targets. Victims receive malicious documents containing a hidden INCLUDEPICTURE field in the document XML. This field references a webhook[.]site URL that hosts a JPG image.
When the document is opened, the image is automatically fetched from the remote server. Although the image itself is harmless, the fetch silently generates an outbound HTTP request. It functions much like a tracking pixel: the request confirms to the attackers that the document has been opened and lets them log request metadata.
This subtle validation step enables threat actors to identify active targets before deploying further payloads.
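The INCLUDEPICTURE beacon described above leaves a static artifact that can be hunted for in mail attachments before anyone opens the document. The checker below is an added example, not code from LAB52 or from the original article: it unpacks a .docx, reassembles Word field codes even when Word has split them across several runs, and reports every INCLUDEPICTURE field that points at an http(s) URL. The sample document it builds is constructed for the demonstration, and EXAMPLE-ID in the webhook[.]site path is a placeholder rather than an indicator from the report.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
URL_RE = re.compile(r'https?://[^\s"\\]+', re.IGNORECASE)

def _field_codes(part_xml: bytes):
    """Yield field codes in document order, joining instrText runs split across w:r."""
    buf, in_field = [], False
    for el in ET.fromstring(part_xml).iter():
        if el.tag == W + "fldSimple":                 # single-element field
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":                 # complex field delimiter
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                buf, in_field = [], True
            elif kind == "end" and in_field:
                in_field = False
                yield "".join(buf)
        elif el.tag == W + "instrText" and in_field:
            buf.append(el.text or "")

def find_remote_includepicture(docx_bytes: bytes) -> list:
    """Return every http(s) URL referenced by an INCLUDEPICTURE field in any
    XML part under word/ (body, headers, footers, footnotes)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in _field_codes(zf.read(name)):
                    if re.search(r"\bINCLUDEPICTURE\b", code, re.IGNORECASE):
                        hits.extend(URL_RE.findall(code))
    return hits

def build_sample_docx(field_code: str) -> bytes:
    """Constructed input: minimal .docx with one complex field split across two runs."""
    half = len(field_code) // 2
    run = '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
    body = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            + run % field_code[:half] + run % field_code[half:] +
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

A hit in a mail-gateway or triage pipeline is reason to quarantine the attachment, and the URL's host is the value to correlate against proxy logs for the tracking request.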
Evolving Macro Techniques to Evade Detection
LAB52 analysts discovered multiple document samples between late September 2025 and early 2026. While the core macro logic remained consistent, noticeable refinements were observed in evasion tactics.
Earlier versions relied on headless browser execution. Newer iterations adopted keyboard simulation via SendKeys, potentially to bypass security prompts. These adjustments show gradual refinement aimed at evading endpoint protection solutions.
Each malicious macro acts as a dropper, establishing initial access and preparing the compromised system for additional payload delivery.
Multi Stage Execution Chain
The macro launches a VBScript that advances the infection. The VBScript in turn launches a CMD file that establishes persistence through scheduled tasks, then executes a batch script that decodes a small Base64-encoded HTML payload and opens it in Microsoft Edge running in headless mode.
This approach minimizes visible system activity while letting the attacker retrieve commands from a webhook[.]site endpoint. Once a command is received, the malware executes it, captures the output, and exfiltrates the result to another webhook instance as an HTML file.
A second variant of the batch script avoids headless mode. Instead, it moves the browser window off-screen and forcibly terminates other Edge processes to ensure a controlled execution environment.
Browser Based Data Exfiltration
When Microsoft Edge renders the generated HTML file, an embedded form automatically submits the collected command output to the attacker-controlled webhook endpoint, with no user interaction required.
By leveraging standard HTML capabilities for data transmission, the attackers reduce suspicious artifacts on disk and blend malicious activity into normal web traffic patterns.
Security researchers emphasized that this campaign demonstrates how even simple scripting tools such as batch files, lightweight VBS launchers, and minimal HTML code can achieve high operational stealth when carefully orchestrated.