The Russia-linked threat actor APT28 recently executed a cyber espionage campaign titled Operation MacroMaze targeting Western and Central European organizations. Between September 2025 and January 2026, the group utilized spear-phishing emails containing lure documents that leveraged remote image fetching and evolving macro scripts to exfiltrate data via legitimate webhook services.
Operation MacroMaze began with spear-phishing emails containing documents designed to notify attackers the moment they were accessed. By including a specific field within the document XML that pointed to a remote image, the attackers created a beaconing mechanism similar to a tracking pixel. When a recipient opened the file, an outbound request was automatically triggered to a webhook service, allowing the threat actors to log metadata and confirm that their target was active and the initial breach was successful.
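The beacon described above works because an OOXML package can reference an image by URL instead of embedding it, either through an external image relationship or an INCLUDEPICTURE field. The following Python scanner is an added defensive example, not code from the cited report; it opens a package, lists every such remote image reference, and builds a constructed sample document to run against (the webhook URL is a placeholder, not an indicator from the campaign).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
# INCLUDEPICTURE field code carrying an http(s) URL, matched on the raw part text
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^\s"]+)', re.IGNORECASE)


def find_remote_image_refs(package_bytes):
    """Return (part name, URL) pairs for every external image relationship or
    INCLUDEPICTURE field inside an OOXML package (.docx/.xlsx/.pptx)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(data)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    # TargetMode="External" means the image is fetched from the URL at open time
                    if rel.get("TargetMode") == "External" and rel.get("Type") == IMAGE_REL:
                        hits.append((name, rel.get("Target")))
            elif name.endswith(".xml"):
                for m in FIELD_RE.finditer(data.decode("utf-8", "replace")):
                    hits.append((name, m.group(1)))
    return hits


def build_sample_docx(image_target, field_url=None):
    """Constructed minimal package (not a real document) with one image relationship
    and, optionally, an INCLUDEPICTURE field in the body, for testing the scanner."""
    body = ""
    if field_url:
        body = f'<w:instrText> INCLUDEPICTURE "{field_url}" \\d </w:instrText>'
    mode = ' TargetMode="External"' if image_target.startswith("http") else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document>{body}</w:document>")
        zf.writestr(
            "word/_rels/document.xml.rels",
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{IMAGE_REL}" Target="{image_target}"{mode}/>'
            "</Relationships>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://webhook.example/PLACEHOLDER-token")
    print(find_remote_image_refs(sample))
```

Run over an inbound attachment, any hit whose URL points at a webhook or URL-logging service is worth alerting on before the file is opened, since the request fires as soon as the document renders.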
The campaign relied on macro-enabled documents that functioned as droppers to establish a persistent foothold on compromised systems. Throughout the operation, the attackers refined these macros to improve their ability to bypass security measures. Earlier versions of the scripts utilized headless browser execution to remain invisible, while more recent iterations adopted keyboard simulation techniques to navigate security prompts and interact with the operating system without triggering traditional defensive alerts.
Once the macro was activated, it initiated a multi-stage infection process starting with a VBScript that executed various command files. To ensure the attack survived a system reboot, the script created scheduled tasks and launched batch files. These batch files were responsible for rendering encoded HTML payloads within Microsoft Edge. In some instances, the attackers used headless mode for stealth; in others, they moved the browser window off-screen and terminated competing processes to create a controlled environment for their malicious activity.
The final stage of the attack involved using the web browser as a tool for both command reception and data theft. The malicious scripts instructed the browser to retrieve specific commands from a remote endpoint and execute them on the local machine. The output of these commands was then packaged into an HTML file and submitted through a web form. This technique allowed the attackers to send stolen data back to their servers using standard web traffic, which often blends in with legitimate network activity.
By employing simple tools like batch files and VBScript alongside legitimate infrastructure, APT28 demonstrated how basic methods can remain highly effective for state-sponsored espionage. The use of common webhook services for exfiltration and the manipulation of browser sessions to hide activity minimized the number of suspicious files left on the victim’s disk. This strategic blend of simplicity and careful execution allowed the group to maintain a low profile while successfully targeting high-value entities across Europe.
Source: APT28 Targets European Entities With Webhook-Based Macro Malware