The Russian state-backed cyber threat group known as APT28 has launched a fresh campaign aimed at organizations in Western and Central Europe. According to S2 Grupo’s LAB52 threat intelligence team, the operation, labeled Operation MacroMaze, was active between September 2025 and January 2026. It relies on basic tools and legitimate services to breach infrastructure and exfiltrate data.
Operation MacroMaze Unveiled
The campaign begins with spear-phishing emails that deliver macro-enabled documents. The document XML includes an INCLUDEPICTURE field that refers to a URL on webhook[.]site hosting an image file. When the document is opened, Word fetches the image, and the resulting HTTP request lets the operators log request metadata and confirm that the recipient has opened the file.
LAB52 observed several documents containing modified macros during the operation period. These macros serve as a dropper, establishing a foothold on the target system to deploy further payloads. Although the fundamental operation of these macros remains unchanged, there is a noticeable evolution in their evasion tactics.
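The two document-level traits described above (a remote INCLUDEPICTURE field pointing at webhook.site, and an embedded VBA project) can be triaged offline by unpacking the .docx container. The following is an added example written for this write-up, not LAB52's tooling; the sample document it scans is constructed inline with a placeholder webhook.site URL and a stub vbaProject.bin.

```python
import html
import io
import re
import zipfile

# Field instructions live in <w:instrText> runs, often split across several runs.
_INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
_INCLUDEPICTURE_URL_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^\s"\'\\]+)', re.I)

def scan_docx(data: bytes) -> dict:
    """Return remote INCLUDEPICTURE targets, a webhook.site flag and a macro flag."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            # Fields can sit in the body, headers or footers, so scan every part.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            instr = html.unescape(" ".join(_INSTR_RE.findall(xml)))
            urls += _INCLUDEPICTURE_URL_RE.findall(instr)
    return {
        "include_picture_urls": urls,
        "webhook_site": any("webhook.site" in u.lower() for u in urls),
        "has_vba": has_vba,
    }

def build_sample_docx() -> bytes:
    """Constructed sample, not a campaign file: one remote INCLUDEPICTURE field
    aimed at a placeholder webhook.site URL plus a stub vbaProject.bin."""
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">"https://webhook.site/PLACEHOLDER-ID/pixel.png" \\d</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_docx(build_sample_docx()))
```

A document that both carries a VBA project and reaches out to a webhook service for an image is worth quarantining before any macro is allowed to run; the same scan applies to .dotm and .docm files, which use the same container layout.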
Advanced Evasion Techniques
Originally, the macros relied on ‘headless’ browser execution, but newer versions use keyboard simulation, potentially to bypass security prompts. The macro runs a Visual Basic Script, which advances the infection by executing a CMD file that creates scheduled tasks for persistence. It also launches a batch script that decodes a Base64-encoded HTML payload and opens it in Microsoft Edge in headless mode; this stage retrieves commands from the webhook endpoint, executes them, and sends the output to another webhook instance.
An alternative version of the batch script avoids headless mode, instead moving the browser window off-screen and terminating other Edge processes, which gives the operators a controlled environment for exfiltration.
Simplicity in Complexity
LAB52 describes this browser-based exfiltration as using standard HTML features to transmit data while leaving minimal traces on disk. The campaign demonstrates how straightforward components, such as batch files, small VBS launchers, and simple HTML, can be combined into a stealthy attack chain: operations run in hidden browser sessions, artifacts are kept to a minimum, and both payload delivery and data exfiltration are outsourced to common webhook services.
APT28’s approach highlights the power of simplicity in cyber attacks. By leveraging uncomplicated yet ingenious tactics, the group effectively maximizes stealth and efficiency, posing a significant threat to targeted entities in Europe.
