
APT28 Target European Entities With Phishing and Remote Image Beacons

Russia-linked state-sponsored threat actor APT28 has launched a new campaign targeting specific entities across Western and Central Europe.

According to S2 Grupo's LAB52 threat intelligence team, the activity ran between September 2025 and January 2026. Researchers have codenamed the campaign Operation MacroMaze.

“The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration,” the cybersecurity company said.

At the outset, the attackers use spear-phishing emails to deliver lure documents. These files contain a shared structural element within their XML: a field named “INCLUDEPICTURE” that points to a webhook[.]site URL hosting a JPG image.

When the target opens the document, the system automatically retrieves the image from the remote server. As a result, this technique effectively functions as a beaconing mechanism similar to a tracking pixel, triggering an outbound HTTP request to the webhook[.]site URL.

Consequently, the server operator logs metadata tied to the request and confirms that the recipient opened the document.

Macro Variants and Evasion Evolution

Furthermore, LAB52 identified multiple documents featuring slightly modified macros between late September 2025 and January 2026. Each document acts as a dropper, establishes a foothold on the compromised host, and delivers additional payloads.

“While the core logic of all the macros detected remains consistent, the scripts show an evolution in evasion techniques, ranging from ‘headless’ browser execution in the older version to the use of keyboard simulation (SendKeys) in the newer versions to potentially bypass security prompts,” the Spanish cybersecurity company explained.

Multi-Stage Execution and Browser-Based Exfiltration

Next, the macro executes a Visual Basic Script (VBScript) to advance the infection chain. The VBScript then runs a CMD file, which establishes persistence through scheduled tasks and launches a batch script.

Subsequently, the batch script renders a small Base64-encoded HTML payload in Microsoft Edge running in headless mode to evade detection. The script retrieves a command from the webhook[.]site endpoint, executes it, captures the output, and exfiltrates the data to another webhook[.]site instance as an HTML file.

Meanwhile, researchers uncovered a second batch-script variant that avoids headless execution. Instead, it moves the browser window off-screen and aggressively terminates all other Edge processes to maintain a controlled environment.

“When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction,” LAB52 said. “This browser-based exfiltration technique leverages standard HTML functionality to transmit data while minimizing detectable artifacts on disk.”

Ultimately, the campaign underscores how attackers maximize impact with minimal complexity.

“This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth: moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services.”

Source: TheHackerNews
