
A Russian-affiliated state-sponsored threat actor tracked as APT28 is believed to be involved in a new campaign targeting specific organizations in Western and Central Europe.
According to S2 Grupo’s LAB52 threat intelligence team, the activity ran from September 2025 to January 2026 and has been codenamed “Operation MacroMaze”. “This campaign relies on basic tools and exploitation of legitimate services for infrastructure and data theft,” the cybersecurity firm said.
The attack chain starts with a spear-phishing email that delivers a decoy document. The document’s XML contains a common structural element, an “INCLUDEPICTURE” field, that points to a webhook[.]site URL hosting a JPG image, so the image is fetched from the remote server as soon as the document is opened.
In other words, the field acts as a beacon, much like a tracking pixel: opening the document triggers an outbound HTTP request to the webhook[.]site URL, and the server operator can log the metadata of that request to verify that the recipient actually opened the document.
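A defender-side triage check for the INCLUDEPICTURE beacon described above, written as an added example and not taken from LAB52’s report: it unpacks a .docx, reassembles each field code from its instrText runs, reports any remote image URLs, and notes whether a VBA project is bundled. The webhook.example URL and the minimal document builder are constructed for illustration.

```python
import html
import io
import re
import zipfile

# Field code text lives in <w:instrText> runs; Word may split one field
# code across several runs, so runs within a field are re-joined below.
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s\\]+)', re.I)


def find_remote_includepictures(docx_bytes: bytes) -> list[str]:
    """Return http(s) URLs referenced by INCLUDEPICTURE fields in a .docx."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Fields can sit in the body, headers, footers or footnotes.
        for part in (n for n in zf.namelist() if re.match(r"word/.*\.xml$", n)):
            xml = zf.read(part).decode("utf-8", errors="replace")
            # Each field starts with a fldChar "begin"; join its instrText runs.
            for field in xml.split('w:fldCharType="begin"')[1:]:
                instr = html.unescape("".join(INSTR_RE.findall(field)))
                for url in INCLUDEPICTURE_RE.findall(instr):
                    if url.lower().startswith(("http://", "https://")):
                        urls.append(url)
    return urls


def has_vba_project(docx_bytes: bytes) -> bool:
    """True if the package carries a VBA project, i.e. a macro-enabled document."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def build_sample_docx(url: str, with_macro: bool = False) -> bytes:
    """Constructed minimal .docx with one INCLUDEPICTURE field split across runs."""
    doc = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p>"
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "</w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{html.escape(url)}" \\d</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # constructed placeholder
    return buf.getvalue()
```

A remote INCLUDEPICTURE URL is not malicious on its own, but one pointing at a webhook-style endpoint in an unsolicited attachment is exactly the beacon pattern worth alerting on.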
According to LAB52, multiple documents have been identified between late September 2025 and January 2026 containing slightly tailored macros, all of which act as droppers to establish a foothold on compromised hosts and deliver additional payloads.
“Although the core logic of all detected macros is consistent, the scripts show an evolution in evasion techniques, from running a ‘headless’ browser in older versions to using keyboard simulation (SendKeys) in newer versions, which can potentially bypass security prompts,” the Spanish cybersecurity firm explained.
The macro is designed to execute a Visual Basic Script (VBScript) that advances the infection to the next stage. The script runs a CMD file to establish persistence via a scheduled task and launches a batch script that renders a small Base64-encoded HTML payload in Microsoft Edge in headless mode to avoid detection. That batch script retrieves commands from a webhook[.]site endpoint, runs them, captures the output, and exfiltrates it to another webhook[.]site instance in the form of an HTML file.
A second variant of the batch script avoids headless execution in favor of moving the browser window off-screen, and then aggressively terminates all other Edge browser processes to ensure a controlled environment.
“When the resulting HTML file is rendered by Microsoft Edge, the form is submitted and the collected command output is spilled to a remote webhook endpoint without user interaction,” LAB52 said. “This browser-based exfiltration technology leverages standard HTML functionality to transmit data with minimal detectable artifacts on disk.”
“This campaign proves that simplicity is powerful. The attackers use very basic tools (batch files, small VBS launchers, and simple HTML) but place them carefully to maximize stealth. They move operations to hidden or off-screen browser sessions, clean up artifacts, and outsource both payload delivery and data exfiltration to widely used webhook services.”
