APT28 Deploys Operation MacroMaze: Webhook-Based Macro Malware Targets European Entities

Russia-linked APT28 (also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has launched a sophisticated espionage campaign targeting entities across Western and Central Europe. The operation, codenamed Operation MacroMaze by S2 Grupo’s LAB52 threat intelligence team, was active between September 2025 and January 2026.

Campaign Overview

Operation MacroMaze demonstrates that simplicity can be powerful in cyber espionage. Rather than deploying complex, custom malware, APT28 leveraged basic tooling—batch files, VBS launchers, and simple HTML—arranged with precision to maximize stealth and evade detection.

The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration, LAB52 reported.

Attack Chain Details

The attack chains follow this progression:

  1. Spear-Phishing Delivery: Targets receive emails with lure documents containing a structural XML element named INCLUDEPICTURE pointing to a webhook site URL
  2. Tracking Mechanism: When the document opens, it fetches a JPG image from the remote server, acting as a beaconing mechanism similar to a tracking pixel
  3. Macro Execution: Multiple document variants with slightly tweaked macros function as droppers that establish a foothold and deliver additional payloads
  4. Evasion Evolution: Newer versions of the scripts move from headless browser execution to keyboard simulation (SendKeys) to bypass security prompts

Technical Sophistication

The macro executes a Visual Basic Script (VBScript) that:

  • Runs a CMD file to establish persistence via scheduled tasks
  • Launches a batch script that renders a Base64-encoded HTML payload in Microsoft Edge's headless mode
  • Retrieves commands from a webhook site endpoint
  • Captures command output and exfiltrates it to a second webhook instance via an HTML file

A second variant eschews headless execution, moving the browser window off-screen instead, followed by aggressively terminating other Edge browser processes to ensure a controlled environment.

Browser-Based Exfiltration

When Microsoft Edge renders the resulting HTML file, the form it contains is submitted automatically, sending the collected command output to the remote webhook endpoint without user interaction. This browser-based exfiltration technique leverages standard HTML functionality to transmit data while minimizing detectable artifacts on disk.

Defensive Implications

The campaign highlights several critical points for defenders:

  • Legitimate Service Abuse: Using webhook services for both payload delivery and data exfiltration makes detection challenging since these are legitimate services
  • Macro Threats Persist: Despite years of warnings, macro-laced documents remain an effective initial access vector
  • Browser as Attack Surface: Hidden or off-screen browser sessions provide a stealthy mechanism for command execution and data theft
  • Artifact Minimization: Browser-based exfiltration creates minimal on-disk forensic artifacts

Indicators and Attribution

APT28 is a well-documented Russian state-sponsored threat actor linked to the GRU (Russia's military intelligence agency). The group has been active since at least 2004 and has targeted government, military, and security organizations worldwide.

Organizations in Western and Central Europe should review their security controls around:

  • Document macro execution policies
  • Network connections to webhook services
  • Unusual Edge browser behavior or hidden window execution
  • Scheduled task creation from document processes
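As an added example (not code from LAB52 or The Hacker News), the following Python detection pass runs over constructed Sysmon-style process-creation events and encodes the chain described above: a document process spawning a script host, scheduled-task creation, and Edge rendering a local HTML file headless. The webhook.site hostname and taskkill as the process-termination tool are assumptions; the article names neither.

```python
from dataclasses import dataclass

# Process names for the behaviours described above. The webhook.site hostname is
# an assumption: the article only says "webhook site".
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
WEBHOOK_HOST = "webhook.site"

@dataclass
class ProcEvent:
    image: str          # full path of the new process (Sysmon "Image")
    parent_image: str   # full path of its parent (Sysmon "ParentImage")
    command_line: str   # Sysmon "CommandLine"

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> set[str]:
    """Behaviours from the MacroMaze chain that a single event matches."""
    img, parent, cl = _name(ev.image), _name(ev.parent_image), ev.command_line.lower()
    hits = set()
    if parent in OFFICE and img in SCRIPT_HOSTS:
        hits.add("office_spawned_script_host")      # macro -> VBS/CMD launcher
    if img == "schtasks.exe" and "/create" in cl:
        hits.add("scheduled_task_created")           # persistence step
    if img == "msedge.exe" and ("--headless" in cl or ".html" in cl):
        hits.add("edge_headless_or_local_html")      # rendering payload or exfil form
    if img == "taskkill.exe" and "msedge" in cl:
        hits.add("edge_processes_killed")            # assumed tool for the kill step
    if WEBHOOK_HOST in cl:
        hits.add("webhook_service_in_cmdline")       # C2 / exfiltration endpoint
    return hits

def assess_host(events: list[ProcEvent]) -> tuple[set[str], bool]:
    """Union of behaviours seen on one host plus a verdict: the chain is flagged
    when a document-spawned script host is followed by persistence or Edge rendering."""
    seen = set().union(*(classify(e) for e in events))
    chain = "office_spawned_script_host" in seen and bool(
        seen & {"scheduled_task_created", "edge_headless_or_local_html"})
    return seen, chain

# Constructed sample events (not real telemetry) mirroring the described chain.
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\launch.vbs"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks /Create /SC MINUTE /TN Updater /TR "C:\Users\u\AppData\Local\Temp\run.cmd"'),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Windows\System32\cmd.exe",
              r'msedge.exe --headless "C:\Users\u\AppData\Local\Temp\out.html"'),
]
```

Calling `assess_host(SAMPLE)` returns the three matched behaviours and a positive verdict, while an Edge launch from Explorer with a normal URL returns no hits.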

Source: The Hacker News