Russia’s notorious state-sponsored threat actor APT28 (also known as Fancy Bear) has been attributed to a sophisticated new campaign targeting organizations across Western and Central Europe.
According to S2 Grupo’s LAB52 threat intelligence team, the campaign—codenamed Operation MacroMaze—was active between September 2025 and January 2026. What makes this campaign notable is its reliance on basic but effective tooling combined with legitimate services for infrastructure and data exfiltration.
Attack Chain Breakdown
The attack begins with spear-phishing emails distributing lure documents that contain a hidden structural element within their XML—a field named “INCLUDEPICTURE” that points to a webhook[.]site URL hosting a JPG image. When the document is opened, this field acts as a beacon similar to a tracking pixel, confirming to the attackers that the recipient opened the document.
The campaign uses evolving macro techniques, including:
- Headless browser execution in older versions
- Keyboard simulation (SendKeys) in newer versions to bypass security prompts
- Visual Basic Script (VBScript) execution for staging
- Scheduled tasks for persistence
- Browser-based exfiltration using Microsoft Edge in headless mode
Sophisticated Evasion Techniques
The attackers demonstrate careful operational security by moving browser sessions off-screen and aggressively terminating competing Edge processes to maintain a controlled environment. Data exfiltration leverages standard HTML form submission functionality, minimizing detectable artifacts on disk.
“This campaign proves that simplicity can be powerful,” LAB52 noted. “The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth.”
Defensive Recommendations
Organizations should:
- Implement robust email filtering and phishing detection
- Disable or restrict macro execution in Office documents
- Monitor for suspicious outbound connections to webhook services
- Deploy endpoint detection for VBScript and scheduled task abuse
- Train employees to recognize spear-phishing attempts
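The INCLUDEPICTURE beacon described in the attack chain leaves a static trace in the document's XML, so a mail gateway or triage script can flag it before the file reaches a user. The following is an added example, not code from LAB52 or The Hacker News: it parses `word/document.xml` inside a .docx, reassembles each field code from its `instrText` runs, extracts INCLUDEPICTURE targets and reports those pointing at a host in `SUSPICIOUS_HOSTS` (webhook.site is taken from the article; the list and the constructed sample document are assumptions).

```python
import io
import re
import zipfile
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Hosts treated as beacon infrastructure for this check (assumption: extend for your environment).
SUSPICIOUS_HOSTS = {"webhook.site"}


def includepicture_targets(docx_bytes):
    """Return URLs referenced by INCLUDEPICTURE fields in word/document.xml.

    A field code may be split across several <w:instrText> runs, so the runs
    between each fldChar begin/end pair are concatenated before matching.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    targets, buf = [], None
    for el in root.iter():
        tag = el.tag.split("}")[-1]
        if tag == "fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                buf = []
            elif kind == "end" and buf is not None:
                m = re.search(r'INCLUDEPICTURE\s+"?([^"\s\\]+)', "".join(buf), re.IGNORECASE)
                if m:
                    targets.append(m.group(1))
                buf = None
        elif tag == "instrText" and buf is not None:
            buf.append(el.text or "")
    return targets


def flag_beacons(docx_bytes):
    """Return only the INCLUDEPICTURE URLs whose host is a known beacon service."""
    return [u for u in includepicture_targets(docx_bytes)
            if urlparse(u).hostname in SUSPICIOUS_HOSTS]


def build_sample_docx(url):
    """Construct a minimal .docx carrying one INCLUDEPICTURE field (constructed test input)."""
    xml = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           f'<w:r><w:instrText> INCLUDEPICTURE "{url}" \\d </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", xml)
    return out.getvalue()
```

Run `flag_beacons` over attachments at the gateway; a non-empty result is worth quarantining and correlating with outbound proxy logs for the same host.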
Source: The Hacker News
