Webhook Macros Deliver Stealthy Malware

Cybersecurity researchers uncovered a new espionage campaign by a Russia-linked group. APT28 attacked specific organizations in Western and Central Europe. They used simple yet effective macro malware in targeted phishing emails.

Campaign Timeline and Name

The operation lasted from September 2025 to January 2026. Researchers named it Operation MacroMaze. Attackers focused on basic tools and legitimate web services. They relied heavily on webhook.site for tracking victims and stealing data.

This campaign showed clear evolution over time. Early attacks used different evasion methods. Later versions improved stealth significantly. For example, they added keyboard simulation to handle security prompts better.

Spear-Phishing Delivery Method

APT28 sent carefully crafted spear-phishing emails. Each email carried a lure document as an attachment. The document embedded a Word field code, INCLUDEPICTURE, in its XML. This field pointed to a remote JPG image hosted on webhook.site.

When a victim opened the file, Word fetched the image automatically. This produced an outbound HTTP request to the attacker-controlled webhook.site endpoint, which logged the request metadata. Attackers therefore knew immediately that the document had been opened.

Macro as Initial Dropper

All lure documents hid malicious VBA macros. These macros acted as droppers to gain a foothold. They executed step-by-step to deliver more payloads. The core macro logic stayed mostly the same across samples.

However, the attackers constantly refined their evasion techniques. Older macros ran the browser in headless mode. Newer ones switched to SendKeys-driven mouse and keyboard simulation to drive the browser window and dismiss prompts. This change helped the chain bypass modern endpoint protections more reliably.

The macro first launched a small Visual Basic Script. This VBScript executed a CMD file quietly. The CMD created persistence using scheduled tasks. It then ran a batch script to continue the attack.

The batch script prepared a tiny Base64-encoded HTML payload. It opened Microsoft Edge either in headless mode or off-screen. Edge fetched a command from webhook.site without user interaction. The command executed on the victim machine and captured output.

Clever Exfiltration Technique

The batch collected the command results. It submitted them through a hidden HTML form. Edge rendered this form in a controlled environment. The form posted data back to another webhook.site endpoint.

This browser-based method relied only on standard HTML features. It left almost no detectable files on disk, and the attackers avoided operating custom C2 servers entirely. The whole chain therefore stayed low-profile and hard to trace.

Power of Simplicity

The attackers chose everyday tools deliberately. They combined batch files, tiny VBS launchers, and basic HTML. Careful design maximized stealth throughout. Hidden browser sessions and automatic cleanup reduced forensic traces significantly.

Webhook.site provided free, trusted infrastructure. No suspicious domains raised alarms. Consequently, the campaign remained effective over many months. Simplicity proved more powerful than complex custom malware.

Prevention Strategies

Organizations can stop these attacks with layered defenses. First, disable macros by default in all Office applications, and train employees never to enable macros in unexpected documents. Second, monitor continuously for the campaign's observable behaviours: connections to webhook.site, headless Edge processes, scheduled task creation, and unusual outbound HTTP requests from Office or script hosts.

Block non-essential external image loading in Office files. Enforce strict script execution policies and review logs regularly. These steps significantly lower the success rate of macro-based phishing and espionage campaigns like Operation MacroMaze.
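The monitoring points above map directly onto process-creation telemetry. The following added example (written for this page, not code from the researchers or from any vendor) tags constructed Sysmon-style events with the MacroMaze indicators: an Office process spawning a script host, scheduled-task creation from a script host, Edge launched headless or off-screen, and any command line that contacts webhook.site. The `--window-position` check for off-screen windows and the field names are assumptions.

```python
"""Tag process-creation events that match the Operation MacroMaze chain."""
import re

# Constructed Sysmon-style events for illustration (not from the article).
# The webhook.site path is a placeholder, not a real campaign indicator.
SAMPLE_EVENTS = [
    {"ts": "2025-10-02T09:14:03Z", "parent": "WINWORD.EXE", "image": "wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\launch.vbs"},
    {"ts": "2025-10-02T09:14:04Z", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn "Updater" /tr C:\Temp\run.cmd'},
    {"ts": "2025-10-02T09:14:09Z", "parent": "cmd.exe", "image": "msedge.exe",
     "cmdline": "msedge.exe --headless --disable-gpu https://webhook.site/PLACEHOLDER-ID"},
    {"ts": "2025-10-02T10:00:00Z", "parent": "explorer.exe", "image": "msedge.exe",
     "cmdline": "msedge.exe https://www.example.com"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
WEBHOOK_RE = re.compile(r"webhook\.site", re.IGNORECASE)
# --headless is the documented Chromium flag; a negative --window-position is
# assumed here as one way an "off-screen" browser window could be launched.
HEADLESS_RE = re.compile(r"--headless\b|--window-position=-\d+,-\d+", re.IGNORECASE)


def classify(event: dict) -> list:
    """Return the detection tags that apply to one event (empty if benign)."""
    tags = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        tags.append("office-spawned-script-host")
    if image == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in cmd.lower():
        tags.append("scheduled-task-creation")
    if image == "msedge.exe" and HEADLESS_RE.search(cmd):
        tags.append("headless-or-offscreen-edge")
    if WEBHOOK_RE.search(cmd):
        tags.append("webhook-site-contact")
    return tags


def scan(events: list) -> list:
    """Return (timestamp, image, tags) for every event that raised a tag."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((event["ts"], event["image"], tags))
    return hits


if __name__ == "__main__":
    for ts, image, tags in scan(SAMPLE_EVENTS):
        print(ts, image, ", ".join(tags))
```

Correlating these tags within a short window on one host (Office parent, then schtasks, then headless Edge reaching webhook.site) gives a far stronger signal than any single tag alone.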
