The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe.
The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze. "The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration," the cybersecurity company said.
The attack chains employ spear-phishing emails as a starting point to distribute lure documents that share a common structural element within their XML: a field named "INCLUDEPICTURE" that points to a webhook[.]site URL hosting a JPG image. This, in turn, causes the image file to be fetched from the remote server when the document is opened.
Put differently, the field acts as a beacon akin to a tracking pixel, triggering an outbound HTTP request to the webhook[.]site URL as soon as the document is opened. The server operator can log the metadata associated with that request, confirming that the document was indeed opened by the recipient.
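The beaconing field described above is easy to triage offline: a .docx is a ZIP archive, and the field code lives in word/document.xml either as a complex field (w:instrText runs between w:fldChar markers) or as a simple field (the w:instr attribute of w:fldSimple). The scanner below is an added example, not LAB52's tooling; it builds a minimal, constructed .docx fixture with a placeholder URL and reports every remote URL referenced by an INCLUDEPICTURE field. The `\d` switch in the fixture is Word's standard "do not store graphic data" switch, which forces a fetch on every open; its presence in the campaign's documents is an assumption.

```python
"""Flag INCLUDEPICTURE fields in a .docx that point at remote URLs (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def find_remote_includepicture(docx_bytes: bytes) -> list[str]:
    """Return every http(s) URL referenced by an INCLUDEPICTURE field in the body."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))

    chunks: list[str] = []
    # Complex fields: instruction text is spread over w:instrText runs that sit
    # between fldChar begin/end markers. Walking the tree in document order and
    # inserting a line break at each begin/end marker recovers one field code per line.
    for el in root.iter():
        if el.tag == f"{{{W_NS}}}instrText":
            chunks.append(el.text or "")
        elif el.tag == f"{{{W_NS}}}fldChar" and el.get(f"{{{W_NS}}}fldCharType") in ("begin", "end"):
            chunks.append("\n")
    # Simple fields carry the whole code in the w:instr attribute.
    for fs in root.iter(f"{{{W_NS}}}fldSimple"):
        chunks.append(fs.get(f"{{{W_NS}}}instr", "") + "\n")

    hits: list[str] = []
    for code in "".join(chunks).split("\n"):
        if "INCLUDEPICTURE" in code.upper():
            hits.extend(URL_RE.findall(code))
    return hits


def build_sample_docx(image_url: str) -> bytes:
    """Constructed fixture: a minimal .docx whose body holds one INCLUDEPICTURE
    complex field pointing at image_url. Only the parts the scanner reads are
    included; a real Word file carries more package parts."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "{image_url}" \\d </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>[image]</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub, not a valid content-types part
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: the campaign's actual webhook[.]site token is not reproduced here.
    sample = build_sample_docx("https://webhook.example/TOKEN-PLACEHOLDER/lure.jpg")
    for url in find_remote_includepicture(sample):
        print("remote INCLUDEPICTURE:", url)
```

Run over a mail-gateway quarantine, any document that yields a hit deserves detonation or at least sandboxed opening with outbound HTTP blocked; a legitimate INCLUDEPICTURE almost always references a local path or an embedded relationship rather than a hosted image on a throwaway webhook service.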
LAB52 said it identified several documents with slightly tweaked macros between late September 2025 and January 2026, all of which function as a dropper to establish a foothold on the compromised host and deliver additional payloads.
"While the core logic of all the macros detected remains consistent, the scripts show an evolution in evasion techniques, ranging from 'headless' browser execution in the older version to the use of keyboard simulation (SendKeys) in the newer versions to potentially bypass security prompts," the Spanish cybersecurity company explained.
The macro is designed to execute a Visual Basic Script (VBScript) to move the infection to the next stage. The script, for its part, runs a CMD file to establish persistence via scheduled tasks and launch a batch script that renders a small Base64-encoded HTML payload in Microsoft Edge in headless mode to evade detection, retrieves a command from the webhook[.]site endpoint, executes it, captures its output, and exfiltrates that output to another webhook[.]site instance in the form of an HTML file.
A second variant of the batch script has been found to eschew headless execution in favor of moving the browser window off-screen, followed by aggressively terminating all other Edge browser processes to ensure a controlled environment.
"When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction," LAB52 said. "This browser-based exfiltration technique leverages standard HTML functionality to transmit data while minimizing detectable artifacts on disk."
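Because the chain keeps almost nothing on disk, process-creation telemetry is where it is most visible: a script host (cmd.exe, wscript.exe) launching Edge headless, Edge being pushed off-screen, and a script killing other Edge processes are each unusual on their own and strongly correlated together. The triage below is an added example, not LAB52's detection content; the events are constructed in Sysmon Event ID 1 style, and while `--headless`, `--window-position` and `taskkill /IM` are standard Chromium and Windows switches, the article does not state which switches the batch scripts use, so their appearance here is an assumption.

```python
"""Triage process-creation events for script-driven Edge sessions (added example)."""
import ntpath
import shlex

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed sample events (Sysmon Event ID 1 style fields). Paths, flags and the
# "victim" user are illustrative, not indicators taken from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'msedge.exe --headless --disable-gpu "C:\Users\victim\AppData\Local\Temp\p.html"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'msedge.exe --new-window --window-position=-32000,-32000 "C:\Users\victim\AppData\Local\Temp\p.html"'},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "taskkill /F /IM msedge.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'},
]


def _offscreen(token: str) -> bool:
    """True for --window-position=X,Y with both coordinates negative (window hidden off-screen)."""
    try:
        x, y = (int(v) for v in token.split("=", 1)[1].split(","))
    except (IndexError, ValueError):
        return False
    return x < 0 and y < 0


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, CommandLine) for each event matching one of the three patterns."""
    alerts: list[tuple[str, str]] = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        cmd = ev["CommandLine"]
        # posix=False keeps Windows backslashes and quoted paths intact.
        tokens = [t.lower() for t in shlex.split(cmd, posix=False)]
        if parent not in SCRIPT_HOSTS:
            continue  # an interactive Edge launch from explorer.exe is normal
        if image == "msedge.exe" and any(t.startswith("--headless") for t in tokens):
            alerts.append(("headless_edge_from_script", cmd))
        elif image == "msedge.exe" and any(_offscreen(t) for t in tokens if t.startswith("--window-position=")):
            alerts.append(("offscreen_edge_from_script", cmd))
        elif image == "taskkill.exe" and "/im" in tokens and "msedge.exe" in tokens:
            alerts.append(("script_kills_edge", cmd))
    return alerts


if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

Any single rule will fire on some administrative automation, so treat the three as a correlation set keyed on the parent script's process tree; a headless or off-screen Edge that also loads a .html from a user-writable temp path and is followed by a scheduled-task creation is the shape this campaign leaves in telemetry.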
"This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximize stealth: moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services."