Full Report
The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze. "The campaign relies on basic tooling and the exploitation of legitimate services
Analysis Summary
# Threat Actor: APT28
## Attribution & Identity
* **Primary Identification:** APT28
* **Attribution:** Russia-linked state-sponsored threat actor.
* **Known Aliases/Associations:** N/A (only APT28 is named in the source text).
## Activity Summary
APT28 is attributed to a new campaign codenamed **Operation MacroMaze**. This campaign was active between September 2025 and January 2026, carried out through spear-phishing emails designed to lure victims into opening documents that trigger macro execution. The operation leverages basic tooling and legitimate services for infrastructure and data exfiltration.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Spear-phishing emails distributing lure documents.
- **Lure Document Mechanism:** Use of an INCLUDEPICTURE field code in the document XML pointing to a remote URL (webhook[.]site) that serves an image; Word fetches the image when the document is opened, so the field functions as an outbound beacon.
- **Persistence:** Establishment of persistence via scheduled tasks using a VBScript launcher.
- **Payload Delivery/Execution:** Execution involves a VBScript launching a CMD file, which in turn launches a batch script.
- **Evasion:** Evasion techniques evolved over the campaign, from 'headless' browser execution to later use of keyboard simulation (SendKeys).
- **Command and Control (C2):** Retrieval of commands and exfiltration of output via HTTPS requests to webhook[.]site endpoints.
- **Data Exfiltration:** Browser-based exfiltration by rendering a Base64-encoded HTML payload in Microsoft Edge (either headless or with the window moved off-screen) to submit collected command output to the remote webhook endpoint.
- **Tooling:** Reliance on basic/native tooling (batch files, VBS launchers, simple HTML) arranged with care for stealth.
## Targeting
- **Sectors:** Not explicitly detailed, but described as targeting "specific entities."
- **Geography:** Western and Central Europe.
- **Victims:** Specific organizations are not named in the provided text.
## Tools & Infrastructure
- **Malware Families Used:** Custom macros (evolving variants), VBScript, CMD files, and Base64-encoded HTML payloads.
- **Infrastructure (C2, domains, IPs):** Legitimate services, specifically utilizing **webhook[.]site** for beaconing, command retrieval, and data exfiltration.
## Implications
Operation MacroMaze demonstrates APT28's continued strategy of leveraging simplicity and legitimate services for operational security, which makes defense evasion hard to counter. The use of basic file types, combined with document-loading tricks analogous to tracking pixels and browser-based data transfer, minimizes reliance on traditional, easily identifiable malware infrastructure.
## Mitigations
- Implement robust email filtering and security gateways to detect spear-phishing and suspicious document attachments.
- Disable or restrict macro execution capabilities (especially for documents from external sources).
- Monitor outbound network traffic for unusual connections to generic, potentially disposable services such as webhook[.]site, which this campaign uses for C2 beaconing and data exfiltration.
- Harden endpoint detection and response (EDR) to monitor for chains involving VBScript execution leading to CMD/batch file execution, and suspicious browser automation patterns (headless execution or off-screen window manipulation).
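As an added example that is not part of the report or of LAB52's analysis, the following Python sketches the two checks the lure-document mechanism and the mitigations above call for: a scan of a Word document.xml for INCLUDEPICTURE fields that reference remote URLs, and rules run over constructed process and network telemetry for the VBScript-to-batch chain, headless or data-URL Microsoft Edge launches, and connections to webhook.site. The event field names, the wscript.exe/cscript.exe script hosts and all sample values are assumptions.

```python
import re

# Constructed minimal fragment of a Word document.xml field run. Real field codes can be
# split across several <w:instrText> runs, so a production scanner should join the runs
# of a paragraph before matching.
SAMPLE_DOCUMENT_XML = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE '
    '"https://webhook.site/PLACEHOLDER-ID/pixel.png" \\d </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s<]+)', re.IGNORECASE)

def remote_includepicture_urls(document_xml: str) -> list:
    """URLs referenced by INCLUDEPICTURE fields; a remote URL means the document beacons on open."""
    return INCLUDEPICTURE_RE.findall(document_xml)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed hosts for the VBScript launcher
BATCH_RE = re.compile(r'\.(?:cmd|bat)\b', re.IGNORECASE)
EDGE_EXFIL_RE = re.compile(r'--headless|data:text/html;base64,', re.IGNORECASE)
WEBHOOK_DOMAINS = {"webhook.site"}

def classify_event(ev: dict) -> list:
    """Return the names of the detections that fire for one telemetry event (assumed schema)."""
    hits = []
    if ev["type"] == "process":
        parent, image, cmdline = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
        if parent in SCRIPT_HOSTS and image == "cmd.exe" and BATCH_RE.search(cmdline):
            hits.append("vbs_to_batch_chain")          # VBScript -> cmd.exe -> .cmd/.bat
        if image == "msedge.exe" and EDGE_EXFIL_RE.search(cmdline):
            hits.append("browser_exfil_pattern")       # headless Edge or inline base64 HTML
    elif ev["type"] == "network":
        host = ev["dest_host"].lower()
        if any(host == d or host.endswith("." + d) for d in WEBHOOK_DOMAINS):
            hits.append("webhook_site_connection")
    return hits

# Constructed sample telemetry: three events mirroring the reported chain plus one benign control.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\Public\\update.cmd"'},
    {"type": "process", "parent": "cmd.exe", "image": "msedge.exe",
     "cmdline": 'msedge.exe --headless --disable-gpu "data:text/html;base64,PGh0bWw+"'},
    {"type": "network", "image": "msedge.exe", "dest_host": "webhook.site"},
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]

def scan(events: list) -> dict:
    """Map each detection name to the number of events that triggered it."""
    counts = {}
    for ev in events:
        for name in classify_event(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts
```

Any single hit is only a lead; the page's chain is the combination of a remote INCLUDEPICTURE fetch, a script-host-to-batch process tree and browser traffic to a webhook endpoint from the same host within a short window.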