S2 Grupo's LAB52 attributes a spear-phishing campaign dubbed Operation MacroMaze to Russia-linked APT28. The campaign was active from September 2025 to January 2026 and targeted organizations in Western and Central Europe. It uses lure documents with an INCLUDEPICTURE field that beacons to webhook[.]site and a simple VBScript/CMD/HTML toolchain that runs hidden or off-screen Microsoft Edge sessions to retrieve commands and exfiltrate output to webhook endpoints while minimizing artifacts. #APT28 #OperationMacroMaze
Key points
- Operation MacroMaze is attributed to APT28 and ran from September 2025 to January 2026 targeting Western and Central Europe.
- Attacks start with spear-phishing documents that use an INCLUDEPICTURE field pointing to webhook[.]site as a beacon.
- Macros act as droppers that execute VBScript and CMD files to establish persistence via scheduled tasks.
- Payloads use hidden or off-screen Microsoft Edge sessions to fetch commands and exfiltrate command output via HTML form submissions to webhook endpoints.
- The campaign leverages simple tools (batch, VBS, HTML) with evolving evasion techniques like headless execution, SendKeys, and process cleanup to reduce detectable artifacts.
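The INCLUDEPICTURE beacon described above can be spotted before the document is ever opened, by reading the field codes out of the document's OOXML. The following scanner is an added example written for this summary, not code from LAB52 or the cited report; the sample document.xml and its hostname are constructed placeholders, and Word's habit of splitting one field instruction across several w:instrText runs is handled explicitly.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
EXTERNAL_URL = re.compile(r'https?://[^\s"\\]+', re.IGNORECASE)
# Constructed word/document.xml sample (not a real lure): one INCLUDEPICTURE field
# fetching a remote image, one referencing a local file. The hostname is a placeholder.
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
 <w:body>
  <w:p>
   <w:r><w:fldChar w:fldCharType="begin"/></w:r>
   <w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://</w:instrText></w:r>
   <w:r><w:instrText xml:space="preserve">example.invalid/abc123/tracker.png" \d </w:instrText></w:r>
   <w:r><w:fldChar w:fldCharType="separate"/></w:r>
   <w:r><w:fldChar w:fldCharType="end"/></w:r>
  </w:p>
  <w:p><w:fldSimple w:instr=' INCLUDEPICTURE "C:\shared\logo.png" '/></w:p>
 </w:body>
</w:document>"""

def field_codes(document_xml: str):
    """Yield each field instruction in document order: simple fields (w:fldSimple/@w:instr)
    and complex fields, whose instruction text may be split across several w:instrText runs."""
    root = ET.fromstring(document_xml)
    parts, in_code = [], False
    for el in root.iter():
        if el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                parts, in_code = [], True
            elif kind in ("separate", "end") and in_code:
                yield "".join(parts)
                parts, in_code = [], False
        elif el.tag == W + "instrText" and in_code:
            parts.append(el.text or "")

def remote_includepictures(document_xml: str) -> list:
    """Return external URLs pulled in by INCLUDEPICTURE fields (beacon candidates)."""
    return [url for code in field_codes(document_xml)
            if "INCLUDEPICTURE" in code.upper()
            for url in EXTERNAL_URL.findall(code)]

def scan_docx(data: bytes) -> list:
    """Open a .docx held in memory and scan its main document part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return remote_includepictures(z.read("word/document.xml").decode("utf-8"))
```

Any external URL in an INCLUDEPICTURE field is worth flagging at the mail gateway or in sandbox triage, since a legitimate document rarely needs Word to fetch an image from the internet on open.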
Read More: https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html