A targeted cyberespionage campaign called Operation MacroMaze, attributed to Russian state-sponsored APT28, has been active since late September 2025 and targets government entities in Western and Central Europe using decoy Spanish government documents. The operation uses simple “living off the land” techniques—malicious macros, VBScript and headless Microsoft Edge—to track document openings via an INCLUDEPICTURE webhook and exfiltrate data to Webhook.site while avoiding long-term persistence. #APT28 #OperationMacroMaze
Key points
- Operation MacroMaze targets Western and Central European government entities with decoy documents impersonating the Spanish government.
- Spear-phishing Word documents include an INCLUDEPICTURE field that references webhook[.]site to detect when victims open the file.
- Malicious macros drop VBScript, batch files, and HTML snippets and rely on standard Windows tools instead of custom malware.
- The campaign uses headless Microsoft Edge (sometimes moved off-screen) to silently download payloads and exfiltrate data to Webhook.site.
- Operators favor brief, low-visibility intrusions with ephemeral infrastructure and self-cleaning behavior focused on rapid information gathering.
Read More: https://securityonline.info/hiding-in-plain-sight-apt28s-operation-macromaze-hits-european-govs/
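The two observable artefacts in the summary (an INCLUDEPICTURE field pointing at an external URL, and Office spawning a script host that in turn launches a headless Edge) are easy to hunt for. The Python below is an added example, not code from the report or from securityonline.info: it builds a minimal .docx in memory with a constructed field code, scans the Word XML parts for field instructions that reference http(s) URLs, and triages a few constructed process-creation events. The host list `SUSPECT_HOSTS` comes from the report; the off-screen heuristic on Chromium's `--window-position` switch is my own assumption about how a window would be moved off-screen, since the summary does not say.

```python
"""Defender-side triage for the Operation MacroMaze tradecraft described above (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SUSPECT_HOSTS = ("webhook.site",)          # exfil/beacon host named in the report; extend as needed
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}


def build_sample_docx(instr: str) -> bytes:
    """Construct a minimal .docx containing one complex field (test data, not a real sample)."""
    document_xml = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        f'<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{escape(instr)}</w:instrText></w:r>'
        f'<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        f'<w:r><w:t>placeholder</w:t></w:r>'
        f'<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        f'</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def _classify(part: str, instr: str) -> list[dict]:
    """Turn one field instruction into zero or more hits, one per external URL it references."""
    hits = []
    m = re.match(r"\s*([A-Za-z]+)", instr)
    field = m.group(1).upper() if m else ""
    for url in URL_RE.findall(instr):
        host = (urlparse(url).hostname or "").lower()
        hits.append({"part": part, "field": field, "url": url, "host": host,
                     "suspect": host.endswith(SUSPECT_HOSTS)})
    return hits


def find_external_fields(docx_bytes: bytes) -> list[dict]:
    """Scan every word/*.xml part for field codes (complex fields or fldSimple) that reference http(s) URLs.

    A complex field's instruction may be split across several w:instrText runs, so the runs of each
    paragraph are concatenated before matching; a document-open canary like INCLUDEPICTURE shows up here.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            for p in root.iter(f"{{{W_NS}}}p"):
                text = "".join(el.text or "" for el in p.iter(f"{{{W_NS}}}instrText"))
                if text:
                    hits.extend(_classify(name, text))
            for fs in root.iter(f"{{{W_NS}}}fldSimple"):
                hits.extend(_classify(name, fs.get(f"{{{W_NS}}}instr", "")))
    return hits


def _exe_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def triage_process_events(events: list[dict]) -> list[dict]:
    """Flag Office->script-host launches and headless/off-screen Edge, the chain the report describes."""
    findings = []
    for e in events:
        parent, image, cmd = _exe_name(e["parent_image"]), _exe_name(e["image"]), e["command_line"].lower()
        reasons = []
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            reasons.append("office_spawned_script_host")
        if image == "msedge.exe":
            if "--headless" in cmd:
                reasons.append("headless_edge")
            m = re.search(r"--window-position=(-?\d+),(-?\d+)", cmd)
            if m and (int(m.group(1)) < 0 or int(m.group(2)) < 0):   # heuristic (assumption)
                reasons.append("edge_window_offscreen")
            if any(h in cmd for h in SUSPECT_HOSTS):
                reasons.append("edge_contacting_suspect_host")
        if reasons:
            findings.append({"pid": e["pid"], "image": image, "reasons": reasons})
    return findings


# Constructed process-creation events (not real telemetry); paths and PIDs are placeholders.
SAMPLE_EVENTS = [
    {"pid": 1100, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe", "command_line": r'wscript.exe C:\Users\u\AppData\Local\Temp\x.vbs'},
    {"pid": 1200, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": "msedge.exe --headless --window-position=-2000,-2000 https://webhook.site/PLACEHOLDER-ID"},
    {"pid": 1300, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": "msedge.exe https://example.com"},
]

if __name__ == "__main__":
    doc = build_sample_docx('INCLUDEPICTURE "https://webhook.site/PLACEHOLDER-ID/open.png" \\d')
    for h in find_external_fields(doc):
        print("field hit:", h)
    for f in triage_process_events(SAMPLE_EVENTS):
        print("process hit:", f)
```

Run against real mail attachments by passing the raw .docx bytes to `find_external_fields`; any INCLUDEPICTURE or similar field with an external host is worth a look regardless of the host, since the canary only needs to be fetched once to tell the sender the document was opened. The process triage is deliberately narrow: headless Edge alone is also used by legitimate automation, so the combination with an Office parent chain and a suspect host is what should raise the alert.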