
The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe.
The activity, per S2 Grupo’s LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze. “The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration,” the cybersecurity company said.
The attack chains employ spear-phishing emails as a starting point to distribute lure documents that contain a common structural element inside their XML, a field named “INCLUDEPICTURE” that points to a webhook[.]site URL hosting a JPG image. This, in turn, causes the image file to be fetched from the remote server when the document is opened.
Put differently, this mechanism acts as a beacon similar to a tracking pixel, triggering an outbound HTTP request to the webhook[.]site URL when the document is opened. The server operator can log metadata associated with the request, confirming that the document was indeed opened by the recipient.
LAB52 said it identified several documents with slightly tweaked macros between late September 2025 and January 2026, all of which function as a dropper to establish a foothold on the compromised host and deliver additional payloads.
“While the core logic of all the macros detected remains consistent, the scripts show an evolution in evasion techniques, ranging from ‘headless’ browser execution in the older version to the use of keyboard simulation (SendKeys) in the newer versions to potentially bypass security prompts,” the Spanish cybersecurity company explained.
The macro is designed to execute a Visual Basic Script (VBScript) to move the infection to the next stage. The script, for its part, runs a CMD file to establish persistence via scheduled tasks and launch a batch script that renders a small Base64-encoded HTML payload in Microsoft Edge in headless mode to evade detection, retrieves a command from the webhook[.]site endpoint, executes it, captures its output, and exfiltrates it to another webhook[.]site instance in the form of an HTML file.
A second variant of the batch script has been found to eschew headless execution in favor of moving the browser window off-screen, followed by aggressively terminating all other Edge browser processes to ensure a controlled environment.
“When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction,” LAB52 said. “This browser-based exfiltration technique leverages standard HTML functionality to transmit data while minimizing detectable artifacts on disk.”
“This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximize stealth: moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services.”
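Defenders can triage inbound documents for this beacon by extracting INCLUDEPICTURE field instructions from the document XML before anything is opened. The following is an added example, not LAB52's or the campaign's code; it assumes a standard .docx (a zip containing word/document.xml) and uses a constructed sample with a placeholder URL rather than any indicator from the report.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
URL_RE = re.compile(r"https?://[^\s\"'\\]+", re.IGNORECASE)

def includepicture_urls(docx_bytes: bytes) -> list[str]:
    """Return remote URLs referenced by INCLUDEPICTURE fields in a .docx body.

    Word stores a field either as a complex field (instruction text split across
    <w:instrText> runs) or as <w:fldSimple w:instr="...">; both forms are checked.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    instructions = []
    for para in root.iter(f"{{{W_NS}}}p"):
        runs = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
        if runs:
            instructions.append("".join(runs))  # rejoin a field split across runs
    for fld in root.iter(f"{{{W_NS}}}fldSimple"):
        instructions.append(fld.get(f"{{{W_NS}}}instr", ""))
    found = []
    for instr in instructions:
        if "INCLUDEPICTURE" in instr.upper():
            found.extend(URL_RE.findall(instr))
    return found

# Constructed sample: one INCLUDEPICTURE field split across two runs plus a
# harmless DATE field. The URL is a placeholder, not a real campaign indicator.
SAMPLE_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"https://beacon.example/t.jpg" \\d</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>2025-09-30</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>"""

def build_sample_docx() -> bytes:
    """Pack the constructed XML into an in-memory zip (only the part the scanner reads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()

if __name__ == "__main__":
    for url in includepicture_urls(build_sample_docx()):
        print("INCLUDEPICTURE remote reference ->", url)
```

Any URL returned for a document that should not reference external images is worth alerting on, since the fetch happens on open without a macro.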

