Operation MacroMaze: APT28 Exploits Microsoft Office Macros and Webhook[.]site for Spear-Phishing Attacks Against European Critical Infrastructure

Executive Summary

Between late 2025 and early 2026, the Russian state-sponsored threat group APT28 (also known as Fancy Bear, STRONTIUM, Sofacy, and Sednit) orchestrated a sophisticated spear-phishing campaign targeting governmental, diplomatic, and critical infrastructure organizations across Western and Central Europe. This operation, widely referred to as Operation MacroMaze, leveraged macro-enabled Microsoft Office documents that exploited webhook-based infrastructure for command-and-control (C2) and data exfiltration. The campaign’s technical novelty lies in its abuse of legitimate webhook services, such as webhook[.]site, and its multi-stage macro payloads that evade traditional detection mechanisms. The threat underscores the persistent evolution of state-sponsored adversaries and the urgent need for robust detection, response, and user awareness strategies.

Threat Actor Profile

APT28 is a highly resourced cyber-espionage group of Russian military intelligence, active since at least 2007. The group is attributed to Russia’s Main Intelligence Directorate (GRU), specifically military unit 26165, and is known for targeting NATO governments, defense contractors, media, and critical infrastructure. APT28 is characterized by its rapid adoption of new TTPs (tactics, techniques, and procedures), use of zero-day vulnerabilities, and preference for leveraging native OS tools and legitimate services to evade detection. The group’s campaigns are typically aligned with Russian geopolitical interests, and its operations are marked by technical sophistication, operational security, and a focus on stealthy, persistent access.

Technical Analysis of Malware/TTPs

The initial infection vector in Operation MacroMaze was spear-phishing emails containing malicious Microsoft Office documents. These documents embedded an INCLUDEPICTURE XML field referencing an external webhook[.]site URL, masquerading as a benign JPG image. When the document was opened, Microsoft Office fetched the image, causing the endpoint to beacon to the attacker’s webhook, confirming successful delivery and opening (a tracking pixel technique).

The macro payloads evolved over the campaign. Early variants used headless browser automation to execute payloads, while later versions employed keyboard simulation via the SendKeys method to bypass security prompts and sandbox restrictions. The macro executed a VBScript, which in turn launched a CMD file. This CMD file established persistence by creating a Scheduled Task and then executed a batch script. The batch script rendered a Base64-encoded HTML payload in Microsoft Edge (in headless or off-screen mode), which connected to the attacker’s webhook endpoint to retrieve further commands.

Command execution and output collection were performed within the browser context, minimizing disk artifacts and leveraging trusted system binaries. Exfiltration was achieved by submitting the output as an HTML form to another webhook endpoint, again using browser automation to blend with legitimate traffic. The use of scheduled tasks ensured persistence, and the malware included routines for artifact cleanup to reduce forensic footprints.

The infrastructure relied heavily on legitimate webhook services, such as webhook[.]site, for both C2 and exfiltration, complicating detection and blocking efforts. The campaign’s reliance on native scripting (VBScript, CMD, batch files) and browser-based automation allowed it to evade many endpoint security solutions that focus on traditional malware binaries.

Exploitation in the Wild

Operation MacroMaze was observed targeting government ministries, diplomatic missions, and critical infrastructure operators in countries including Poland, Ukraine, Germany, and France. The campaign was tracked by multiple threat intelligence teams, including S2 Grupo LAB52, CERT Polska, and CERT-UA. Victims received highly tailored spear-phishing emails, often referencing current events or official correspondence to increase credibility.

The attackers demonstrated rapid iteration of their macro payloads in response to evolving security controls, such as Microsoft’s tightening of macro execution policies. The use of multi-stage droppers (VBScript, BAT, CMD, HTM, XHTML) and scheduled tasks for persistence was consistent across observed incidents. The campaign’s use of HTML-based exfiltration via auto-submitting forms in Microsoft Edge was particularly effective at evading network-based detection, as the traffic closely resembled legitimate user activity.

Attribution to APT28 is supported by infrastructure overlaps, TTP similarities to previous campaigns, and geopolitical targeting consistent with Russian state interests. The operation’s technical details were publicly reported by The Hacker News, Security Affairs, and S2 Grupo LAB52.

Victimology and Targeting

The primary targets of Operation MacroMaze were government agencies, diplomatic missions, and critical infrastructure organizations in Western and Central Europe. Notably, entities in Poland and Ukraine were among the first to be targeted, with subsequent waves affecting Germany, France, and other EU member states. The campaign’s targeting aligns with APT28’s historical focus on organizations involved in NATO, EU policy, and regional security.

The spear-phishing lures were highly customized, often referencing ongoing diplomatic initiatives, policy documents, or urgent security advisories. The attackers demonstrated a deep understanding of their targets’ operational context, increasing the likelihood of successful compromise. The use of legitimate webhook services for C2 and exfiltration further complicated attribution and response, as these services are widely used for benign purposes in enterprise environments.

Mitigation and Countermeasures

Organizations should immediately review and update their security controls in light of the TTPs observed in Operation MacroMaze. Key mitigation steps include applying all relevant Microsoft Office security updates, particularly those addressing macro execution and external content fetching vulnerabilities. Outbound connections to known webhook services, such as webhook[.]site, should be blocked or closely monitored at the firewall and proxy level.

Security teams should implement detection rules for Office documents containing INCLUDEPICTURE fields referencing external URLs, as well as for the creation of scheduled tasks with suspicious parameters. Endpoint monitoring should be enhanced to detect unusual Microsoft Edge processes, especially those running in headless or off-screen modes. Strict macro execution policies should be enforced, and user awareness training should be conducted to help staff recognize spear-phishing attempts.
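As an added example (not from the report or from any vendor tooling), the following Python script implements the document-level check recommended above: it unpacks a .docx and scans every word/*.xml part for INCLUDEPICTURE fields that reference a remote URL, the delivery-beacon technique described in the technical analysis. The sample document, the webhook.site token and the severity scheme are constructed assumptions.

```python
import html
import io
import re
import zipfile
from urllib.parse import urlparse

# Constructed sample document.xml: one INCLUDEPICTURE field that fetches an
# external "image" from a webhook URL (token is a placeholder), one local file.
SAMPLE_DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://webhook.site/00000000-0000-0000-0000-000000000000/pic.jpg" \\d </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "C:\\\\img\\\\logo.png" </w:instrText></w:r></w:p>
</w:body></w:document>"""

# Only instructions with a remote scheme count; local paths are not beacons.
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?((?:https?|ftp)://[^"\s<]+)', re.IGNORECASE)
WATCHED_HOSTS = ("webhook.site",)  # named in the report; extend per local policy

def build_sample_docx() -> bytes:
    """Pack the constructed XML into a minimal .docx (a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()

def find_external_includepicture(docx_bytes: bytes) -> list[str]:
    """Remote URLs used by INCLUDEPICTURE fields in any word/*.xml part (body,
    headers, footers). Caveat: Word may split instrText across runs; this
    raw-text scan does not reassemble such fragments."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                text = html.unescape(zf.read(name).decode("utf-8", "replace"))
                urls.extend(FIELD_RE.findall(text))
    return urls

def triage(docx_bytes: bytes) -> list[dict]:
    """'high' for a watched webhook host, else 'medium': any fetch-on-open to a
    remote host is a delivery beacon and deserves analyst review."""
    findings = []
    for url in find_external_includepicture(docx_bytes):
        host = (urlparse(url).hostname or "").lower()
        watched = any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)
        findings.append({"url": url, "host": host,
                         "severity": "high" if watched else "medium"})
    return findings
```

The same scan can be run over mail-gateway attachments or a file share; field instructions in header and footer parts are covered because every XML part under word/ is inspected.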

Regular audits of scheduled tasks and user profile directories for unauthorized scripts are recommended. Network monitoring should focus on identifying anomalous HTTP/HTTPS traffic to webhook services and other atypical destinations. Where possible, organizations should leverage advanced threat intelligence feeds to stay informed of evolving APT28 infrastructure and TTPs.
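As a second added example (not part of the report), the following Python applies the endpoint checks recommended above to constructed process-creation events shaped like Sysmon Event ID 1 fields: a schtasks /create whose action points at a script in a user-writable path, and Microsoft Edge started headless or off-screen by a script interpreter to render a local HTML file. The events, paths and the assumption that "off-screen" appears as a negative --window-position are all made up for illustration.

```python
import re

# Constructed process-creation events shaped like Sysmon Event ID 1 fields;
# not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 15 /tn "OfficeSync" /tr "C:\Users\u\AppData\Roaming\run.bat" /f'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'msedge.exe --headless --disable-gpu "C:\Users\u\AppData\Roaming\p.htm"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msedge.exe https://intranet.example.local/"},
]

SCRIPT_PARENTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")
# Assumption: an "off-screen" Edge window is placed at negative coordinates.
OFFSCREEN_RE = re.compile(r"--window-position=-\d+,-\d+", re.IGNORECASE)
LOCAL_HTML_RE = re.compile(r'\.x?html?"?\s*$')

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list[str]:
    """Return the detection labels that fire for one event (empty if benign)."""
    img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"]
    low = cmd.lower()
    hits = []
    if img == "schtasks.exe" and "/create" in low and any(p in low for p in USER_WRITABLE):
        hits.append("persistence: scheduled task runs a script from a user-writable path")
    if img == "msedge.exe":
        if "--headless" in low or OFFSCREEN_RE.search(cmd):
            hits.append("execution: Edge launched headless or off-screen")
        if parent in SCRIPT_PARENTS and LOCAL_HTML_RE.search(low):
            hits.append("execution: Edge spawned by a script interpreter to render local HTML")
    return hits

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image, labels) for every event that triggered at least one rule."""
    flagged = []
    for ev in events:
        labels = classify(ev)
        if labels:
            flagged.append((basename(ev["Image"]), labels))
    return flagged
```

Correlating the two Edge labels with a preceding Office-to-wscript or Office-to-cmd process chain on the same host raises confidence well above either rule alone.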

About Rescana

Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages real-time intelligence, automated workflows, and deep analytics to provide actionable insights and strengthen your organization’s security posture. For more information or to discuss how Rescana can help you address emerging threats, we are happy to answer questions at ops@rescana.com.
