Key Findings Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze from September 2025 to January 2026. The campaign used spear-phishing emails delivering weaponized documents with an "INCLUDEPICTURE" field pointing to a webhook[.]site URL hosting a JPG. When opened, the file silently retrieves the image, acting as a tracking pixel to alert attackers the document was viewed. Variants dropped modified macros that
