ALL POSTS
Operation MacroMaze: APT28's Webhook Exploits
Key Findings: Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze from September 2025 to January 2026. The campaign used spear-phishing emails delivering weaponized documents with an "INCLUDEPICTURE" field pointing to a webhook[.]site URL hosting a JPG. When opened, the file silently retrieves the image, acting as a tracking pixel to alert attackers that the document was viewed. Variants dropped modified macros that
Feb 24 · 2 min read
APT28 Targeted European Entities Using Webhook-Based Macro Malware
Background: The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze. Key Findings: The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration. The attack chain
Feb 24 · 1 min read