
APT28 Targeted European Entities Using Webhook-Based Macro Malware

  • Feb 24

Background


The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze.


Key Findings


  • The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration.

  • The attack chains start with spear-phishing emails that deliver lure documents. The documents share a common structural element in their XML: a field named "INCLUDEPICTURE" that points to a webhook[.]site URL hosting a JPG image.

  • This field acts as a beacon, akin to a tracking pixel: opening the document triggers an outbound HTTP request to the webhook[.]site URL.

  • The macro is designed to execute a Visual Basic Script (VBScript) that moves the infection to the next stage: it establishes persistence via scheduled tasks and launches a batch script that renders a small Base64-encoded HTML payload in Microsoft Edge in headless mode to evade detection.

  • A second variant of the batch script has been found to eschew headless execution in favor of moving the browser window off-screen, followed by aggressively terminating all other Edge browser processes to ensure a controlled environment.

  • The browser-based exfiltration technique leverages standard HTML functionality to transmit data while minimizing detectable artifacts on disk.
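The INCLUDEPICTURE beacon described above can be checked for statically, before a document is opened. The following is an added example written for this post (it is not code from LAB52's report or from The Hacker News): it unzips a .docx, collects Word field instructions from every `word/*.xml` part (body, headers and footers), and flags INCLUDEPICTURE targets with an http(s) scheme, marking hosts the post names as beaconing infrastructure. The sample document is constructed in memory and the webhook.site path inside it is a placeholder, not a real indicator.

```python
"""Static check for INCLUDEPICTURE fields that fetch a remote image.

Added example for this post; not code from LAB52 or The Hacker News.
The .docx is constructed in memory; the webhook.site path is a placeholder.
"""
import html
import io
import re
import zipfile
from typing import Dict, List
from urllib.parse import urlparse

# Host the post names as beaconing infrastructure; extend from your own TI feed.
KNOWN_BEACON_HOSTS = {"webhook.site"}

# Complex fields: everything between a 'begin' and 'end' fldChar; the
# instruction text may be split across several w:instrText runs.
_COMPLEX_FIELD_RE = re.compile(r'w:fldCharType="begin".*?w:fldCharType="end"', re.S)
_INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
# Simple fields carry the instruction in a w:instr attribute.
_SIMPLE_FIELD_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
_INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)', re.I)


def extract_field_codes(xml: str) -> List[str]:
    """Return every field instruction in a WordprocessingML part, XML-unescaped."""
    codes: List[str] = []
    for block in _COMPLEX_FIELD_RE.findall(xml):
        joined = "".join(_INSTR_RE.findall(block))  # re-join split runs
        if joined.strip():
            codes.append(html.unescape(joined))
    for instr in _SIMPLE_FIELD_RE.findall(xml):
        codes.append(html.unescape(instr))
    return codes


def find_external_pictures(docx_bytes: bytes) -> List[Dict[str, object]]:
    """Flag INCLUDEPICTURE targets with an http(s) scheme in any word/*.xml part."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for code in extract_field_codes(xml):
                m = _INCLUDEPICTURE_RE.search(code)
                if not m:
                    continue
                target = m.group(1)
                parsed = urlparse(target)
                if parsed.scheme.lower() not in ("http", "https"):
                    continue  # local or relative picture paths do not beacon
                host = (parsed.hostname or "").lower()
                findings.append({
                    "part": name,
                    "url": target,
                    "host": host,
                    "known_beacon_host": host in KNOWN_BEACON_HOSTS,
                })
    return findings


def build_sample_docx(url: str) -> bytes:
    """Constructed test document: one INCLUDEPICTURE split across two instrText
    runs (pointing at `url`), plus a harmless local one as a simple field."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p>"
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">"{url}" \\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p><w:p>"
        '<w:fldSimple w:instr="INCLUDEPICTURE &quot;images/logo.png&quot;">'
        "<w:r><w:t/></w:r></w:fldSimple>"
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://webhook.site/PLACEHOLDER-TOKEN/lure.jpg")
    for finding in find_external_pictures(sample):
        print(finding)
```

Run it against a real document with `find_external_pictures(open("file.docx", "rb").read())`. Any remote INCLUDEPICTURE target is worth a look regardless of host, since the beacon works with any server the attacker controls; the known-host flag only prioritises hits.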


MITRE ATT&CK Techniques


  • T1059.005 - Command and Scripting Interpreter: Visual Basic

  • T1053.005 - Scheduled Task/Job: Scheduled Task

  • T1218.005 - Signed Binary Proxy Execution: Mshta

  • T1204.002 - User Execution: Malicious File
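The techniques listed above map onto one process chain: an Office application spawning a script host (T1059.005), the script creating a scheduled task (T1053.005), and a batch file launching Edge headless. The following is an added example for this post, not code from LAB52 or The Hacker News, that correlates constructed process-creation events into that chain. The four-field record (pid, ppid, image, cmdline) is a simplified Sysmon-like schema chosen here rather than any vendor's exact format; the command lines are illustrative placeholders, and `--headless` is the Chromium switch name assumed to be how "headless mode" shows up on the command line.

```python
"""Process-chain correlation for the MacroMaze-style execution path
(Office -> script host -> schtasks / batch -> headless Edge).

Added example for this post; not code from LAB52 or The Hacker News.
Events are constructed; the schema and command lines are placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # executable basename, lower-case
    cmdline: str


def ancestors(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Parents of pid, nearest first; stops at unknown pids or a pid loop."""
    chain: List[Proc] = []
    seen = {pid}
    cur = procs.get(pid)
    while cur is not None and cur.ppid in procs and cur.ppid not in seen:
        cur = procs[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def rule_office_to_script_host(procs: Dict[int, Proc], p: Proc) -> bool:
    """T1059.005: a script host with an Office application in its ancestry."""
    return p.image in SCRIPT_HOSTS and any(
        a.image in OFFICE_APPS for a in ancestors(procs, p.pid))


def rule_script_host_to_schtasks(procs: Dict[int, Proc], p: Proc) -> bool:
    """T1053.005: schtasks /create run from under a script host."""
    return (p.image == "schtasks.exe" and "/create" in p.cmdline.lower()
            and any(a.image in SCRIPT_HOSTS for a in ancestors(procs, p.pid)))


def rule_shell_to_headless_edge(procs: Dict[int, Proc], p: Proc) -> bool:
    """Headless Edge launched from a cmd.exe (batch) ancestor."""
    return (p.image == "msedge.exe" and "--headless" in p.cmdline.lower()
            and any(a.image == "cmd.exe" for a in ancestors(procs, p.pid)))


RULES: Dict[str, Callable[[Dict[int, Proc], Proc], bool]] = {
    "office_to_script_host": rule_office_to_script_host,
    "script_host_to_schtasks": rule_script_host_to_schtasks,
    "shell_to_headless_edge": rule_shell_to_headless_edge,
}


def detect(events: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that matches a rule."""
    procs = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for p in events:
        for name, rule in RULES.items():
            if rule(procs, p):
                hits.append((name, p.pid))
    return hits


# Constructed process-creation records; paths and task name are placeholders.
SAMPLE_EVENTS = [
    Proc(100, 1, "explorer.exe", "explorer.exe"),
    Proc(200, 100, "winword.exe", 'WINWORD.EXE /n "C:\\Users\\victim\\Downloads\\invite.docx"'),
    Proc(300, 200, "wscript.exe", "wscript.exe C:\\Users\\victim\\AppData\\Local\\Temp\\stage.vbs"),
    Proc(400, 300, "schtasks.exe", 'schtasks.exe /Create /SC MINUTE /TN "Updater" /TR "C:\\Users\\victim\\AppData\\Local\\Temp\\run.bat"'),
    Proc(500, 300, "cmd.exe", "cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\run.bat"),
    Proc(600, 500, "msedge.exe", "msedge.exe --headless <payload omitted>"),
    Proc(700, 100, "msedge.exe", "msedge.exe --profile-directory=Default"),  # benign user launch
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Each rule fires on its own, so a partial chain (for example a document that only spawns a script host) still alerts; the benign Edge launch from Explorer matches nothing because it has neither `--headless` nor a cmd.exe ancestor. The second batch variant described in the post (off-screen window instead of headless) would need an additional rule keyed on the window-placement switch, which this example does not attempt since the post does not give it.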


IOCs Mentioned


  • webhook[.]site


Sources


  • https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html

  • https://www.socdefenders.ai/item/3e8113e4-98f4-4c3b-8834-c6c0de7618ee

  • https://www.linkedin.com/posts/cyber-news-live_apt28-targeted-european-entities-using-webhook-based-activity-7431915921801211904-kQLd

  • https://x.com/Dinosn/status/2026144611249336767

© 2025 by Explain IT Again. Powered and secured by Wix
