A new campaign targeting specific entities in Western and Central Europe has been linked to the Russia-affiliated state-sponsored threat actor known as APT28. According to the LAB52 threat intelligence team at S2 Grupo, the activity took place between September 2025 and January 2026 and has been code-named Operation MacroMaze.

According to the cybersecurity firm, "The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration." The attack chains start with spear-phishing emails that deliver lure documents sharing a common structural element in their XML: a field called "INCLUDEPICTURE" that points to a webhook[. ]site URL hosting a JPG image. As a result, the image file is retrieved from the remote server as soon as the document is opened.

In other words, the INCLUDEPICTURE reference acts as a beacon, much like a tracking pixel: opening the document triggers an outbound HTTP request to the webhook[. ]site URL, and the operator of that endpoint can log the request metadata to verify that the recipient actually opened the document.
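One way a defender can triage incoming documents for this beacon is to open the OOXML package and look at the field codes directly, since INCLUDEPICTURE (and other fields such as HYPERLINK) appear as `w:instrText` runs or `w:fldSimple` elements in the document XML. The script below is an added example written for this article; it is not LAB52's tooling, and the sample document it builds in memory, the webhook[. ]site path it uses, and the `is_suspicious` heuristic are all constructed for illustration.

```python
"""Scan a .docx for field codes that pull content from external URLs.

Added example (not from the LAB52 report).  The sample document, the
placeholder webhook path and the suspicion heuristic are constructed here.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS                      # ElementTree's Clark-notation prefix
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Field codes can live in the body and in headers/footers.
FIELD_PARTS = re.compile(r"word/(document|header\d*|footer\d*)\.xml")


def external_field_urls(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (FIELD_TYPE, url) pairs for every field code containing an http(s) URL."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not FIELD_PARTS.fullmatch(name):
                continue
            root = ET.fromstring(z.read(name))
            for para in root.iter(W + "p"):
                # Complex fields split their code over several instrText runs;
                # join them per paragraph (good enough for triage, one field per paragraph).
                codes = ["".join(t.text or "" for t in para.iter(W + "instrText"))]
                # Simple fields carry the code in a w:instr attribute instead.
                codes += [fs.get(W + "instr", "") for fs in para.iter(W + "fldSimple")]
                for code in codes:
                    code = code.strip()
                    if not code:
                        continue
                    field_type = code.split()[0].upper()
                    for url in URL_RE.findall(code):
                        found.append((field_type, url))
    return found


def is_suspicious(field_type: str, url: str) -> bool:
    """Heuristic (constructed): any remote INCLUDEPICTURE, or any field pointing at webhook.site."""
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()
    return field_type == "INCLUDEPICTURE" or host == "webhook.site" or host.endswith(".webhook.site")


def build_sample_docx(field_code: str) -> bytes:
    """Construct a minimal .docx in memory carrying one complex field (sample input only)."""
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           f'<w:r><w:instrText xml:space="preserve"> {field_code} </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder webhook path; real campaign URLs are not reproduced here.
    sample = build_sample_docx('INCLUDEPICTURE "https://webhook.site/00000000-example/pixel.jpg" \\d')
    for ftype, url in external_field_urls(sample):
        flag = "SUSPICIOUS" if is_suspicious(ftype, url) else "ok"
        print(f"{flag:10} {ftype} -> {url}")
```

Run it against a real mailbox sample by replacing `sample` with the file's bytes; a document whose only external field is a remote INCLUDEPICTURE deserves a closer look regardless of the host, because a legitimate template rarely needs to fetch a picture from the internet on open.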

According to LAB52, between late September 2025 and January 2026, it discovered several documents with slightly altered macros that all serve as droppers to gain access to the compromised host and deliver more payloads.

"The scripts demonstrate an evolution in evasion techniques, ranging from 'headless' browser execution in the older version to the use of keyboard simulation (SendKeys) in the newer versions to potentially bypass security prompts," the cybersecurity firm from Spain explained, adding that "the core logic of all the macros detected remains consistent." The macro's job is to run a Visual Basic Script (VBScript) that advances the infection to the next stage.

For its part, the script launches a batch script that renders a small Base64-encoded HTML payload in Microsoft Edge in headless mode to avoid detection, retrieves a command from the webhook[. ]site endpoint, executes it, captures its output, and exfiltrates that output as an HTML file to a second webhook[. ]site instance.

It also runs a CMD file to establish persistence via scheduled tasks. A second version of the batch script has also been discovered that foregoes headless execution, instead moving the browser window off-screen and then forcibly terminating all other Edge browser processes to keep the environment under its control.
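The behaviour described above leaves a recognisable process lineage on the endpoint: an Office application spawns a script host, which spawns a batch interpreter, which in turn launches Edge with a headless switch and creates a scheduled task. The following hunt is an added example, not LAB52's detection logic; it runs over constructed Sysmon-style process-creation records (EventID 1 field names), and the specific command lines, file names and the `--headless` switch in the sample are assumptions about how such a chain would look rather than indicators taken from the report.

```python
"""Hunt process-creation telemetry for the Office -> script host -> batch ->
headless Edge / schtasks chain described in the article.

Added example (not from the LAB52 report).  Sample events are constructed;
the command lines below are assumed shapes, not indicators from the campaign.
"""
import json
from typing import Iterable

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


def _exe(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_office_ancestor(ev: dict, by_guid: dict, max_depth: int = 8) -> bool:
    """Walk ParentProcessGuid links to see whether an Office app started this lineage."""
    cur = ev
    for _ in range(max_depth):
        cur = by_guid.get(cur.get("ParentProcessGuid"))
        if cur is None:
            return False
        if _exe(cur.get("Image", "")) in OFFICE_APPS:
            return True
    return False


def hunt(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (ProcessGuid, rule_name) hits, in event order."""
    events = [json.loads(line) for line in lines]
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for ev in events:
        guid = ev["ProcessGuid"]
        parent, image = _exe(ev.get("ParentImage", "")), _exe(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "").lower()
        from_office = has_office_ancestor(ev, by_guid)
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append((guid, "office_spawns_script_host"))
        if image == "msedge.exe" and "--headless" in cmd:
            # Headless Edge anywhere is unusual; under an Office lineage it is much worse.
            hits.append((guid, "headless_edge_from_office_chain" if from_office else "headless_edge"))
        if image == "schtasks.exe" and "/create" in cmd and from_office:
            hits.append((guid, "schtasks_create_from_office_chain"))
        if image == "taskkill.exe" and "msedge" in cmd and from_office:
            # Assumed implementation of "forcefully ending all other Edge processes".
            hits.append((guid, "edge_cleanup_from_office_chain"))
    return hits


# Constructed sample telemetry (Sysmon EventID 1 style).  Paths and names are made up.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n C:\\Users\\u\\Downloads\\lure.docm'},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\launch.vbs"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r"msedge.exe --headless C:\Users\u\AppData\Local\Temp\page.html"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g3", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /sc minute /mo 10 /tn Updater /tr C:\Users\u\AppData\Local\Temp\run.bat"},
    # Benign: a user simply opening Edge from the desktop.
    {"ProcessGuid": "g6", "ParentProcessGuid": "g0", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe https://example.org/"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for guid, rule in hunt(SAMPLE_LOG):
        print(guid, rule)
```

The ancestry walk is what turns three individually noisy signals into one high-confidence alert: a headless browser or a new scheduled task on its own will fire on developer and admin activity, but neither has a good reason to descend from a Word process. The off-screen-window variant leaves no `--headless` switch in the command line, so the Office-to-script-host and Office-lineage scheduled-task rules carry the detection for that version.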

According to LAB52, "the form is submitted when the resulting HTML file is rendered by Microsoft Edge, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction." "This browser-based exfiltration technique minimizes detectable artifacts on disk while transmitting data by utilizing standard HTML functionality."

"This campaign demonstrates the power of simplicity," the firm added. "The attacker employs very basic tools (batch files, small VBS launchers, and basic HTML), but they are carefully arranged to maximize stealth: shifting operations into off-screen or hidden browser sessions, clearing out artifacts, and contracting with popular webhook services for both payload delivery and data exfiltration."