APT28’s Operation MacroMaze: Unveiling the Webhook-Based Macro Malware Targeting Europe
Between September 2025 and January 2026, the Russian state-sponsored cyber espionage group known as APT28, or Fancy Bear, orchestrated a sophisticated campaign dubbed Operation MacroMaze. This operation targeted entities across Western and Central Europe, employing advanced spear-phishing techniques and leveraging legitimate services to enhance stealth and efficacy.
Spear-Phishing Tactics and Initial Compromise
The campaign commenced with meticulously crafted spear-phishing emails designed to deceive recipients into opening malicious documents. These documents contained a specific XML element, INCLUDEPICTURE, which referenced a URL hosted on webhook[.]site, pointing to a JPG image. Upon opening the document, the image was fetched from the remote server, triggering an outbound HTTP request. This mechanism functioned similarly to a tracking pixel, allowing the attackers to confirm when a document was accessed and to gather metadata about the recipient’s environment.
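As an added defensive example (not code from the LAB52 report), the following Python scans a .docx for INCLUDEPICTURE fields whose target leaves the host, which is the tracking-pixel mechanism described above. The embedded sample document, its webhook.site URL token and the host watchlist are constructed assumptions, not values from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+(?:"([^"]*)"|(\S+))')
SUSPECT_HOSTS = {"webhook.site"}  # assumption: illustrative watchlist, extend from your own intel

def includepicture_targets(docx_bytes: bytes) -> list[str]:
    """Target of every INCLUDEPICTURE field in word/document.xml: simple fields
    (w:fldSimple/@w:instr) and complex fields (w:instrText runs between fldChar begin/separate)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    instrs, buf = [], None
    for el in root.iter():
        if el.tag == W + "fldSimple":
            instrs.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            if el.get(W + "fldCharType") == "begin":
                buf = []
            elif buf is not None:  # "separate" or "end" closes the instruction text
                instrs.append("".join(buf)); buf = None
        elif el.tag == W + "instrText" and buf is not None:
            buf.append(el.text or "")
    return [m.group(1) or m.group(2) for s in instrs for m in FIELD_RE.finditer(s)]

def flag_remote_pictures(targets: list[str]) -> list[tuple[str, str]]:
    """(url, verdict) for each target that leaves the host: 'suspect-host' for
    a watchlisted service, 'remote' for any other http(s) URL. Local paths are dropped."""
    findings = []
    for t in targets:
        p = urlparse(t)
        if p.scheme in ("http", "https"):
            host = (p.hostname or "").lower()
            findings.append((t, "suspect-host" if host in SUSPECT_HOSTS else "remote"))
    return findings

def build_sample_docx() -> bytes:
    """Constructed minimal .docx (document part only): one remote field, one local one."""
    doc = (f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>'
           '<w:fldSimple w:instr=\'INCLUDEPICTURE "https://webhook.site/PLACEHOLDER-ID/image.jpg" \\d\'/>'
           '</w:p><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText>INCLUDEPICTURE "C:\\\\logo.png"</w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Pointed at a quarantine folder, `flag_remote_pictures(includepicture_targets(data))` per attachment gives triage analysts the off-host picture targets before any document is opened in Word.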
Evolution of Macro Techniques
LAB52, the threat intelligence team at S2 Grupo, identified multiple iterations of these malicious documents over the campaign’s duration. While the core functionality of the embedded macros remained consistent—serving as droppers to establish initial access and deliver additional payloads—the scripts exhibited an evolution in evasion techniques:
– Headless Browser Execution: Earlier versions utilized headless browser sessions to execute malicious code without displaying a user interface, thereby reducing the likelihood of detection.
– Keyboard Simulation (SendKeys): Later versions adopted keyboard simulation methods to interact with system prompts, potentially bypassing security warnings and enhancing the malware’s ability to execute without user intervention.
Multi-Stage Infection Process
The infection chain was meticulously designed to maintain persistence and evade detection:
1. Macro Execution: Upon opening the malicious document, the embedded macro executed a Visual Basic Script (VBScript).
2. VBScript Actions: The VBScript launched a CMD file responsible for establishing persistence through scheduled tasks and initiating a batch script.
3. Batch Script Operations: The batch script rendered a Base64-encoded HTML payload within Microsoft Edge in headless mode. This approach aimed to:
  – Retrieve Commands: Fetch commands from the webhook[.]site endpoint.
  – Execute Commands: Run the retrieved commands on the compromised system.
  – Capture Output: Collect the output of the executed commands.
  – Exfiltrate Data: Send the captured data back to another webhook[.]site instance in the form of an HTML file.
Advanced Evasion Techniques
A notable variant of the batch script avoided headless execution by:
– Off-Screen Browser Windows: Moving the browser window off-screen to perform malicious activities without user awareness.
– Process Control: Aggressively terminating all other Edge browser processes to ensure a controlled environment for executing malicious code.
This method leveraged standard HTML functionality to transmit data while minimizing detectable artifacts on disk, thereby enhancing the stealth of the operation.
Strategic Use of Legitimate Services
Operation MacroMaze exemplifies how simplicity, when strategically applied, can yield powerful results in cyber espionage:
– Basic Tooling: The attackers utilized fundamental tools such as batch files, minimal VBScript launchers, and simple HTML code.
– Stealth Arrangements: By carefully arranging these tools, the attackers maximized stealth through:
  – Hidden or Off-Screen Browser Sessions: Executing operations in concealed browser sessions to avoid user detection.
  – Artifact Cleanup: Ensuring minimal residual data on the compromised system to evade forensic analysis.
  – Outsourcing Infrastructure: Utilizing widely used webhook services for payload delivery and data exfiltration, blending malicious traffic with legitimate network activity.
Implications and Recommendations
The Operation MacroMaze campaign underscores the evolving tactics of state-sponsored threat actors like APT28, who continuously adapt their methods to exploit legitimate services and enhance the stealth of their operations. Organizations, particularly those in Western and Central Europe, should remain vigilant and implement comprehensive security measures to defend against such sophisticated threats.