APT28 Targets European Organizations with Webhook-Based Macro Malware

By Azhar Khan

Researchers at S2 Grupo’s LAB52 have attributed a spear-phishing campaign dubbed “Operation MacroMaze” to the Russia-linked threat group APT28. Active between September 2025 and January 2026, the campaign targeted organizations across Western and Central Europe using a minimalist yet stealthy macro-based infection chain.

The operation demonstrates how simple tooling combined with clever infrastructure choices can evade detection while maintaining effective command-and-control (C2) capabilities.

Webhook-Based Beaconing via INCLUDEPICTURE

The attack begins with lure documents containing a malicious macro that abuses the INCLUDEPICTURE field in Microsoft Office. This field references a remote resource hosted on webhook[.]site, effectively creating a lightweight beacon when the document is opened.

This technique allows attackers to confirm document execution and track victims without immediately deploying heavier payloads.

Simple but Effective Toolchain

Operation MacroMaze relies on a straightforward VBScript, CMD, and HTML-based execution chain. Instead of deploying complex custom malware, the attackers leverage built-in Windows components to:

  • Launch hidden or off-screen Microsoft Edge sessions
  • Retrieve attacker-issued commands from webhook endpoints
  • Execute commands locally
  • Exfiltrate output back to the webhook infrastructure

This “living-off-the-land” approach reduces reliance on overt malware binaries and minimizes forensic artifacts.

Stealth Through Legitimate Services

By using webhook-based infrastructure and legitimate browser processes, the campaign blends malicious traffic with normal web activity. Because webhook services are commonly used for development and testing, outbound connections may not immediately raise suspicion.

Running Edge in hidden or off-screen mode further conceals the attack from user awareness.

Target Scope

The campaign focused on government entities and organizations in Western and Central Europe. APT28 has historically targeted political institutions, defense organizations, and strategic industries aligned with geopolitical objectives.

The timeline and targeting align with the group’s known operational patterns.

Minimalist Malware, Maximum Impact

Operation MacroMaze illustrates that sophisticated outcomes do not always require complex malware frameworks. Instead, attackers combined:

  • Macro-enabled lure documents
  • Built-in scripting engines
  • Legitimate browser automation
  • Public webhook infrastructure

This modular and lightweight strategy reduces detection opportunities while maintaining flexible C2 control.

Defensive Recommendations

Organizations should:

  • Disable Office macros where not strictly required
  • Monitor for abnormal INCLUDEPICTURE field usage in documents
  • Restrict or inspect outbound connections to webhook services
  • Audit hidden browser processes launched via scripts
  • Implement behavioral detection for unusual Edge automation activity
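The second recommendation above, monitoring documents for INCLUDEPICTURE fields that point at remote hosts, can be automated. The following Python script is an added example written for this article, not code from LAB52 or from the campaign: it unpacks a .docx, reassembles field codes that Word splits across several `w:instrText` runs, extracts each INCLUDEPICTURE target, and flags targets on webhook.site (the only service named in the report; the suspicious-host set and the sample document are constructed assumptions).

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# In OOXML, field codes are stored as text inside <w:instrText> runs within
# word/*.xml. Word frequently splits one field code across several runs, so
# the text of all instrText elements in a part is joined before matching.
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.I)

# Hosts to treat as beaconing infrastructure. webhook.site comes from the
# report; extend this set per your environment (assumption).
SUSPICIOUS_HOSTS = {"webhook.site"}

def find_includepicture_targets(xml_text):
    """Return every INCLUDEPICTURE target found in one OOXML part, in order."""
    joined = "".join(INSTR_RE.findall(xml_text))
    return FIELD_RE.findall(joined)

def classify_target(target):
    """'remote-suspicious', 'remote' or 'local' for a single field target."""
    url = urlparse(target)
    if url.scheme in ("http", "https"):
        host = (url.hostname or "").lower()
        suffixes = tuple("." + h for h in SUSPICIOUS_HOSTS)
        if host in SUSPICIOUS_HOSTS or host.endswith(suffixes):
            return "remote-suspicious"
        return "remote"
    return "local"  # drive paths, UNC paths, relative names

def scan_docx(data):
    """Scan all word/*.xml parts of a .docx (bytes); return (part, target, verdict)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                xml_text = zf.read(name).decode("utf-8", "replace")
                for target in find_includepicture_targets(xml_text):
                    findings.append((name, target, classify_target(target)))
    return findings

# Constructed sample (not a real capture): one beaconing field whose URL is
# split across two runs, followed by a benign local picture field.
SAMPLE_DOCUMENT_XML = r"""<w:document><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">webhook.site/0000-placeholder" \d </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "C:\\Users\\Public\\logo.png" \* MERGEFORMAT </w:instrText></w:r></w:p>
</w:body></w:document>"""

def build_sample_docx():
    """Pack the constructed document.xml into a minimal .docx container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()

if __name__ == "__main__":
    for part, target, verdict in scan_docx(build_sample_docx()):
        print(f"{verdict:17} {part}: {target}")
```

The `\d` switch in the first field tells Word not to store the image in the document, so the remote fetch is repeated on every open; a scan should treat any remote target as noteworthy and the flagged hosts as high priority.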

Evolving Macro Tradecraft

While macro-based attacks are not new, Operation MacroMaze demonstrates how threat actors continue refining stealth techniques using legitimate services and built-in tools. The campaign reinforces the need for layered defenses that combine macro controls, endpoint monitoring, and network visibility.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.