The APT28 advanced persistent threat (APT) group has been identified as the actor behind a recent cyberespionage campaign targeting entities across Europe. In a series of attacks dubbed Operation MacroMaze, novel APT28 macro malware embedded in Microsoft Office documents was deployed against the targets.
The campaign, which ran from September 2025 through January 2026, showcases a tactical evolution by using a legitimate third-party service for command-and-control (C2) communications and data exfiltration, thereby complicating detection and attribution efforts.
APT28, also known as Fancy Bear or Forest Blizzard, relied on social engineering, delivering weaponized phishing documents with various lures to targets in Western and Central Europe. Lab52, the threat intelligence division of S2 Grupo, identified multiple documents with four slightly different macro variants.
All macros were designed to establish a foothold on the victim’s machine by dropping six files, including scripting files (VBS, BAT, and CMD) and HTML-wrapped exfiltration files (HTM and XHTML), then running one of the VBScript files to initiate the next stage.
“The scripts show an evolution in evasion techniques, ranging from 'headless' browser execution in the older version to keyboard simulation (SendKeys) in the newer versions,” the report added.
Instead of establishing a direct connection to a traditional C2 server, the malware leveraged webhook[.]site, a legitimate online service used for testing and inspecting HTTP requests. Routing traffic through the webhook service allowed the malware to send stolen system information and other sensitive data as ordinary HTTP POST requests.
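The two observable stages described above (an Office application launching a script host against the dropped VBS/BAT/CMD/HTM/XHTML files, followed by POST requests to webhook.site) can be correlated per host from ordinary endpoint and proxy telemetry. The following Python is an added illustration written for this article, not code from the Lab52 report; the process events, proxy lines, column layout and webhook URL paths are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the Lab52 report). Columns are
# tab-separated: host, parent process, child process, command line.
PROCESS_EVENTS = """\
host1\tWINWORD.EXE\twscript.exe\tC:\\Users\\u\\AppData\\Local\\Temp\\stage.vbs
host1\twscript.exe\tcmd.exe\tC:\\Users\\u\\AppData\\Local\\Temp\\run.cmd
host1\texplorer.exe\tchrome.exe\thttps://intranet.example
host2\tWINWORD.EXE\tsplwow64.exe\t
"""
# Constructed proxy lines: host, method, URL, request body size in bytes.
PROXY_LOG = """\
host1\tPOST\thttps://webhook.site/0000-placeholder-uuid\t4123
host1\tGET\thttps://update.example.com/check\t311
host2\tPOST\thttps://webhook.site/1111-placeholder-uuid\t90
host3\tGET\thttps://webhook.site/2222-placeholder-uuid\t120
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# The five dropped file types named in the report.
DROPPED_EXT = re.compile(r"\.(vbs|bat|cmd|htm|xhtml)\b", re.I)
WEBHOOK = re.compile(r"^https?://webhook\.site/", re.I)

def office_spawned_script(events: str) -> dict:
    """Office app launching a script host on a dropped-file path: {host: [cmdline]}."""
    hits = defaultdict(list)
    for line in events.splitlines():
        host, parent, child, cmdline = line.split("\t")
        if (parent.lower() in OFFICE_PARENTS and child.lower() in SCRIPT_HOSTS
                and DROPPED_EXT.search(cmdline)):
            hits[host].append(cmdline)
    return dict(hits)

def webhook_posts(log: str) -> dict:
    """Bytes sent by POST to webhook.site per host (GET probes are not exfil)."""
    out = defaultdict(int)
    for line in log.splitlines():
        host, method, url, size = line.split("\t")
        if method == "POST" and WEBHOOK.match(url):
            out[host] += int(size)
    return dict(out)

def correlate(events: str, log: str) -> dict:
    """Severity per host: both stages seen -> high, one stage alone -> medium."""
    scripts, posts = office_spawned_script(events), webhook_posts(log)
    return {h: ("high" if h in scripts and h in posts else "medium")
            for h in set(scripts) | set(posts)}

if __name__ == "__main__":
    for host, sev in sorted(correlate(PROCESS_EVENTS, PROXY_LOG).items()):
        print(host, sev)
```

A host that shows both the Office-to-script-host chain and outbound POSTs to the webhook service is the one to triage first; a POST alone can also be a developer legitimately testing webhooks, which is exactly why the actor's choice of service complicates detection.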
One of these lures, specifically used for spear-phishing, claimed to be an agenda issued by the Ministry of the Presidency, Justice, and Relations with the Courts of Spain in 2025. “It’s a deliberately crafted and modified document that reproduces content from the agenda resolutions published on the official La Moncloa website on September 23, 2025,” researchers said.
The strategic use of legitimate online services as a C2 channel is a growing concern for cybersecurity professionals. This campaign demonstrates how sophisticated threat actors like APT28 continue to adapt their tradecraft to circumvent conventional security measures.
For organizations, this underscores the critical need for:
In May 2025, cybersecurity authorities across several countries warned of an intensifying APT28 campaign against Western firms that gathered intelligence on aid to Ukraine. This month, the RedKitten cyberespionage campaign was observed leveraging a sophisticated C2 implant delivered via macro-enabled Excel spreadsheets.
The campaign's tactics, techniques, and procedures (TTPs) overlap with those documented in CERT Polska's 2024 report on a large-scale APT28 malware campaign targeting Polish government institutions and in CERT-UA's 2023 report on a targeted cyberattack against a critical energy infrastructure facility in Ukraine.