APT28 targets Western and Central Europe with document beacons and webhook exfiltration

A technical analysis by S2 Grupo’s LAB52 reported that the Russia-linked actor APT28 carried out a campaign codenamed Operation MacroMaze targeting entities in Western and Central Europe between September 2025 and January 2026, using document-based beaconing and webhook services to confirm document openings and exfiltrate command output.

KEY FACTS

  • Incident: Operation MacroMaze by APT28
  • Timeline: Active September 2025 to January 2026
  • Initial access: Spear-phishing documents using an INCLUDEPICTURE XML field to fetch a JPG from webhook hosts
  • Exfiltration: Command output sent to webhook endpoints via browser-based HTML forms

The campaign began with spear-phishing emails that delivered lure documents. The documents contained an INCLUDEPICTURE XML field that pointed to a webhook.site URL hosting a JPG. Opening the file triggered an outbound HTTP request that let the server operator log metadata confirming the document was opened.
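The beacon works because Word resolves an INCLUDEPICTURE field by fetching the referenced URL when it renders the document. As an added example (not code from LAB52 or the report), the scanner below unpacks a .docx, pulls every remote URL out of simple and complex INCLUDEPICTURE fields, and flags those pointing at a webhook host; the host list, the placeholder URLs and the minimal constructed document are assumptions for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Hosts to treat as beacon infrastructure. Only webhook.site is named in the report;
# the tuple is an assumption a defender would extend with their own list.
WEBHOOK_HOSTS = ("webhook.site",)
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s\\]+)', re.IGNORECASE)

def include_picture_urls(docx_bytes):
    """Return every remote URL referenced by an INCLUDEPICTURE field in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    # Simple fields carry the whole instruction in one attribute ...
    instrs = [e.get(W + "instr", "") for e in root.iter(W + "fldSimple")]
    # ... complex fields split it over several w:instrText runs, so join them per paragraph.
    for p in root.iter(W + "p"):
        instrs.append("".join(t.text or "" for t in p.iter(W + "instrText")))
    return [u for instr in instrs for u in FIELD_RE.findall(instr)]

def flag_beacons(docx_bytes):
    """Classify each remote image field: known webhook host, or any other fetch on open."""
    findings = []
    for url in include_picture_urls(docx_bytes):
        host = (urlparse(url).hostname or "").lower()
        reason = "known webhook host" if host in WEBHOOK_HOSTS else "external image fetch on open"
        findings.append((url, reason))
    return findings

def build_docx(body_xml):
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   f"<w:document xmlns:w='{W[1:-1]}'><w:body>{body_xml}</w:body></w:document>")
    return buf.getvalue()

# Constructed lure: one complex field split across runs pointing at a placeholder webhook.site
# URL (not a real indicator from the report) and one simple field fetching an ordinary logo.
LURE = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "</w:instrText></w:r>'
    '<w:r><w:instrText>https://webhook.site/PLACEHOLDER-TOKEN/lure.jpg" \\d</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    "<w:p><w:fldSimple w:instr=' INCLUDEPICTURE \"https://cdn.example.invalid/logo.png\" \\d '/></w:p>"
)

if __name__ == "__main__":
    for url, reason in flag_beacons(LURE):
        print(f"{reason}: {url}")
```

A production scanner would also walk headers, footers and embedded parts, since a field can sit in any of them.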

Macros embedded in the documents acted as droppers to establish a foothold. The macro executed a VBScript, which ran a CMD file to create scheduled tasks for persistence and then launched a batch script that rendered a small Base64-encoded HTML payload in Microsoft Edge in headless mode to retrieve commands.

A variant avoided headless mode by moving the browser window off-screen and terminating other Edge processes to gain a controlled environment. When the rendered HTML form was submitted, the collected command output was exfiltrated to a webhook endpoint as an HTML file without further user interaction.

The operation used simple tooling such as batch files and small VBScript launchers while outsourcing hosting and data transfer to commonly used webhook services. The report described iterative changes in evasion techniques over the course of the campaign but did not disclose the affected organisations or the scale of data exfiltrated.

WHY IT MATTERS

The case shows that basic scripts and legitimate webhook services can be combined to confirm document opens and exfiltrate command output while leaving few disk artifacts. Organisations should consider monitoring for unexpected outbound requests to webhook hosts, including image fetches triggered on document open, and for anomalous browser activity such as headless or off-screen Edge sessions.