NEWS

APT28 Operation MacroMaze: Russia-Linked Hackers Hit

Russia-linked APT28 targeted government, diplomatic, and defense-adjacent entities across Western and Central Europe from September 2025 to January 2026...

Dylan H.

News Desk

February 24, 2026
6 min read

Stealthy Webhook Exfiltration Targets European Governments

Researchers have attributed a new espionage campaign to APT28 (also known as Fancy Bear / Sofacy / Forest Blizzard), the Russia-linked state-sponsored threat actor associated with Russia's GRU military intelligence. Dubbed Operation MacroMaze, the campaign ran from September 2025 to January 2026 and targeted government, diplomatic, defense-adjacent, and strategic entities across Western and Central Europe.

The campaign is notable for its use of simple, widely available tools combined with legitimate infrastructure — weaponized Office documents with macro droppers, webhook.site for tracking and C2, and Microsoft Edge running in headless mode to silently exfiltrate data through browser-based channels that blend into normal network traffic.


Campaign Details

Attribute              Value
---------------------  ------------------------------------------------------------
Threat Actor           APT28 (Fancy Bear / Sofacy / Forest Blizzard)
Attribution            Russia's GRU (Main Intelligence Directorate)
Campaign Name          Operation MacroMaze
Active Period          September 2025 – January 2026
Targets                Government, diplomatic, defense-adjacent, strategic entities
Target Region          Western and Central Europe
Initial Access         Spear-phishing with weaponized Office documents
C2 Infrastructure      webhook.site (legitimate service)
Exfiltration Method    Microsoft Edge headless mode (browser-based)
Macro Variants         4 closely related dropper variants identified
Research Published By  Lab52, Security Affairs, The Hacker News

How the Attack Worked

Phase 1: Spear-Phishing Delivery

The attack chain begins with spear-phishing emails delivering weaponized Office documents to targeted personnel at government and diplomatic organizations. The documents are crafted with lures relevant to the target's role and sector.

Phase 2: Tracking Pixel Confirmation

Each document contains an INCLUDEPICTURE field pointing to a webhook.site URL hosting a JPG image. When the target opens the document, it silently retrieves the image — functioning as a tracking pixel that alerts the attackers the document was opened, confirming the target engaged with the lure.

This technique serves dual purposes:

  • Target validation — Confirms the right person opened the document
  • Network reconnaissance — Captures the target's IP address, user agent, and timing information

Phase 3: Macro Dropper Execution

If the target enables macros, one of four closely related macro variants executes as a dropper, deploying six files into the %USERPROFILE% folder. The variants observed between September 2025 and January 2026 show iterative refinement, with each version introducing minor modifications to evade detection while maintaining the core functionality.

Phase 4: Browser-Based Exfiltration

The most distinctive element of Operation MacroMaze is its exfiltration technique. The malware launches Microsoft Edge in headless mode — invisible to the user — to silently communicate with the attackers' infrastructure. This approach offers several advantages:

  • Blends into normal traffic — Browser-based HTTPS requests are indistinguishable from legitimate Edge browsing
  • Bypasses network monitoring — Most organizations whitelist Microsoft Edge traffic
  • Leverages legitimate infrastructure — Webhook.site is a trusted developer tool unlikely to be blocked
  • Avoids custom C2 detection — No custom protocol or unusual ports that would trigger alerts
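As an added defender-side illustration (not code from the article, Lab52 or the other cited researchers), the following Python flags an msedge.exe process started with --headless, walks its parent chain to see whether an Office process sits above it, and notes whether the command line names webhook.site. The event records, PIDs and paths are constructed sample data, not telemetry from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the
# fields the rule needs); sample data, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3900, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\agenda.docm"'},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\run.bat"'},
    {"pid": 4502, "ppid": 4388, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --headless=new --disable-gpu https://webhook.site/EXAMPLE-ID"},
    {"pid": 5100, "ppid": 1200, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --profile-directory=Default"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
WATCHED_HOSTS = {"webhook.site"}  # named in the article; extend with your own list

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestry(events, pid):
    """Image base names from pid upwards, stopping at an unknown parent or a cycle."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def find_headless_edge(events):
    """Flag msedge.exe started with --headless and rate it by what sits above it."""
    hits = []
    for e in events:
        if basename(e["image"]) != "msedge.exe" or not HEADLESS_RE.search(e["cmdline"]):
            continue
        chain = ancestry(events, e["ppid"])
        hosts = {urlparse(u.strip('"')).hostname for u in URL_RE.findall(e["cmdline"])}
        hits.append({
            "pid": e["pid"], "chain": chain,
            # an Office process in the ancestry is the pattern the article calls anomalous
            "severity": "high" if OFFICE_IMAGES & set(chain) else "medium",
            "watched_hosts": sorted(h for h in hosts if h in WATCHED_HOSTS),
        })
    return hits
```

Feed it real Sysmon or EDR process-creation records with the same four fields and the plain Edge launch (pid 5100 here) stays silent while the Office-to-script-to-headless-Edge chain is rated high.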

Why This Campaign Matters

Low-Tech, High-Impact

Operation MacroMaze demonstrates that APT28 continues to achieve significant results using basic tools and legitimate services. Rather than deploying custom implants or zero-day exploits, the campaign relies on:

  • Office macros — A decades-old attack vector that remains effective
  • Batch scripts — Simple automation for persistence and execution
  • Legitimate webhook services — Free, trusted infrastructure for C2
  • Built-in browser capabilities — Microsoft Edge as an exfiltration tool

This approach minimizes the operational footprint and makes attribution and detection significantly harder.

Persistent European Targeting

APT28 has been one of the most active threat actors targeting European governments and NATO-aligned organizations. Operation MacroMaze continues this pattern, with targets spanning diplomatic missions, defense ministries, and organizations involved in European security policy.


Impact Assessment

Impact Area             Description
----------------------  ------------------------------------------------------------------------------------
Government espionage    Sensitive diplomatic and defense information potentially exfiltrated
Detection evasion       Legitimate infrastructure and browser-based exfiltration bypass most monitoring
Attribution difficulty  Use of public services (webhook.site, Edge) complicates forensic analysis
European security       Continued APT28 targeting of NATO-aligned entities during a period of geopolitical tension
Macro persistence       Demonstrates that macro-based attacks remain viable despite years of defensive focus
Defense planning        Campaign intelligence may inform Russia's strategic and military decision-making

Recommendations

For Government and Diplomatic Organizations

  1. Block macro execution in Office documents from external sources via Group Policy
  2. Monitor webhook.site traffic — Flag or block connections to webhook.site from enterprise endpoints
  3. Audit Edge headless mode usage — Look for msedge.exe --headless in process monitoring
  4. Inspect %USERPROFILE% for dropped files — Check for unexpected files matching the six-file dropper pattern
  5. Implement DMARC and email authentication — Reduce spear-phishing delivery success

For Security Operations Teams

  1. Hunt for INCLUDEPICTURE fields in Office documents referencing external URLs
  2. Monitor for batch script execution from user profile directories
  3. Review browser process trees — Headless Edge spawned by Office macro execution is anomalous
  4. Correlate webhook.site connections with document open events
  5. Share IOCs with national CERTs and NATO CCDCOE for coordinated defense
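An added example, not code from the article or the cited researchers, for the INCLUDEPICTURE hunt described in Phase 2 and in recommendation 1 above: it opens a .docx as a ZIP, pulls every field instruction out of the WordprocessingML parts (both simple fields and complex fldChar/instrText fields), and reports INCLUDEPICTURE targets fetched over HTTP(S). The sample document is constructed in memory with a placeholder webhook.site URL; the watched-host list is an assumption you would extend.

```python
import io, re, zipfile, xml.etree.ElementTree as ET
from urllib.parse import urlparse

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")
WATCHED_HOSTS = {"webhook.site"}  # named in the article; extend with your own list

def field_instructions(xml_bytes):
    """Yield each field's instruction text: w:fldSimple/@w:instr for simple fields,
    joined w:instrText runs between fldChar begin and end for complex ones."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter(W + "fldSimple"):
        yield el.get(W + "instr", "")
    buf, inside = [], False
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                buf, inside = [], True
            elif kind == "end" and inside:
                inside = False
                yield "".join(buf)
        elif el.tag == W + "instrText" and inside:
            buf.append(el.text or "")

def scan_docx(data):
    """Return one record per INCLUDEPICTURE whose target is fetched over http(s)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in filter(PART_RE.match, z.namelist()):
            for instr in field_instructions(z.read(name)):
                for url in FIELD_RE.findall(instr):
                    p = urlparse(url)
                    if p.scheme in ("http", "https"):
                        findings.append({"part": name, "url": url, "host": p.hostname,
                                         "watched": p.hostname in WATCHED_HOSTS})
    return findings

def build_sample_docx():
    """Constructed test document, not a real lure: placeholder webhook.site simple field, external complex field, harmless PAGE field."""
    doc = (f'<w:document xmlns:w="{W[1:-1]}"><w:body>'
           '<w:p><w:fldSimple w:instr=" INCLUDEPICTURE &quot;https://webhook.site/EXAMPLE-ID/pixel.jpg&quot; \\d "/></w:p>'
           '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://example.org/logo.png" \\d </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
           '<w:p><w:fldSimple w:instr=" PAGE "/></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z: z.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Point scan_docx at the bytes of any .docx or .docm from a mail gateway or file share; the PAGE field and any image embedded inside the package produce no finding, so only externally fetched pictures surface.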

Key Takeaways

  1. APT28 targeted European governments from September 2025 to January 2026 in Operation MacroMaze
  2. Webhook-based tracking pixels confirm target engagement before payload delivery
  3. Microsoft Edge headless mode used for stealthy browser-based data exfiltration that blends into normal traffic
  4. Four macro dropper variants deployed six files each, showing iterative refinement over the campaign
  5. Legitimate infrastructure (webhook.site) used for C2 makes detection and blocking significantly harder
  6. Low-tech but effective — No zero-days or custom implants required for government-level espionage

Sources

  • Security Affairs — Operation MacroMaze: APT28 Exploits Webhooks for Covert Data Exfiltration
  • The Hacker News — APT28 Targeted European Entities Using Webhook-Based Macro Malware
  • Lab52 — Operation MacroMaze: New APT28 Campaign Using Basic Tooling and Legit Infrastructure
  • Security Online — APT28's Operation MacroMaze Hits European Governments
