APT28 Targets European Entities With Webhook-Based Macro Malware Campaign
Security Reporter

Russia-linked APT28 deployed webhook-based macro malware against Western and Central European targets, using evolving evasion techniques and legitimate services for stealthy data exfiltration.

Russia-linked advanced persistent threat group APT28 conducted a sophisticated malware campaign against government and private organizations across Western and Central Europe. Dubbed Operation MacroMaze by researchers at S2 Grupo's LAB52 threat intelligence team, the activity ran from September 2025 through January 2026. The campaign demonstrates how threat actors increasingly weaponize legitimate web services to bypass traditional security controls.

Attack Chain Analysis

The infection sequence begins with spear-phishing emails delivering malicious documents. These documents contain a cleverly disguised tracking mechanism within their XML structure: an INCLUDEPICTURE field pointing to a webhook[.]site URL hosting a JPG file.

"When the document is opened, it automatically fetches the image from our server," explained LAB52 analysts. "This acts like a digital tripwire, confirming document activation while providing metadata about the victim's environment."

Once activated, embedded macros serve as droppers for subsequent payloads. Researchers observed notable evolution in evasion techniques:

  • Early versions used headless browser execution to avoid detection
  • Later variants employed SendKeys keyboard simulation to bypass security prompts
  • Final iterations moved browser windows off-screen while terminating other Edge processes to create controlled environments

Multi-Stage Payload Delivery

The macro executes a Visual Basic Script (VBS) that initiates a chain of events:

  1. Creates persistence via scheduled tasks
  2. Runs batch scripts decoding Base64 HTML payloads
  3. Renders payloads in Microsoft Edge (headless or off-screen)
  4. Retrieves commands from webhook[.]site endpoints
  5. Executes commands and exfiltrates results via HTML form submissions

"This browser-based exfiltration is particularly effective," LAB52 noted. "By submitting data through HTML forms to legitimate webhook services, attackers minimize disk artifacts while blending with normal traffic."

Expert Analysis: The Power of Simplicity

LAB52 emphasized the campaign's strategic minimalism: "Operation MacroMaze proves basic tools arranged cleverly can defeat complex defenses. The attacker combines batch files, tiny VBS launchers, and simple HTML while outsourcing payload delivery and exfiltration to common web services."

Key effectiveness factors include:

  • Legitimate infrastructure abuse: Using webhook[.]site removes the need for attacker-owned C2 servers that may already be blocklisted, since traffic goes to a widely used, reputable domain
  • Living-off-the-land: Native tools like Edge and task scheduler reduce malware footprint
  • Progressive evasion: Continuous technique refinement counters detection improvements

Practical Defense Recommendations

Organizations should implement these protective measures:

  1. Macro Execution Controls: Block macros in documents from external sources via Group Policy
  2. Webhook Service Monitoring: Detect traffic to services like webhook[.]site in network logs
  3. Browser Hardening: Restrict headless browser execution and monitor off-screen window activity
  4. Endpoint Behavior Analysis: Use EDR solutions to detect scheduled task creation and process termination patterns
  5. Email Security: Implement advanced phishing detection for malicious document attributes
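
The INCLUDEPICTURE tripwire described in the attack chain section is visible in the document's own XML, so attachment scanning (item 5 above) can catch it before a user ever opens the file. The following Python is an added example, not LAB52's or anyone else's tooling: it unzips a .docx in memory, extracts Word field instructions, reports every external INCLUDEPICTURE target, and flags those on a watchlist of abused services. The watchlist, the sample URL and the minimal test document are constructed here for illustration.

```python
import html
import io
import re
import zipfile

# Word stores field instructions in w:instrText runs, e.g.
#   <w:instrText> INCLUDEPICTURE "https://host/x.jpg" \d </w:instrText>
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
URL_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s\\]+)', re.I)

# Assumption: the only service named on the page; extend for your environment.
WATCHLIST = ("webhook.site",)


def external_includepicture_urls(docx_bytes):
    """Return all external INCLUDEPICTURE URLs found in any word/*.xml part."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            # A field's instruction can be split across runs; join them first.
            instr = html.unescape(" ".join(m.group(1) for m in INSTR_RE.finditer(xml)))
            urls.extend(URL_RE.findall(instr))
    return urls


def flag_document(docx_bytes):
    """Classify a document: every external image beacon plus watchlist hits."""
    urls = external_includepicture_urls(docx_bytes)
    hits = [u for u in urls if any(d in u.lower() for d in WATCHLIST)]
    return {"external_images": urls, "watchlist_hits": hits}


def build_sample_docx(url):
    """Constructed minimal .docx (document.xml only) carrying one INCLUDEPICTURE field."""
    doc = ('<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
           'wordprocessingml/2006/main"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "%s" \\d </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>') % url
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Any external INCLUDEPICTURE target is worth reviewing even when it is not on the watchlist, since a document that fetches a remote image on open leaks the reader's IP address and client details to whoever controls that host.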

"This campaign shows why defense-in-depth matters," LAB52 concluded. "When attackers combine legitimate services with native system tools, signature-based detection fails. Security teams must focus on behavioral anomalies across email, endpoint, and network layers."

For technical details on macro analysis, Microsoft provides documentation on Office macro security. The Cybersecurity and Infrastructure Security Agency (CISA) offers guidance on APT28 mitigation strategies for critical infrastructure organizations.
