The Hacker News reports that a new operation named MacroMaze, which targeted specific entities in Western and Central Europe, has been attributed to the Russia-linked state-sponsored threat actor tracked as APT28. According to the LAB52 threat intelligence team, the activity ran from September 2025 to January 2026.
The campaign uses spear-phishing emails to deliver lure documents whose XML contains an INCLUDEPICTURE field pointing at a webhook[.]site URL that hosts a JPG image. The field acts as a beacon: opening the document triggers an outbound HTTP request, which lets the server operator log metadata confirming that the document was opened. The foothold on the compromised host is established separately by a dropper macro, which delivers the additional payloads.
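The INCLUDEPICTURE beacon is visible statically, without opening the document, because Word stores field codes in the package XML. The following scanner is an added example, not code from the article or from LAB52: it builds a minimal constructed .docx in memory (the URL, part names and the `webhook.site` host list are assumptions for the test, not indicators from the report), then walks every part of a .docx for INCLUDEPICTURE field codes and for image relationships marked `TargetMode="External"`, the other way a document can pull a remote image.

```python
"""Static scan of a .docx for remote INCLUDEPICTURE fields and external image
relationships (the document-open beacon technique described in the article)."""
import html
import io
import re
import zipfile
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Word stores a complex field's code in <w:instrText> runs (often split across
# several runs) and a simple field's code in the w:instr attribute of <w:fldSimple>.
INSTR_TEXT_RE = re.compile(r"<w:instrText\b[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"', re.S)
INCLUDE_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s\\]+)', re.I)
# A relationship with TargetMode="External" references a remote image without a
# field code, so both places are checked.
REL_ELEM_RE = re.compile(r"<Relationship\b[^>]*>")
REL_TARGET_RE = re.compile(r'\bTarget="([^"]*)"')
REL_EXTERNAL_RE = re.compile(r'\bTargetMode="External"')

# Host named in the article as the beacon endpoint (assumption: treat it as high
# severity); any other remote host is still reported at medium severity.
KNOWN_BEACON_HOSTS = {"webhook.site"}


def classify(url: str) -> str:
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in KNOWN_BEACON_HOSTS:
        return "high"
    if host and parsed.scheme in ("http", "https"):
        return "medium"
    return "low"  # local path, UNC, or unparsable target


def find_remote_includes(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (part name, target URL, severity) for every remote image reference."""
    findings: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in sorted(z.namelist()):
            data = z.read(name).decode("utf-8", errors="replace")
            if name.endswith(".rels"):
                for elem in REL_ELEM_RE.findall(data):
                    target = REL_TARGET_RE.search(elem)
                    if target and REL_EXTERNAL_RE.search(elem):
                        url = html.unescape(target.group(1))
                        if url.lower().startswith(("http://", "https://")):
                            findings.append((name, url, classify(url)))
            elif name.startswith("word/") and name.endswith(".xml"):
                # Headers, footers and footnotes carry fields too, so scan every part.
                # Joining the instrText runs re-assembles a field code Word split up.
                codes = "".join(INSTR_TEXT_RE.findall(data))
                codes += " " + " ".join(FLD_SIMPLE_RE.findall(data))
                for url in INCLUDE_RE.findall(html.unescape(codes)):
                    findings.append((name, url, classify(url)))
    return findings


def build_sample_docx(field_url: Optional[str] = None,
                      rel_url: Optional[str] = None) -> bytes:
    """Constructed test input (not a real lure): a minimal DOCX with an optional
    INCLUDEPICTURE field and an optional external image relationship."""
    field = ""
    if field_url:
        field = (
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "</w:instrText></w:r>'
            # Word frequently splits a field code across runs; mimic that here.
            f'<w:r><w:instrText xml:space="preserve">{html.escape(field_url)}" \\d </w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body><w:p>{field}</w:p></w:body></w:document>"
    )
    rel = ""
    if rel_url:
        rel = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
               'officeDocument/2006/relationships/image" '
               f'Target="{html.escape(rel_url)}" TargetMode="External"/>')
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f"{rel}</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(field_url="https://webhook.site/0000-test/pixel.jpg")
    for part, url, sev in find_remote_includes(sample):
        print(f"[{sev}] {part}: {url}")
```

Run it against a real attachment with `find_remote_includes(open(path, "rb").read())`. The regex approach is deliberate: it keeps working on packages whose XML a strict parser would reject, which is exactly the kind of file a lure may be. It does not evaluate the field, so a document that builds the URL from nested fields or a macro at open time will not be caught here and needs dynamic analysis.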
LAB52 notes that older versions of the macro relied on headless browser execution, while newer versions employ SendKeys keyboard simulation to evade prompts. Across versions, the macro chain executes VBScript to reach the next stage; a CMD file and a batch script then render a small Base64-encoded HTML payload in Microsoft Edge in headless mode, which retrieves commands from the webhook[.]site endpoint.
A second variant moves the Edge window off-screen and terminates other Edge processes to keep the environment under its control, then exfiltrates the command output back to the webhook[.]site endpoint.
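The execution chain described above (Office document, VBScript, CMD/batch, headless Edge) is a process-ancestry pattern rather than a single indicator, and that is how a detection engineer would hunt for it. The following is an added example, not code or telemetry from the article or from LAB52: it runs a process-tree rule over constructed Sysmon-style process-creation events. The pids, file paths, script names, and the `--headless`, `--window-position` and `data:` command-line arguments are assumptions about what the described chain would look like, not published indicators; the write-up does not give the actual command lines.

```python
"""Process-tree detection for an Office -> script host -> cmd -> headless Edge
chain, the execution pattern described for the MacroMaze dropper macro."""
from typing import Dict, List

# Constructed sample events (Sysmon-style fields, not real telemetry). Every pid,
# path and argument below is an assumption used to exercise the rule.
EVENTS: List[Dict[str, str]] = [
    {"pid": "4000", "ppid": "1000",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n lure.docm"},
    {"pid": "4100", "ppid": "4000", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"},
    {"pid": "4200", "ppid": "4100", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.cmd"},
    {"pid": "4300", "ppid": "4200", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"},
    {"pid": "4400", "ppid": "4300",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     # Assumed shape: headless, parked off-screen, fed an inline Base64 HTML page.
     "cmdline": 'msedge.exe --headless --window-position=-32000,-32000 '
                '"data:text/html;base64,PGh0bWw+"'},
    # Benign control: a user launches Edge from Explorer.
    {"pid": "5000", "ppid": "900", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": "5100", "ppid": "5000",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe https://example.invalid"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict[str, str]], pid: str) -> List[Dict[str, str]]:
    """Walk ppid links from `pid` upward; child first. Stops at a pid with no
    recorded event or on a cycle (pid reuse in real telemetry)."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[Dict[str, str]] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Alert on msedge.exe whose ancestry includes an Office app and a script host
    and whose command line shows headless or inline-HTML use."""
    alerts: List[Dict[str, object]] = []
    for e in events:
        if basename(e["image"]) != "msedge.exe":
            continue
        cmd = e["cmdline"].lower()
        names = [basename(x["image"]) for x in ancestry(events, e["pid"])]
        office_root = any(n in OFFICE_APPS for n in names)
        via_script = any(n in SCRIPT_HOSTS for n in names[1:])
        headless = "--headless" in cmd
        offscreen = "--window-position=-" in cmd   # negative coordinates
        inline_html = "data:text/html" in cmd
        if office_root and via_script and (headless or inline_html):
            alerts.append({
                "pid": e["pid"],
                "chain": " -> ".join(reversed(names)),
                "headless": headless,
                "offscreen": offscreen,
                "inline_html": inline_html,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

In a SIEM the ancestry walk is usually a join on parent process GUID rather than pid, because pids are reused; the rule logic stays the same. The Office-app root and the script-host hop are what carry the signal: headless Edge on its own is common in automation, but headless Edge three processes below WINWORD.EXE is not.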