RUSSIA-LINKED APT28 (also tracked as UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta and STRONTIUM) ran Operation MacroMaze against selected entities in Western and Central Europe between September 2025 and January 2026, pairing macro-based droppers with webhook[.]site endpoints that served as both the campaign's tracking infrastructure and its data exfiltration channel.
The campaign begins with spear-phishing emails delivering weaponised documents that contain an INCLUDEPICTURE field pointing at a remote URL hosted on webhook[.]site; Word resolves the field when the document is opened, so the request acts as an open-tracker that tells the operator the lure has been viewed. Four closely related macro variants act as droppers: each writes six files into the %USERPROFILE% folder, and a multi-stage VBScript chain then creates a Scheduled Task for persistence while hiding traces of the installation.
The final stage is an HTML file that carries the collected command output embedded in the page; when Microsoft Edge renders it, the page submits a POST request to the webhook[.]site endpoint and exfiltrates that output without any user interaction. The tooling is deliberately low-tech (batch files, tiny VBS launchers and basic HTML), arranged to maximise stealth. The report attributes the operation to APT28 on the strength of earlier attributions of related activity by CERT Polska and the Computer Emergency Response Team of Ukraine (CERT-UA).
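The document-side indicators in the chain above (a remote INCLUDEPICTURE field and an embedded VBA project) can be triaged without opening the file in Word, because a .docx/.docm is a zip of XML parts. The following is an added example, not code from the report or from any of the CERTs it cites: it builds a constructed minimal document in memory (the webhook.site URL is a placeholder, not a real endpoint), then extracts every field code from word/document.xml, including the complex-field form where Word splits the instruction across several runs, and flags remote targets and the presence of word/vbaProject.bin. The host list, the field regex and the sample document are all assumptions for illustration.

```python
"""Triage a Word package for a remote INCLUDEPICTURE field and an embedded VBA project.

Added example (not from the report). The sample document and the placeholder
webhook.site URL are constructed here so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Hosts that commonly serve as ad-hoc tracking/exfil endpoints. webhook.site is
# the one named in the report; extend as needed (assumption for this example).
SUSPECT_HOSTS = {"webhook.site"}

# Field code syntax: INCLUDEPICTURE "target" [switches]; quotes are optional.
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)

# Placeholder tracker URL for the constructed sample; not a real endpoint.
SAMPLE_TRACKER = "https://webhook.site/00000000-0000-0000-0000-000000000000"


def _field_codes(document_xml: bytes):
    """Yield every field code in word/document.xml.

    Word stores fields two ways: <w:fldSimple w:instr="..."/> and the complex
    form <w:fldChar begin/> ... <w:instrText/>... <w:fldChar end/>, where the
    instruction text may be split across several runs. A per-run grep would
    miss a URL that is split, so the instrText pieces are joined per field.
    """
    root = ET.fromstring(document_xml)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    depth, buf = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    buf = []
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(buf)
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")


def scan_docx(data: bytes) -> dict:
    """Return remote INCLUDEPICTURE targets, any that hit a suspect host,
    and whether the package embeds a VBA project (word/vbaProject.bin)."""
    findings = {"remote_includepicture": [], "suspect_hosts": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        findings["has_vba"] = "word/vbaProject.bin" in names
        if "word/document.xml" in names:
            for code in _field_codes(z.read("word/document.xml")):
                m = FIELD_RE.search(code)
                if not m:
                    continue
                target = m.group(1)
                host = urlparse(target).hostname  # None for local paths
                if host:
                    findings["remote_includepicture"].append(target)
                    if host.lower() in SUSPECT_HOSTS:
                        findings["suspect_hosts"].append(host.lower())
    return findings


def build_sample_docx(target: str, with_vba: bool) -> bytes:
    """Constructed minimal package: one complex INCLUDEPICTURE field whose
    instruction is split across two instrText runs, plus an optional empty
    vbaProject.bin part. Not a real sample."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "{target}</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">" \\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        if with_vba:
            z.writestr("word/vbaProject.bin", b"")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(scan_docx(build_sample_docx(SAMPLE_TRACKER, True)), indent=2))
```

Run it against real mail attachments by passing the file bytes to `scan_docx`; a remote INCLUDEPICTURE target alone is a tracking indicator, and the same document also carrying a VBA project matches the dropper profile described above and warrants detonation rather than delivery.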
Researchers note the attack chain evolved to include fake Word error messages and UI manipulation to bypass prompts, complicating detection and attribution.