APT28 Targets European Entities with Webhook-Based Macro Malware Attacks
Russian-Linked APT28 Targets European Entities with Webhook-Based Macro Malware
A recently uncovered campaign, dubbed Operation MacroMaze, has been attributed to the Russia-linked advanced persistent threat (APT) group APT28. The operation, which took place between September 2025 and January 2026, involved the use of webhook-based macro malware to target European entities.
Attack Vector and Techniques
According to S2 Grupo’s LAB52 threat intelligence team, the attackers employed spear-phishing emails as the initial attack vector, distributing lure documents that contained a malicious INCLUDEPICTURE field in the document XML. The field pointed to a webhook URL hosting a JPG image; when the recipient opened the document, Word resolved the field and issued an outbound HTTP request to the webhook URL, which effectively acted as a beaconing mechanism.
The attackers used this technique to log metadata associated with the request, confirming that the document had been opened by the recipient.
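A defender-side check for the beaconing field described above, added here as an example and not part of LAB52's reporting: it unzips a .docx, reads the field instructions from every Word XML part, and flags INCLUDEPICTURE fields that point to a remote URL. The webhook hostname and the sample documents are constructed fixtures, not values from the campaign.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# INCLUDEPICTURE field code followed by a remote (http/https) image path; quotes optional.
REMOTE_PICTURE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s]+)', re.IGNORECASE)

def remote_picture_urls(docx_bytes: bytes) -> list[str]:
    """Return remote URLs referenced by INCLUDEPICTURE fields anywhere in a .docx.
    A .docx is a zip of XML parts; fields sit in word/document.xml and header/footer
    parts as <w:fldSimple w:instr="..."/> or as complex fields whose instruction text
    is spread over several <w:instrText> runs (joined per paragraph below)."""
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(part))
            for fld in root.iter(f"{{{W}}}fldSimple"):
                hits += REMOTE_PICTURE.findall(fld.get(f"{{{W}}}instr", ""))
            for para in root.iter(f"{{{W}}}p"):
                instr = "".join(t.text or "" for t in para.iter(f"{{{W}}}instrText"))
                hits += REMOTE_PICTURE.findall(instr)
    return hits

def build_sample_docx(field_code: str) -> bytes:
    """Constructed fixture: minimal .docx with one complex field whose instruction
    text is split across two runs, as Word frequently saves it."""
    head, tail = field_code[:15], field_code[15:]  # "INCLUDEPICTURE " | path and switches
    body = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"<w:r><w:instrText>{head}</w:instrText></w:r><w:r><w:instrText>{tail}</w:instrText></w:r>"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()

# Constructed samples: a webhook-style beacon (placeholder host) and a benign local image.
BEACON_DOC = build_sample_docx('INCLUDEPICTURE "https://webhook.example.invalid/constructed-id/lure.jpg" \\d')
BENIGN_DOC = build_sample_docx('INCLUDEPICTURE "C:\\\\pics\\\\logo.jpg" \\d')

if __name__ == "__main__":
    for label, doc in (("beacon", BEACON_DOC), ("benign", BENIGN_DOC)):
        print(label, remote_picture_urls(doc))  # beacon -> [the URL]; benign -> []
```

Any hit from a document that arrived by e-mail is worth a closer look, since a legitimate lure-free document rarely needs to fetch its images from a webhook service.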
Evasion Techniques and Payload Delivery
LAB52 identified multiple documents with slightly modified macros, all of which served as droppers to establish a foothold on the compromised host and deliver additional payloads.
The macros showed an evolution in evasion techniques, from “headless” browser execution in older versions to keyboard simulation (SendKeys) in newer versions, potentially to bypass security prompts.
The macro executed a Visual Basic Script (VBScript) to move the infection to the next stage, which, in turn, ran a CMD file to establish persistence via scheduled tasks.
Browser-Based Exfiltration Technique
The CMD file launched a batch script to render a small Base64-encoded HTML payload in Microsoft Edge in headless mode, evading detection.
The script retrieved a command from the webhook endpoint, executed it, captured the output, and exfiltrated it to another webhook instance in the form of an HTML file.
A second variant of the batch script was found to eschew headless execution, instead moving the browser window off-screen and aggressively terminating all other Edge browser processes to ensure a controlled environment.
When Microsoft Edge rendered the resulting HTML file, the form it contained was submitted automatically, exfiltrating the collected command output to the remote webhook endpoint without user interaction.
Conclusion
This browser-based exfiltration technique leveraged standard HTML functionality to transmit data while minimizing detectable artifacts on disk.
The attackers’ use of basic tools, including batch files, tiny VBS launchers, and simple HTML, was arranged with care to maximize stealth.
By moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services, the attackers demonstrated that simplicity can be a powerful tool in their arsenal.
