New Cyberattack Campaign: Operation MacroMaze Targeting Europe
Overview of the Current Threat
A noteworthy surge in cyberattacks has emerged, attributed to APT28, a threat actor believed to be linked to the Russian state. This recent campaign, named Operation MacroMaze, specifically targets entities across Western and Central Europe. According to S2 Grupo’s LAB52 threat intelligence team, the operation has been active from September 2025 through January 2026 and relies on an approach that is simple in its components yet effective in its execution.
Methodology Behind the Attack
Operation MacroMaze relies heavily on leveraging existing services and basic tools for its infrastructure and data exfiltration efforts. The initial vector of the attack often involves spear-phishing emails, which contain embedded documents designed to lure unsuspecting recipients.
These lure documents use a field in their XML named “INCLUDEPICTURE”. The field points to a URL hosted on webhook[.]site, so a JPG image is fetched from the remote server when the document is opened. In effect, the field acts as a tracking pixel: opening the document sends an HTTP request to the server, which lets the operators log request metadata and confirm that the recipient actually opened the document.
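A document-level check for the tracking-pixel technique just described, added here as an example and not code from the LAB52 report: it walks the field codes in a Word document's WordprocessingML parts and returns the remote URLs referenced by any INCLUDEPICTURE field. The sample document.xml is constructed for the demo and its URL is a placeholder, not an indicator from the campaign.

```python
import re
import zipfile
from io import BytesIO
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+", re.IGNORECASE)
PARTS_RE = re.compile(r"word/(document|header\d*|footer\d*)\.xml")

# Constructed document.xml: one INCLUDEPICTURE field split over two instrText
# runs (as Word writes it) plus a harmless PAGE field; the URL is a placeholder.
SAMPLE_DOCUMENT_XML = """<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"https://webhook.site/EXAMPLE-TOKEN/lure.jpg" \\d</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" PAGE "/></w:p></w:body></w:document>"""

def field_codes(root: ET.Element) -> list[str]:
    """Collect every field code in document order: fldSimple keeps the code in
    w:instr; complex fields spread it over instrText runs between the fldChar
    'begin' and the 'separate'/'end' marker, so those runs are joined."""
    codes, buf, collecting = [], [], False
    for el in root.iter():
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                collecting, buf = True, []
            elif kind in ("separate", "end") and collecting:
                codes.append("".join(buf))
                collecting = False
        elif el.tag == W + "instrText" and collecting:
            buf.append(el.text or "")
    return codes

def remote_includepicture_urls(part_xml: str) -> list[str]:
    """URLs that INCLUDEPICTURE fields in one WordprocessingML part would fetch."""
    return [url for code in field_codes(ET.fromstring(part_xml))
            if "INCLUDEPICTURE" in code.upper() for url in URL_RE.findall(code)]

def scan_docx(docx_bytes: bytes) -> list[str]:
    """Scan the body, headers and footers of a .docx (a zip of OOXML parts)."""
    hits = []
    with zipfile.ZipFile(BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if PARTS_RE.fullmatch(name):
                hits += remote_includepicture_urls(z.read(name).decode("utf-8"))
    return hits
```

Any URL returned for a document received by mail is worth treating as a beacon: the request fires on open, before the recipient decides anything about macros.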
Evolution of Attack Strategies
Throughout the duration of the campaign, LAB52 identified multiple documents featuring slight variations in their macros. These macros serve as droppers, establishing a foothold on the infected machines and delivering further payloads. Despite retaining a consistent core logic, the scripts exhibited a notable evolution in their evasion techniques.
The earlier versions relied on ‘headless’ browser execution, while more recent iterations have shifted toward keyboard simulation (via the SendKeys command) to click through security prompts. This adaptation shows that the operators track the defenses they run into and adjust their scripts to stay unobtrusive.
Technical Breakdown of the Infection Process
The macro’s primary function is to execute a Visual Basic Script (VBScript) that carries the infection chain forward. This script runs a CMD file, which establishes persistence through scheduled tasks and launches a batch script. The batch script renders a small Base64-encoded HTML payload in Microsoft Edge in headless mode, so that no browser window is shown to the user.
Upon execution, the script retrieves commands from the webhook[.]site endpoint. The data captured from this process is subsequently exfiltrated back to another instance of the webhook[.]site as an HTML file. This layered approach not only streamlines the attack process but also ensures a minimal digital footprint, making it difficult for cybersecurity measures to detect.
Variants of Exfiltration Techniques
A second variant of the batch script avoids headless execution in favor of moving the browser window off-screen. This tactic is complemented by aggressive termination of other Microsoft Edge processes to create a controlled and clean environment. As a result, when the HTML file is rendered in Edge, the data submission occurs seamlessly, transmitting the collected command output to the remote endpoint without requiring any user interaction.
LAB52 emphasizes that this method highlights a clever usage of standard HTML functionalities for data transmission while minimizing observable artifacts on a user’s system. By outsourcing payload delivery and data exfiltration to widely employed webhook services, the attackers amplify their stealth and efficiency.
Conclusion: The Power of Simplicity
This campaign serves as a poignant reminder that even the simplest tools, such as batch files, small VBS launchers, and straightforward HTML, can be employed effectively when thoughtfully orchestrated. The combination of these elementary components, arranged meticulously to maximize stealth, underscores the evolving nature of cyber threats. As cybersecurity continues to advance, so too do the tactics of those seeking to exploit vulnerabilities, emphasizing the need for ongoing vigilance and adaptation in defense strategies.