Operation MacroMaze: APT28's Webhook-Based Macro Malware Campaign

In a recent campaign, the Russia-linked Advanced Persistent Threat (APT) group APT28, also known as UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, targeted select entities in Western and Central Europe from September 2025 to January 2026. The campaign employed a webhook-based macro malware strategy, leveraging simple tools and legitimate services for infrastructure and data exfiltration. In this article, we will delve into the details of Operation MacroMaze, exploring how APT28 exploited webhooks to conduct covert data exfiltration.

The attack chain of Operation MacroMaze begins with spear-phishing emails delivering weaponized documents that contain an “INCLUDEPICTURE” field pointing to a webhook[.]site URL hosting a JPG. This structural element is shared among all analyzed documents; it instructs Microsoft Word to retrieve an external image resource when the field is evaluated. When the document is opened and fields are updated, an outbound HTTP request is sent to the remote server, allowing the attackers to log metadata associated with the request. This behavior functions as a tracking mechanism, confirming that the document has been viewed.
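As an added illustration (not code from the original article), the following Python triage scanner unpacks a .docx in memory and reports every INCLUDEPICTURE field whose target is a remote http(s) URL, flagging hosts on a watch list such as webhook.site. The document.xml fixture and the GUID-like placeholder path are constructed for the example.

```python
import html
import io
import re
import zipfile
from urllib.parse import urlparse

# Constructed fixture: a minimal word/document.xml with one INCLUDEPICTURE field
# pointing at a webhook.site URL. The GUID path is a placeholder, not a real IoC.
SAMPLE_DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
 <w:body>
  <w:p>
   <w:r><w:fldChar w:fldCharType="begin"/></w:r>
   <w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://webhook.site/PLACEHOLDER-GUID/image.jpg" \\d </w:instrText></w:r>
   <w:r><w:fldChar w:fldCharType="separate"/></w:r>
   <w:r><w:fldChar w:fldCharType="end"/></w:r>
  </w:p>
 </w:body>
</w:document>
"""

# Word stores field codes in <w:instrText> runs or in the w:instr attribute of
# <w:fldSimple>; after html.unescape() both read as plain text for this regex.
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s<]+)', re.IGNORECASE)
WATCHED_HOSTS = ("webhook.site",)  # tracker/C2 hosting seen in this campaign

def build_sample_docx(document_xml: str) -> bytes:
    """Pack a document.xml into a minimal .docx (zip) so the scanner runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

def find_remote_includepicture(docx_bytes: bytes) -> list:
    """List every INCLUDEPICTURE field in word/*.xml whose target is an http(s) URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():  # body, headers and footers can all carry fields
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            text = html.unescape(zf.read(part).decode("utf-8", errors="replace"))
            for match in FIELD_RE.finditer(text):
                url = match.group(1)
                parsed = urlparse(url)
                if parsed.scheme not in ("http", "https"):
                    continue  # local or relative picture path, not a beacon
                host = (parsed.hostname or "").lower()
                findings.append({"part": part, "url": url, "host": host,
                                 "watched": host.endswith(WATCHED_HOSTS)})
    return findings
```

Running the same scan over a mail gateway's inbound attachments gives a cheap pre-delivery check for the tracking beacon, independent of whether the macro stage is present.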

When opened, the file silently retrieves the image, acting like a tracking pixel that alerts attackers the document was viewed. Variants seen between September 2025 and January 2026 use modified macros to drop malware and deploy additional payloads on compromised systems. Researchers identified four closely related macro variants acting as droppers, each dropping six files (VBS, BAT, CMD, HTM, XHTML) into the %USERPROFILE% folder using GUID-like names tied to a webhook[.]site C2 path.

The attackers used heavy string concatenation to hide key commands. The macro launches a VBScript that triggers multi-stage execution, creates a Scheduled Task for persistence, then deletes traces. Over time, the variants evolved from simple document cleanup to fake Word error messages and SendKeys-based UI manipulation to bypass security prompts. Two batch versions follow: one uses Edge in headless mode for stealth, while the other hides the browser off-screen and forcefully kills processes for reliability.

The final HTML file is constructed by concatenating a static HTM file, the captured output of the reconstructed CMD payload, and a closing XHTML template. The initial HTM file defines an auto-submitting form that sends a POST request to a webhook[.]site endpoint, while the payload output is embedded directly within an element. When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction.

Although the specific command file used to gather system data was not recovered, similar operations previously attributed to APT28 suggest this stage likely deploys a lightweight reconnaissance script, collecting basic host details such as IP address, directory listings, and system environment information before exfiltration. This campaign proves that simplicity can be powerful, using basic tools but arranging them with care to maximize stealth.

The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was involved in the string of attacks that targeted the 2016 Presidential election. The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

In conclusion, Operation MacroMaze demonstrates the APT28 group's ability to exploit webhooks for covert data exfiltration. By leveraging simple tools and legitimate services, APT28 was able to conduct a sophisticated campaign that utilized browser-based exfiltration methods to send stolen data while leaving minimal traces on disk. As threat actors continue to evolve their tactics, it is essential to remain vigilant and monitor for signs of similar campaigns.