APT28 (aka Fancy Bear), a Russia-backed state-sponsored actor, has conducted a low-tech but very stealthy phishing operation against several organizations located in Western and Central Europe that began in September 2025 and has continued until January 2026. This phishing campaign has been identified as "Operation MacroMaze" by S2 Grupo's LAB52 team. The attack used low-tech solutions and a variety of legitimate means of supporting its infrastructure and exfiltrating data, illustrating how successful the simple implementation can be when executed with care. **The main components of the campaign:** 1. Phishing email that includes a “lure” document (Word or Excel) which looks like a real business, energy or administrative document, 2. The lure document contains a common XML tag that provides a pointer to a webhook[.] site-hosted JPG image. Once the victim opens the document, a request is sent over HTTP from the victim computer to the attacker controlled webhook, creating a log of metadata relating to the successful delivery and opening of that document (the IP address of the victim computer, user-agent, and date/time) can all be captured in this request 3. When the Victim enables macros the Visual Basic Script (VBS) launcher executes on the target computer 4. VBS → CMD chain: a. Establish persistence by creating scheduled tasks b. Run Microsoft Edge in headless (or off-screen) mode to avoid detection from user c. Fetch a command from webhook[.] site and execute it capturing the output d. Submit results to another webhook endpoint through an auto-submitting HTML form. 5. Evasion evolution , Early variants used headless Edge execution; later ones simulate keyboard input (SendKeys) to bypass prompts and aggressively kill other Edge processes for a clean environment. The entire payload delivery and exfiltration happens in memory or via browser , leaving minimal disk artifacts and leveraging widely used webhook[.]site for both C2 and data staging. **Why It Works** 1. Low detection footprint , No exotic malware; relies on native Windows components (macros, VBS, CMD, Edge). 2. Outsourced infrastructure , webhook[.]site is legitimate and commonly used for debugging → blends into noise. 3. Browser-based exfiltration , Output is submitted via standard HTML form POST , no custom C2 protocols. 4. Clean-up , The use of off-screen execution and headless execution along with terminating processes prevents the appearance of windows or other indications of the execution taking place. LAB52 stated, *"This campaign demonstrates how simplicity can be an advantage in cybercrime since the attacker used very simple tools but took considerable care in organizing them so that they would be able to carry out their actions with minimal visibility."* **Defensive Recommendations** 1. By default, block the use of macros in the Microsoft Office suite by requiring the use of Protected View mode and prohibiting the use of macros from untrusted sources (via Group Policy). 2. Monitor for unexpected outbound traffic to webhook.[site] or similar web services from workstations. 3. Detect anomalous usage of Microsoft Edge , generate alerts on the headless/off-screen launch of Edge from Office applications. 4. Harden scheduled tasks , Ensure that scheduled tasks which run either CMD or VBS scripts are audited for newly created scheduled tasks. 5. User education , Reinforce the message that "never enable macros in unsolicited email." APT28 has shown preference for operations with low complexity and a high degree of stealth against primarily European targets; because of this, APT28 demonstrates that the use of basic techniques, when used in a thoughtful manner, can still be an effective method of compromise even against well-developed security measures. **Source:** [*The Hacker News*](https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html)
Updated on February 24, 2026