Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

APT28's Webhook-Based Macro Malware Campaign: A Threat to European Entities



APT28 has launched a new campaign targeting specific entities in Western and Central Europe with webhook-based macro malware, using legitimate services for infrastructure and data exfiltration. This campaign, codenamed Operation MacroMaze, is an evolution of APT28's evasion techniques, relying on widely used tools and services to deliver payloads and exfiltrate data.

  • APT28 has launched a new campaign using webhook-based macro malware, targeting Western and Central Europe.
  • The attack uses spear-phishing emails with lure documents containing a common XML field that points to a webhook URL.
  • The field acts as a beacon: opening the document triggers an outbound request, and the webhook operator logs the request metadata to confirm the recipient opened it.
  • The macro executes a Visual Basic Script (VBScript) to move the infection to the next stage and deliver additional payloads.
  • The attackers use widely used tools and services to deliver payloads and exfiltrate data, making it harder for security software to detect the activity.



The threat landscape continues to evolve, and a recent campaign by the state-sponsored group APT28 has left cybersecurity experts alarmed. According to S2 Grupo's LAB52 threat intelligence team, the Russian-linked entity has been targeting specific entities in Western and Central Europe with a new webhook-based macro malware campaign.

Codenamed Operation MacroMaze, the campaign was active between September 2025 and January 2026 and exploited legitimate services for infrastructure and data exfiltration. The attack chains start with spear-phishing emails that distribute lure documents sharing a common structural element within their XML: a field named "INCLUDEPICTURE" that points to a webhook[.]site URL.

This field acts as a beacon akin to a tracking pixel: opening the document triggers an outbound HTTP request to the webhook[.]site URL. The server operator can log the metadata associated with that request, confirming that the recipient did open the document. This technique also potentially allows APT28 to bypass security prompts and inject malware into systems.

LAB52 identified multiple documents with slightly tweaked macros between late September 2025 and January 2026, all of which function as a dropper to establish a foothold on the compromised host and deliver additional payloads. The core logic of all the macros detected remains consistent; however, the scripts show an evolution in evasion techniques.

The macro is designed to execute a Visual Basic Script (VBScript) to move the infection to the next stage. This script runs a CMD file that establishes persistence via scheduled tasks and launches a batch script, which renders a small Base64-encoded HTML payload in Microsoft Edge in headless mode. The goal of this technique is to evade detection by traditional security software.

Once launched, the batch script retrieves a command from the webhook[.]site endpoint, executes it, captures its output, and exfiltrates it to another webhook[.]site instance in the form of an HTML file. A second variant of the batch script has been found that eschews headless execution in favor of moving the browser window off-screen, then aggressively terminating all other Edge browser processes to ensure a controlled environment.

When the resulting HTML file is rendered by Microsoft Edge, the form it contains is submitted automatically, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction. This technique leverages standard HTML functionality to transmit data while minimizing detectable artifacts on disk.

APT28's use of webhook services and macros demonstrates a level of sophistication and stealth. The attackers utilize widely used tools and services to deliver payloads and exfiltrate data, making it challenging for security software to detect these threats.

This campaign highlights the evolving nature of cybersecurity threats. As attackers adapt their tactics and exploit new vulnerabilities, security professionals must stay vigilant and continually update their defenses to counter emerging risks.

In conclusion, APT28's Operation MacroMaze is a significant threat to European entities. Its use of webhook-based macro malware underscores the importance of staying informed about emerging threats and updating security protocols accordingly.
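The two document-level artifacts described above, the INCLUDEPICTURE beacon field and the embedded macro project, can be triaged directly from a .docx before it is ever opened. The following script is an added detection example written for this article (not LAB52's or any vendor's code); the sample document it builds is constructed inline, with a placeholder webhook token, and the exact field-code layout inside real lures is an assumption.

```python
"""Triage a .docx for a remote INCLUDEPICTURE beacon and an embedded VBA project.
Added detection example; the sample document below is constructed, not a real lure."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"([^"]+)"', re.IGNORECASE)

# Constructed field code, split across two runs as Word often stores it; placeholder URL.
BEACON_FIELD = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://webhook.site/</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">PLACEHOLDER-TOKEN" \\d </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)
BENIGN_TEXT = "<w:r><w:t>Quarterly report</w:t></w:r>"

def extract_include_picture_urls(document_xml: bytes) -> list:
    """Return every INCLUDEPICTURE target; field codes may span several w:instrText runs."""
    root = ET.fromstring(document_xml)
    urls = []
    for para in root.iter(f"{{{W_NS}}}p"):
        code = "".join(t.text or "" for t in para.iter(f"{{{W_NS}}}instrText"))
        urls.extend(INCLUDEPICTURE_RE.findall(code))
    return urls

def triage_docx(data: bytes) -> dict:
    """Summarise beacon and macro indicators for a .docx supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        xml = z.read("word/document.xml") if "word/document.xml" in names else b"<x/>"
    urls = extract_include_picture_urls(xml)
    remote = [u for u in urls if u.lower().startswith(("http://", "https://"))]
    has_macro = "word/vbaProject.bin" in names  # macro-enabled document marker
    return {"include_picture_urls": urls, "remote_beacons": remote,
            "has_macro": has_macro, "suspicious": bool(remote) or has_macro}

def build_sample_docx(with_beacon: bool = True, with_macro: bool = True) -> bytes:
    """Constructed minimal .docx-style zip holding only the members the triage reads."""
    body = BEACON_FIELD if with_beacon else BENIGN_TEXT
    doc = f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{body}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc)
        if with_macro:  # placeholder bytes only, not a real VBA project
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()
```

In practice the same check belongs at the mail gateway or in a sandbox pre-filter, alongside egress monitoring for Office processes and headless Edge reaching webhook[.]site.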



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Apt28s-Webhook-Based-Macro-Malware-Campaign-A-Threat-to-European-Entities-ehn.shtml

  • https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html

  • https://cyberwebspider.com/the-hacker-news/apt28-webhook-malware-europe/

  • https://learn.microsoft.com/en-us/defender-endpoint/malware/macro-malware

  • https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-a-macro-virus/

  • https://www.picussecurity.com/resource/blog/apt28-cyber-threat-profile-and-detailed-ttps

  • https://attack.mitre.org/groups/G0007/


Published: Mon Feb 23 16:08:51 2026 by llama3.2 3B Q4_K_M
