Malware, Threat Intelligence

New APT28 campaign hits Europe with macro malware


Organizations in Western and Central Europe have been targeted by the Russian state-backed threat group APT28 with webhook-based macro malware as part of the Operation MacroMaze campaign, which ran between September 2025 and January 2026, The Hacker News reports.

Intrusions began with spear-phishing emails carrying documents whose embedded XML contained an "INCLUDEPICTURE" field pointing to a webhook[.]site URL hosting a JPG, according to an analysis by S2 Grupo's LAB52 threat intelligence team. The macros were altered slightly over the course of the campaign, with newer iterations found to use keyboard simulation instead of headless browser execution in a bid to evade detection.
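The INCLUDEPICTURE field described above is a Word field code stored in the document's XML parts, so a defender can find it without opening the file in Word. The script below is an added example, not code from the article or from LAB52: it unpacks a .docx (a ZIP of XML parts), walks every `word/*.xml` part for field codes in both the simple-field (`w:fldSimple`) and complex-field (`w:instrText` between `w:fldChar` markers) forms, extracts any remote INCLUDEPICTURE URL, and flags hosts on a watch-list. The watch-list, the sample document and the placeholder URL path are constructed assumptions for the demonstration.

```python
"""Find INCLUDEPICTURE fields that fetch a remote image from a .docx.

Added example (not part of the SC Media article or LAB52's research).
A .docx is a ZIP archive; Word field codes live inside XML parts under
word/ either as <w:fldSimple w:instr="..."> or as <w:instrText> runs
bracketed by <w:fldChar w:fldCharType="begin"/> ... "separate"/"end".
"""
import io
import re
import sys
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed watch-list of webhook-style services; extend for your environment.
SUSPICIOUS_HOSTS = {"webhook.site"}

# Field code of the form: INCLUDEPICTURE "https://host/path" \d
URL_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s]+)', re.IGNORECASE)


def field_codes(part_xml: bytes):
    """Yield every field code string found in one XML part, in document order."""
    try:
        root = ET.fromstring(part_xml)
    except ET.ParseError:
        return  # not a WordprocessingML part we can read; skip it
    buf = None  # collects instrText runs of the complex field currently open
    for el in root.iter():
        if el.tag == f"{{{W_NS}}}fldSimple":
            instr = el.get(f"{{{W_NS}}}instr")
            if instr:
                yield instr
        elif el.tag == f"{{{W_NS}}}fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                buf = []
            elif kind in ("separate", "end") and buf:
                yield "".join(buf)
                buf = None
        elif el.tag == f"{{{W_NS}}}instrText" and buf is not None:
            buf.append(el.text or "")


def remote_pictures(docx_bytes: bytes):
    """Return [(url, on_watchlist)] for every INCLUDEPICTURE field with a remote URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # headers, footers and footnotes are XML parts too, so scan all of word/
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(zf.read(name)):
                    m = URL_RE.search(code)
                    if m:
                        host = (urlparse(m.group(1)).hostname or "").lower()
                        findings.append((m.group(1), host in SUSPICIOUS_HOSTS))
    return findings


def build_sample_docx(body_xml: str) -> bytes:
    """Constructed minimal .docx wrapping body_xml in one paragraph (demo input only)."""
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{body_xml}</w:p></w:body></w:document>'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample: one complex field pointing at a webhook service (placeholder
# path, not a real indicator) and one simple field pointing at an internal host.
SAMPLE_COMPLEX = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE '
    '"https://webhook.site/00000000-placeholder/image.jpg" \\d </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)
SAMPLE_SIMPLE = (
    '<w:fldSimple w:instr="INCLUDEPICTURE &quot;https://intranet.example/logo.png&quot;"/>'
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_docx(SAMPLE_COMPLEX + SAMPLE_SIMPLE)
    for url, flagged in remote_pictures(data):
        print(("WATCHLIST " if flagged else "remote    ") + url)
```

Run it with a path to a .docx to scan a real file; with no argument it scans the constructed sample. Any remote INCLUDEPICTURE is worth a look in an inbound attachment, since the fetch fires when Word updates fields; the watch-list flag only separates known webhook services from other external hosts.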

"The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth: Moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services," said researchers.
