A new cyberespionage campaign attributed to the notorious Russian state-sponsored group APT28 (also known as Fancy Bear or Forest Blizzard) has been uncovered targeting government entities in Western and Central Europe. Dubbed “Operation MacroMaze” by researchers at Lab52, the operation relies on a surprisingly simple yet effective toolkit to steal data while evading detection.
Active since late September 2025, the campaign uses decoy documents that mimic official communications from the Spanish government to trick victims into launching the infection chain.
The attack begins with a spear-phishing email containing a malicious Microsoft Word document. One identified sample posed as an official agenda from the Spanish Ministry of the Presidency, Justice and Relations with the Courts, deliberately crafted to look authentic.
Inside the document’s code lies a hidden tracking mechanism. “All analyzed documents share a common structural element within their XML: an INCLUDEPICTURE field referencing a remote URL hosted on webhook[.]site,” the report explains. This allows the attackers to know exactly when a victim has opened the file.
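As an added defender-side check (not code from the Lab52 report), the script below opens a .docx as the ZIP it is, walks every WordprocessingML part, and reports INCLUDEPICTURE field codes whose target is a remote URL or UNC path, the kind of open-tracking beacon described above. The sample document and its webhook.site token are constructed placeholders, not indicators from the report.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
INSTR_TAG = f"{{{W_NS}}}instrText"  # element that carries Word field codes
# INCLUDEPICTURE whose target is an http(s) URL or a UNC path (\\host\share)
REMOTE_FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?((?:https?://|\\\\)[^"\s]+)', re.IGNORECASE)

def remote_includepicture_urls(docx_bytes: bytes) -> list[str]:
    """Return remote targets of INCLUDEPICTURE fields in a .docx.
    Scans every XML part under word/ (body, headers, footers) and joins the
    instrText runs per part, since Word may split one field code across runs."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: skip it rather than abort the scan
            field_text = "".join(el.text or "" for el in root.iter(INSTR_TAG))
            hits.extend(REMOTE_FIELD_RE.findall(field_text))
    return hits

def build_sample_docx(field_code: str) -> bytes:
    """Constructed minimal .docx holding one field (not a real sample)."""
    body = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{field_code}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
    return buf.getvalue()

if __name__ == "__main__":
    # PLACEHOLDER token: constructed for the demo, not an indicator from the report
    beacon = build_sample_docx(' INCLUDEPICTURE "https://webhook.site/PLACEHOLDER-token" \\d ')
    print(remote_includepicture_urls(beacon))  # ['https://webhook.site/PLACEHOLDER-token']
```

Run it over a mail-gateway quarantine or a sample corpus; any hit on a document that claims to be an internal agenda is worth a second look, since a legitimate local image reference produces no remote target.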
Once the document is opened, malicious macros drop a series of basic files—VBScripts, batch files, and HTML snippets—into the user’s profile. Rather than deploying complex custom malware, APT28 is “living off the land” by using standard Windows tools and legitimate web services.
“The campaign relies on basic tooling and in the exploitation of legitimate services for infrastructure and data exfiltration,” Lab52 researchers note.
The malware uses Microsoft Edge in “headless” mode (invisible to the user) to silently communicate with the attackers. One variant even moves the browser window off-screen (position 10,000, 10,000) to hide its activity while it downloads payloads and exfiltrates data.
The goal of Operation MacroMaze appears to be rapid information gathering rather than long-term persistence. The malware collects system information and exfiltrates it via Webhook.site, a free service often used by developers for testing.
“The operator appears to favour in this campaign brief and low-visibility intrusions over maintaining long-term implants,” the report concludes.
By using ephemeral infrastructure and cleaning up its own files after execution, the campaign makes it incredibly difficult for defenders to track. As Lab52 summarizes: “It’s low-tech executed with high craft, which makes detection and attribution harder than the artifacts alone would suggest”.