A new cyber campaign, dubbed “Operation MacroMaze,” has been attributed to the Russia-linked state-sponsored threat actor APT28. Targeting entities across Western and Central Europe and active from September 2025 to January 2026, the operation combines deliberately simple tooling with stealthy use of legitimate services for delivery and exfiltration, maximizing impact while keeping the on-host footprint small enough to evade detection.
Operation MacroMaze: A Deceptive Digital Web
Uncovered by S2 Grupo’s LAB52 threat intelligence team, Operation MacroMaze shows APT28 continuing to refine a familiar playbook. The campaign’s initial vector is a classic yet effective one: spear-phishing emails carrying lure documents crafted for the targeted recipients.
The ingenuity lies in the documents themselves. Embedded in the document’s XML is an INCLUDEPICTURE field whose target is a webhook[.]site URL hosting a JPG image. When the document is opened and the field is resolved, Word fetches the image from the remote server, so the document itself acts as a beacon. Much like a tracking pixel, the outbound HTTP request lets the attackers log request metadata such as the source IP address and User-Agent and confirm that the document has been opened, a first step in validating a target. For defenders, that same request is the first observable: an Office process initiating an HTTP(S) connection to webhook[.]site is worth alerting on, and the field can be found statically in the document before it is ever opened.
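The following is an added example, not code from the LAB52 report or from this article: a Python scanner that unzips a .docx, reads the field codes in word/document.xml (including complex fields whose instruction text is split across several runs) and the external image relationships in word/_rels/document.xml.rels, and reports every INCLUDEPICTURE or external image target that points at a remote host. The sample document it builds in memory is constructed for the demo, the webhook.site path in it is a placeholder rather than an indicator from the campaign, and the suspect host list is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

# Hosts treated as beacon infrastructure. Assumption for this demo; in practice
# pair this with an allowlist of your own image hosts and flag everything else.
SUSPECT_HOSTS = {"webhook.site"}

FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)', re.IGNORECASE)


def extract_field_codes(document_xml: bytes):
    """Return every field code in document.xml: simple fields (w:fldSimple)
    and complex fields, whose instrText may be split across several runs."""
    root = ET.fromstring(document_xml)
    codes = []
    for el in root.iter(f"{{{W_NS}}}fldSimple"):
        instr = el.get(f"{{{W_NS}}}instr")
        if instr:
            codes.append(instr)
    current = None  # instrText fragments of the currently open complex field
    for el in root.iter():  # document order, so begin/instrText/end line up
        if el.tag == f"{{{W_NS}}}fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                codes.append("".join(current))
                current = None
        elif el.tag == f"{{{W_NS}}}instrText" and current is not None:
            current.append(el.text or "")
    return codes


def find_remote_pictures(docx_bytes: bytes):
    """Return (source, url, host) tuples for every remote picture reference."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" in names:
            for code in extract_field_codes(z.read("word/document.xml")):
                m = FIELD_RE.search(code)
                if m and m.group(1).lower().startswith(("http://", "https://")):
                    findings.append(("INCLUDEPICTURE", m.group(1), urlparse(m.group(1)).hostname))
        rels = "word/_rels/document.xml.rels"
        if rels in names:
            for rel in ET.fromstring(z.read(rels)).iter(f"{{{R_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == IMAGE_REL:
                    url = rel.get("Target", "")
                    findings.append(("external-image-rel", url, urlparse(url).hostname))
    return findings


def is_beacon(finding):
    """True if the referenced host is on the suspect list."""
    return finding[2] in SUSPECT_HOSTS


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx carrying one complex INCLUDEPICTURE
    field split over two runs, plus the matching external image relationship.
    The URL path is a placeholder, not an indicator from the campaign."""
    url = "https://webhook.site/PLACEHOLDER-ID/image.jpg"
    document_xml = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">"{url}" \\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    rels_xml = (
        f'<Relationships xmlns="{R_NS}">'
        f'<Relationship Id="rId1" Type="{IMAGE_REL}" Target="{url}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for src, url, host in find_remote_pictures(build_sample_docx()):
        flag = "BEACON" if host in SUSPECT_HOSTS else "remote"
        print(f"{flag:6} {src:20} {url}")
```

Both places are checked because Word can carry a remote picture either as a field code or as an external relationship target; a scanner that looks only at instrText misses the second form, and one that looks only at relationships misses fields that were never resolved.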
Evolving Evasion: Staying Ahead of Detection
LAB52’s analysis revealed a series of documents, each carrying a subtly modified macro, deployed over the campaign’s duration. The macros’ core function stayed constant, acting as a dropper that establishes a foothold and delivers subsequent payloads, while their evasion techniques followed a clear evolutionary path.
From Headless Browsers to Keyboard Simulation
Early iterations launched the browser in ‘headless’ mode, in which it runs without a visible window, so its activity is harder for the user to notice. Newer versions added keyboard simulation via SendKeys, sending synthetic keystrokes to mimic a user at the keyboard. That lets the malware click through prompts and defeat detection logic that assumes a real user is interacting with the browser.
The Multi-Stage Infection Chain
Once activated, the macro initiates a multi-stage infection process:
- It executes a Visual Basic Script (VBScript) to advance the infection.
- The VBScript, in turn, runs a Command (CMD) file that establishes persistence on the compromised host, typically through a scheduled task.
- A batch script is then launched, tasked with rendering a small, Base64-encoded HTML payload.
Crucially, this HTML payload is rendered within Microsoft Edge, initially in a ‘headless’ mode to maintain stealth. Its purpose is to retrieve further commands from a webhook[.]site endpoint, execute them, capture the output, and then exfiltrate this data to yet another webhook[.]site instance, disguised as an HTML file.
Off-Screen Tactics and Browser Control
A more advanced variant of the batch script takes evasion a step further. Instead of relying solely on headless execution, it moves the Edge browser window entirely off-screen, rendering it invisible to the user. Following this, it aggressively terminates all other Edge browser processes, ensuring a completely controlled environment for its malicious operations.
As LAB52 highlights, “When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction.” This ingenious browser-based exfiltration technique leverages standard HTML functionality, allowing data transmission while leaving minimal detectable artifacts on the disk.
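The chain described in the two sections above maps cleanly onto process-creation telemetry. As an added example (not code from the LAB52 report or from this article), the Python below encodes each stage of the chain and the off-screen variant as a separate rule, runs the rules over a constructed set of process-creation events, and flags the host when several stages appear together. The log field names, file paths and the webhook.site path are placeholders; the --window-position switch is an assumption about one way an Edge window could be moved off-screen, since the report does not say which method was used.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent image name, lowercased
    image: str    # image name, lowercased
    cmdline: str  # command line as logged


# Constructed sample of process-creation events in a simplified key=value form.
# The field names are our own, not a specific EDR schema, and the paths and
# webhook.site path are placeholders, not indicators from the campaign.
SAMPLE_LOG = r"""
parent=WINWORD.EXE image=wscript.exe cmdline="wscript.exe C:\Users\u\AppData\Local\Temp\launch.vbs"
parent=wscript.exe image=cmd.exe cmdline="cmd.exe /c C:\Users\u\AppData\Local\Temp\stage.cmd"
parent=cmd.exe image=schtasks.exe cmdline="schtasks.exe /create /sc minute /mo 10 /tn Updater /tr C:\Users\u\AppData\Local\Temp\run.bat"
parent=cmd.exe image=msedge.exe cmdline="msedge.exe --headless --disable-gpu C:\Users\u\AppData\Local\Temp\page.html"
parent=cmd.exe image=msedge.exe cmdline="msedge.exe --window-position=-4000,-4000 https://webhook.site/PLACEHOLDER-ID"
parent=cmd.exe image=taskkill.exe cmdline="taskkill.exe /F /IM msedge.exe"
parent=explorer.exe image=msedge.exe cmdline="msedge.exe https://www.example.com/"
"""

LINE_RE = re.compile(r'parent=(\S+)\s+image=(\S+)\s+cmdline="(.*)"')
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A negative coordinate in Chromium's --window-position puts the window off-screen.
# Assumption: the report does not say how the window was moved; this is one way.
OFFSCREEN_RE = re.compile(r"--window-position=(?:-\d+,-?\d+|\d+,-\d+)")


def parse_log(text: str):
    """Parse the key=value lines into ProcEvent records; skips blank/odd lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return events


# Each stage of the chain as an independent rule. Any one is noisy on its own;
# several of them on one host within a short window is not.
RULES = [
    ("office_spawns_script_host",
     lambda e: e.parent in OFFICE and e.image in SCRIPT_HOSTS),
    ("script_host_spawns_cmd",
     lambda e: e.parent in SCRIPT_HOSTS and e.image == "cmd.exe"),
    ("schtasks_create_from_cmd",
     lambda e: e.parent == "cmd.exe" and e.image == "schtasks.exe"
     and re.search(r"/create\b", e.cmdline, re.I) is not None),
    ("edge_headless_from_cmd",
     lambda e: e.parent == "cmd.exe" and e.image == "msedge.exe"
     and "--headless" in e.cmdline.lower()),
    ("edge_offscreen_window",
     lambda e: e.image == "msedge.exe" and OFFSCREEN_RE.search(e.cmdline) is not None),
    ("edge_contacts_webhook_site",
     lambda e: e.image == "msedge.exe" and "webhook.site" in e.cmdline.lower()),
    ("taskkill_edge",
     lambda e: e.image == "taskkill.exe"
     and re.search(r"/im\s+msedge\.exe", e.cmdline, re.I) is not None),
]


def evaluate(events):
    """Per event, the names of the rules it triggers (in RULES order)."""
    return [[name for name, pred in RULES if pred(e)] for e in events]


def chain_detected(events, min_stages=3):
    """Flag the host when at least min_stages distinct stages were observed."""
    fired = {name for hits in evaluate(events) for name in hits}
    return len(fired) >= min_stages, sorted(fired)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e, hits in zip(evs, evaluate(evs)):
        print(f"{e.parent:>13} -> {e.image:<13} {hits}")
    print(chain_detected(evs))
```

The last sample line, Edge launched from Explorer to an ordinary site, triggers nothing, which is the point of keying the browser rules on the cmd.exe parent and on the webhook.site string rather than on msedge.exe alone. In a real deployment the correlation would be scoped per host and per time window, and the Edge rules would also cover the file-based exfiltration described above by looking for msedge.exe opening an .html file from a user-writable temp directory.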
Simplicity as a Weapon
The success of Operation MacroMaze underscores a critical lesson: sophistication isn’t always about complex, never-before-seen exploits. As the cybersecurity firm notes, “This campaign proves that simplicity can be powerful.” APT28 orchestrated basic tools, batch files, tiny VBS launchers and simple HTML, to achieve maximum stealth.
By shifting operations into hidden or off-screen browser sessions, diligently cleaning up digital footprints, and outsourcing both payload delivery and data exfiltration to widely used webhook services, APT28 demonstrates a cunning ability to operate under the radar. This campaign serves as a stark reminder for organizations to remain vigilant against even the most seemingly rudimentary attack vectors, especially when wielded by state-sponsored adversaries.