APT28 Operation MacroMaze: Webhook-Driven Macro Execution Targeting Western Europe
Executive Summary
Threat intelligence reports from S2 Grupo’s LAB52 have detailed a targeted cyber-espionage campaign designated Operation MacroMaze. Attributed to the Russian state-sponsored actor APT28 (also known as Fancy Bear or Forest Blizzard), the activity was active between September 2025 and January 2026. The operation targeted entities across Western and Central Europe, primarily utilizing macro-enabled documents and the exploitation of legitimate third-party services to facilitate initial access and command-and-control (C2) communications.
Technical Execution and TTPs
Operation MacroMaze is characterized by its use of low-complexity but high-reliability tooling. The attack chain typically begins with a spear-phishing document that contains embedded VBA macros. When executed, these macros initiate a series of reconnaissance commands to profile the host environment.
Webhook Integration for C2
A notable technical feature of this campaign is the abuse of legitimate webhook platforms for C2 infrastructure. By routing traffic through these services, APT28 achieves several tactical objectives:
- Traffic Obfuscation: C2 traffic blends with legitimate enterprise traffic to known SaaS providers, complicating signature-based detection.
- Evasion of Reputation-Based Filters: Legitimate service domains often carry high reputation scores, bypassing basic DNS and URL filtering mechanisms.
- Infrastructure Elasticity: The actors can dynamically change endpoints, making traditional IoC-based blocking less effective.
Initial Access and Discovery
The malware performs initial discovery by gathering system metadata, including the OS version and network configuration. Because these actors typically look for exploitable infrastructure weaknesses once inside a network, organizations should run continuous perimeter assessments and attack-surface reviews to identify exposed services that could be used for lateral movement.
Attribution and Geopolitics
Attribution to APT28 is supported by the specific macro obfuscation techniques and the alignment of targets with Russian strategic interests in Europe. The focus on Central and Western European entities suggests a continued intelligence requirement related to regional diplomatic and defense policies.
Recommended Mitigations
- Macro Policies: Enforce restrictive Group Policy Objects (GPOs) to block macros in Office documents originating from the internet (Mark of the Web).
- Egress Monitoring: Implement deep packet inspection (DPI) to monitor outbound POST requests to known webhook and temporary data-hosting services.
- Host-Based Protections: Configure Endpoint Detection and Response (EDR) systems to flag anomalous process spawning from Microsoft Word or Excel, specifically PowerShell or CMD instances.
- Network Segmentation: Restrict the ability of compromised endpoints to reach critical internal infrastructure, limiting the scope of post-exploitation activity.
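As an added illustration of the two detection controls above (Egress Monitoring and Host-Based Protections), here is a small Python triage script that is not code from the LAB52 report: it flags Office-to-shell process spawns in Sysmon-style process-creation records and outbound POSTs to a watch-listed set of webhook domains in proxy logs (used here as a stand-in for DPI telemetry). The watch-list domains, log format and sample records are constructed for this example.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Hypothetical watch-list: fill with the webhook / temporary-hosting domains your organisation has no business reason to reach.
WEBHOOK_WATCHLIST = {"hooks.example-webhook.test", "paste.example-host.test"}

def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def flag_office_spawn(events):
    """Process-creation records (Sysmon EID 1 style dicts) where an Office
    application is the parent of a PowerShell or CMD instance."""
    return [ev for ev in events
            if _basename(ev["ParentImage"]) in OFFICE_PARENTS
            and _basename(ev["Image"]) in SHELL_CHILDREN]

# Constructed proxy-log format: "<ts> <client> <method> <url> <status>"
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                      r"https?://(?P<host>[^/\s:]+)\S* (?P<status>\d{3})$")

def flag_webhook_posts(lines):
    """Outbound POSTs whose destination is (a subdomain of) a watch-listed service."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        host = m["host"].lower()
        if any(host == d or host.endswith("." + d) for d in WEBHOOK_WATCHLIST):
            hits.append((m["client"], host))
    return hits

# Constructed sample data (not taken from the report)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},  # benign: not an Office parent
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_PROXY = [
    "2025-10-02T09:14:03Z 10.0.5.21 POST https://hooks.example-webhook.test/abc123 200",
    "2025-10-02T09:14:05Z 10.0.5.21 GET https://www.example.com/ 200",
    "2025-10-02T09:15:11Z 10.0.5.40 POST https://login.example.com/oauth 302",
]
```

Running `flag_office_spawn(SAMPLE_EVENTS)` returns the WINWORD and EXCEL records, and `flag_webhook_posts(SAMPLE_PROXY)` returns only the POST to the watch-listed host; the GET and the POST to an unlisted domain are ignored.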