APT28 Campaign Uses Webhook-Based Docs to Target Europe
🔎 S2 Grupo's LAB52 attributes a campaign codenamed Operation MacroMaze to the Russia-linked APT28, active from September 2025 through January 2026. The attackers used spear-phishing documents containing an INCLUDEPICTURE field that points to webhook[.]site URLs to confirm document opens and deploy macros that run VBScript and batch files. Payloads render Base64 HTML in Microsoft Edge, using headless or off-screen browsers to retrieve commands and exfiltrate output to webhook endpoints. LAB52 emphasizes the campaign's operational simplicity and reliance on legitimate services to reduce detection.
